I would like to check group membership before authenticating user login requests. I currently have radiusd.conf setup such that all users can login. However after spending several days reading man pages, and searching these archives I haven't found the key that unlocks my problem. radiusd.conf # <snip> ldap { server = "xx.xx.xx.xx" # ad server address identity = "cn=some_user,cn=users,dc=domain,dc=com" # bind account password = "xxx" # bind account password basedn = "cn=users,dc=domain,dc=com" # base dn filter = "(sAMAccountName=%{Stripped-User-Name:-%{User-Name}})" # uid start_tls = no # nope dictionary_mapping = ${raddbdir}/ldap.attrmap # default ldap_connections_number = 5 # why not password_attribute = userPassword # no need to explain # ok this is where things get real fuzzy - I've read rlm_ldap several times... timeout = 4 timelimit = 3 net_timeout = 1 } Users file remains untouched. Specifically what else do I need to if a user is a member of XYZ_group and if so authenticate them. Any help would be greatly appreciated. TYIA.