Hi, We currently have our users authenticating via ntlm_auth and would like to make authorization decisions based on group membership. The radius server is joined to the domain and standard Unix commands calling getpwnam will return expected data: # id user.name uid=123456789(user.name) gid=234567890(domain users) groups=234567890(domain users),345679012(noc),4567890123(vpm),5678901234(ipmi) Looking at various modules available to handle this I'm encountering the following problems with each (usual caveats about how I may be misreading the docs): rlm_pam: appears to only be set up to work for authentication rlm_passwd: appears to want a file rlm_unix: also appears to want a file to read? (maybe?) I'm hoping one of these above or perhaps something else can be used in the authorize section such that if a user logs in, and that user's group membership includes the required group (say, ipmi), then the authorization will be accepted. It's just not clear to me how to proceed here.