I'm not really sure if I'm doing this right, maybe someone can provide guidance. I have two problems a) how to structure my directory and b) how to do two lookups in rlm_ldap. But, effectively, LDAP is our authorization store and I'm proxying RADIUS to an RSA server for authentication only. We're removing all authorization from RSA. So, I've got devices in ou=Hosts,dc=blah,dc=com that are following the ipHost objectClass. Basically, I need a mechanism to put those devices into 'groupOfIpHosts' - which isn't a real concept. So, I use the 'seeAlso' attribute to reference a group of systems for that particular ipHost. Then, I lookup that group and check if the user authenticating is a uniqueMember in that group. So, I'm basically doing two ldap lookups. Right now, I'm doing it in an rlm_perl module which has obvious disadvantages (ldap persistence). So a) is there a better way to structure my directory? b) can I do multiple ldap lookups using rlm_ldap to achieve same end goal? LDAP calls looks like this now 1) get the hosts group $mesg = $ldap->search( base => "ou=Hosts,dc=comcast,dc=com", filter => "(&(ipHostNumber=$ipaddress))", attrs => ["seeAlso"], ); ## returns group membership into $group 2) verify user in group $mesg = $ldap->search ( base => $group, filter => qq{(&(uniqueMember=uid=$username,ou=users,dc=comcast,dc=com))}, attrs => ["uniqueMember"], );