MS AD, LDAP works -> how to check for group membership?
Shelbyville.Unwired
shelbyville.unwired at gmail.com
Fri Jul 15 05:09:23 CEST 2005
I would like to check group membership before authenticating user
login requests.
I currently have radiusd.conf set up such that all users can log in.
However, after spending several days reading man pages and searching
these archives, I haven't found the key that unlocks my problem.
radiusd.conf:

    # <snip>
    ldap {
        server = "xx.xx.xx.xx"  # ad server address
        identity = "cn=some_user,cn=users,dc=domain,dc=com"  # bind account
        password = "xxx"  # bind account password
        basedn = "cn=users,dc=domain,dc=com"  # base dn
        filter = "(sAMAccountName=%{Stripped-User-Name:-%{User-Name}})"  # uid
        start_tls = no  # nope
        dictionary_mapping = ${raddbdir}/ldap.attrmap  # default
        ldap_connections_number = 5  # why not
        password_attribute = userPassword  # no need to explain
        # ok this is where things get real fuzzy - I've read rlm_ldap several times...
        timeout = 4
        timelimit = 3
        net_timeout = 1
    }

Users file remains untouched.
Specifically, what else do I need to do to check if a user is a member of
XYZ_group and, if so, authenticate them?
Any help would be greatly appreciated. TYIA.