This is part of my problem as well. I am trying to get the group name of the LDAP user and write policy based on the group name and user attributes. I have no idea how to do it. Can anyone please help? Thank you! Rong