diff -burN OpenTRS.orig/Kernel/Config.pm OpenTRS/Kernel/Config.pm
--- OpenTRS.orig/Kernel/Config.pm	Fri Nov 29 14:52:51 2002
+++ OpenTRS/Kernel/Config.pm	Fri Nov 29 15:34:42 2002
@@ -134,8 +134,13 @@
     # (take care that Net::LDAP is installed!)
     $Self->{'AuthModule'} = 'Kernel::System::Auth::LDAP';
     $Self->{'AuthModule::LDAP::Host'} = 'ldap1.d1.net-m.de';
-    $Self->{'AuthModule::LDAP::BaseDN'} = 'dc=net-m,dc=de';
+    $Self->{'AuthModule::LDAP::BaseDN'} = 'ou=user,dc=net-m,dc=de';
     $Self->{'AuthModule::LDAP::UID'} = 'uid';
+
+    # check if the user is allowed to auth in a posixGroup
+    $Self->{'AuthModule::LDAP::GroupDN'} = 'cn=otrsallow,ou=posixGroups,dc=net-m,dc=de';
+    $Self->{'AuthModule::LDAP::access_attr'} = 'memberUid';
+
     # The following is valid but would only be necessary if the
     # anonymous user do NOT have permission to read from the LDAP tree
     # $Self->{'AuthModule::LDAP::SearchUserDN'} = '';
diff -burN OpenTRS.orig/Kernel/System/Auth/LDAP.pm OpenTRS/Kernel/System/Auth/LDAP.pm
--- OpenTRS.orig/Kernel/System/Auth/LDAP.pm	Sat Aug 3 13:57:43 2002
+++ OpenTRS/Kernel/System/Auth/LDAP.pm	Fri Nov 29 15:33:57 2002
@@ -53,6 +53,8 @@
         || die "Need AuthModule::LDAPBaseDN in Kernel/Config.pm";
     $Self->{SearchUserDN} = $Self->{ConfigObject}->Get('AuthModule::LDAP::SearchUserDN') || '';
     $Self->{SearchUserPw} = $Self->{ConfigObject}->Get('AuthModule::LDAP::SearchUserPw') || '';
+    $Self->{GroupDN} = $Self->{ConfigObject}->Get('AuthModule::LDAP::GroupDN') || '';
+    $Self->{access_attr} = $Self->{ConfigObject}->Get('AuthModule::LDAP::access_attr') || '';
     return $Self;
 }
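Review bot: The comment above the new GroupDN/access_attr keys ("check if the user is allowed to auth in a posixGroup") does not say what access_attr is compared against or what happens when the keys are absent, and an admin copying this block needs both. In the LDAP.pm part of this patch the group filter is built as `(memberUid=<login name>)` and the search is run unconditionally, so I would extend the comment to something like `# Restrict login to members of this posixGroup. access_attr is matched against the login name (the value of the UID attribute), not the user's DN. If GroupDN is set, access_attr must be set too; in the current code leaving GroupDN empty makes every login fail rather than disabling the check.` The hostnames and DNs here look site-specific (net-m.de); if this Config.pm is shipped as a template, consider replacing them with placeholder values.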
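Review bot: The two new settings after the SearchUserPw line silently default to '' while BaseDN a few lines above dies when it is missing; with an empty access_attr the group filter later in this module becomes `(=<user>)`, which is not a valid LDAP filter, so a half-configured install refuses every login with a "no LDAP entry" note instead of a configuration error at startup. Suggest keeping the '' default for GroupDN (so the check can be optional) but failing fast on the inconsistent case: `die "Need AuthModule::LDAP::access_attr in Kernel/Config.pm when AuthModule::LDAP::GroupDN is set" if $Self->{GroupDN} && !$Self->{access_attr};` right after the access_attr assignment. Minor style point: `access_attr` breaks the CamelCase used by the neighbouring keys (GroupDN, SearchUserDN, SearchUserPw); `AccessAttr` would read consistently. The enclosing constructor starts before this hunk.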
@@ -110,9 +112,33 @@
         $UserDN = $Entry->dn();
     }
     # --
+    # just in case
+    # --
+    if ($Self->{Debug} > 0) {
+        $Self->{LogObject}->Log(
+            Priority => 'notice',
+            Message => "check for groupdn!",
+        );
+    }
+    # --
+    # search if we're allowed to
+    # --
+    my $Result2 = $LDAP->search (
+        base => $Self->{GroupDN},
+        filter => "($Self->{access_attr}=$Param{User})"
+    );
+    # --
+    # extract it
+    # --
+    my $GroupDN = '';
+    foreach my $Entry ($Result2->all_entries) {
+        $GroupDN = $Entry->dn();
+    }
+
+    # --
     # log if there is no LDAP entry
     # --
-    if (!$UserDN) {
+    if ((!$UserDN) || (!$GroupDN)) {
         # --
         # failed login note
         # --
@@ -130,7 +156,7 @@
     # bind with user data
     # --
     $Result = $LDAP->bind(dn => $UserDN, password => $Param{Pw});
-    if ($Result->code) {
+    if (($Result->code) || ($Result2->code)) {
         # --
         # failed login note
         # --
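Review bot: `$Param{User}` is interpolated unescaped into the group filter on the `filter =>` line, so a login name containing `*`, `(`, `)` or `\` changes the meaning of the filter — a bare `*` turns the new check into `(memberUid=*)`, which any non-empty group satisfies. Whether that combines into a full bypass depends on the UserDN search above this hunk (outside my view), but this group search is the new access gate and should not be defeatable by filter syntax. Escape the value before building the filter: `(my $SafeUser = $Param{User}) =~ s/([\\*()\0])/sprintf('\\%02x', ord($1))/ge;` and then `filter => "($Self->{access_attr}=$SafeUser)"` (Net::LDAP::Util::escape_filter_value does the same if your perl-ldap version has it). Separately, the search runs even when GroupDN is '' (the constructor's default in this patch), which makes the check mandatory for every installation; wrap the search and the `!$GroupDN` test in `if ($Self->{GroupDN})` if it is meant to be optional. The enclosing method starts before and ends after this hunk.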
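Review bot: The `|| ($Result2->code)` added to the post-bind condition is effectively dead: a group search that returned an error has no entries, so `$GroupDN` stays '' and the login is already rejected by the `(!$UserDN) || (!$GroupDN)` branch in the previous hunk. If it did fire it would do so after the bind and fall into the "failed login note" path, logging an LDAP error on the group search as if it were a bad password. I would drop the extra test here and instead check the search result where it happens, e.g. directly after the group search: `if ($Result2->code) { $Self->{LogObject}->Log(Priority => 'error', Message => "group search failed: " . $Result2->error); }` followed by whatever this method's failure return is (it is outside the hunk). The enclosing method starts before and ends after this hunk.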