Thanks for your answer, Patrick! The Problem that I cannot change algorithm of search. I try to use pGina with module LDAP Auth at the enterprise. In LDAP Auth plugin there are the parameters, allowing to rank the user as the certain group on a workstation. For this purpose parameters userOK0-255 and adminOK0-255 are used. And they demand presence of property groupMembership in the scheme of the user. The citation from the documentation to LDAP Auth plugin: "If you do searching, uid (indicating a unique, alphanumeric username, not a Unix number) is required unless you change the filter. For the binds, it literally attempts a bind with username, so bracket the username with whatever you call these attributes. For userOK and adminOK, the user class must support the attribute groupMembership as the user will be queried, not the group. If your users have full control over their own attributes, this is not secure. If your directory does not implement this, and instead requires querying the group, support for that is not yet written (and may never be as it is somewhat silly)." groupMembership (I have in view of the name) it is possible to replace property with another. Safonov A. >In that case you're probably looking at two lookups: one to get the dn of the user, and a second to check for groups that have the dn as a uniqueMember.
