squid_ldap_group works for me for a "flat group" containing usernames: /usr/local/squid/libexec/squid_ldap_group \ -h ldapserver \ -D "cn=ldap-administrator,ou=Service Accounts,ou=_SiteMgmt,ou=XY,ou=DE,dc=emea,dc=zf-world,dc=com" \ -W /usr/local/pw-admin \ -b "ou=DE,dc=emea,dc=zf-world,dc=com" \ -f "(&(objectclass=person)(sAMAccountName=%v)(memberof=cn=%a,ou=Groups,ou=XY,ou=DE,dc=emea,dc=zf-world,dc=com))" But structure of out company is a little bit more complex: For every location there is a group say internet-loc<xy> containing all users of this location with right for internetaccess. There is a group INTERNETUSERS containing all subgroups internet_loc<xy>, for example: internetaccess group internet-loc1 jim bob internet-loc2 mary paul internet-loc3 peter internet-loc4 lary robert internet-loc5 werner Now I have to check, whether a user is member of the group internetaccess. The script above does not recognize, that jim is member of the group internetaccess (because he is member of a subgroup). How can I do this? Werner