Hi,
I have configured oVirt authentication against our MicroFocus/Novell
eDirectory (edir) LDAP. It is working fine on a per-user basis. Now I have
tried to set permissions per group, but it seems that does not work.
My CRO.properties
---
include = <rfc2307-edir.properties>
vars.server = ldap.********
vars.port = 389
vars.user = cn=*******************
vars.password = *******************
pool.default.serverset.single.server = ${global:vars.server}
pool.default.serverset.single.port = ${global:vars.port}
pool.default.auth.simple.bindDN = ${global:vars.user}
pool.default.auth.simple.password = ${global:vars.password}
pool.default.ssl.startTLS = true
pool.default.socketfactory.resolver.supportIPv6 = false
sequence-init.init.100-my-edir-init-vars = my-edir-init-vars
sequence.my-edir-init-vars.010.description = set baseDN
sequence.my-edir-init-vars.010.type = var-set
sequence.my-edir-init-vars.010.var-set.variable = simple_baseDN
sequence.my-edir-init-vars.010.var-set.value = o=su
search.default.search-request.derefPolicy = ALWAYS
---
I am able to search groups in the manager, but users with permissions per group
are unable to log in with "The user *********** with profile [CRO] is not
authorized to perform login".
When I try to debug it with
ovirt-engine-extensions-tool aaa login-user --profile=CRO
--user-name=*******
I can see common attributes (name, email, ...) in PrincipalRecord but not
any record mentioning group membership.
The group which holds this user has the posixGroup objectClass and member
attributes which point to the DNs of users.
There was also a similar post on this list in 2019 which unfortunately
was not very specific about the solution:
https://lists.ovirt.org/archives/list/users@ovirt.org/thread/PBQXDJGOZ2ET...
Could anyone suggest how to better debug this, or how to modify the group search
filter in my profile to work with the member attribute?
Thanks in advance,
Jiri
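An added example (not part of the post above, and not oVirt's or the aaa-ldap extension's own code) showing one way to check, outside the engine, whether the user's DN really appears in a group's member attribute before changing the profile. It is standard-library Python only: it builds an RFC 4515-escaped filter of the form (&(objectClass=posixGroup)(member=<user DN>)), normalizes DNs for a case- and whitespace-insensitive comparison, resolves membership over a constructed set of group entries, and prints the equivalent ldapsearch invocation. The objectClass posixGroup, the member attribute and the base DN o=su come from the post; the hostname, bind DN, user DNs and group entries are constructed placeholders, and the third group is deliberately stored with memberUid (the RFC 2307 convention) rather than member so the two membership styles can be told apart. The DN normalization assumes the attribute types involved (cn, ou, o) are case-insensitive, which is the eDirectory default but is an assumption here.

```python
"""Check LDAP group membership via the member attribute (constructed example)."""
import re
import shlex
from typing import Dict, List

# Constructed sample directory: what an LDAP search for posixGroup entries under
# o=su might return. Only the third group follows the RFC 2307 memberUid style.
SAMPLE_GROUPS: List[Dict[str, object]] = [
    {"dn": "cn=ovirt-admins,ou=groups,o=su", "objectClass": ["posixGroup"],
     "member": ["cn=jiri,ou=people,o=su", "cn=Alice,ou=people,o=su"]},
    {"dn": "cn=ovirt-users,ou=groups,o=su", "objectClass": ["posixGroup"],
     "member": ["CN=Alice,OU=People,O=SU"]},          # same DN, different case
    {"dn": "cn=legacy-unix,ou=groups,o=su", "objectClass": ["posixGroup"],
     "memberUid": ["jiri"]},                           # uid strings, no DNs
]


def escape_filter_value(value: str) -> str:
    """Escape a value for use inside an LDAP search filter (RFC 4515).

    Without this, a DN or uid containing '*', '(' or ')' changes the filter's
    meaning instead of being matched literally.
    """
    special = {'*': r'\2a', '(': r'\28', ')': r'\29', '\\': r'\5c', '\x00': r'\00'}
    return ''.join(special.get(ch, ch) for ch in value)


def build_member_filter(user_dn: str, group_class: str = "posixGroup") -> str:
    """Filter for groups whose member attribute holds the user's DN."""
    return "(&(objectClass={})(member={}))".format(
        escape_filter_value(group_class), escape_filter_value(user_dn))


def build_member_uid_filter(uid: str, group_class: str = "posixGroup") -> str:
    """Filter for RFC 2307-style groups that list members by uid."""
    return "(&(objectClass={})(memberUid={}))".format(
        escape_filter_value(group_class), escape_filter_value(uid))


def normalize_dn(dn: str) -> str:
    """Canonicalize a DN: split on unescaped commas, trim, lowercase.

    Assumes caseIgnore matching for the attribute types in the DN (eDirectory
    default for cn/ou/o). Escaped commas inside a value are left intact.
    """
    rdns = re.split(r'(?<!\\),', dn)
    parts = []
    for rdn in rdns:
        attr, _, val = rdn.partition('=')
        parts.append(attr.strip().lower() + '=' + val.strip().lower())
    return ','.join(parts)


def resolve_membership(user_dn: str, uid: str,
                       groups: List[Dict[str, object]]) -> Dict[str, List[str]]:
    """Return the group DNs that reference the user by DN and by uid separately.

    Seeing a group only under "memberUid" but not under "member" (or vice
    versa) tells you which attribute the group search filter has to use.
    """
    target = normalize_dn(user_dn)
    by_member = [str(g["dn"]) for g in groups
                 if any(normalize_dn(m) == target for m in g.get("member", []))]
    by_uid = [str(g["dn"]) for g in groups if uid in g.get("memberUid", [])]
    return {"member": by_member, "memberUid": by_uid}


def ldapsearch_command(server: str, port: int, bind_dn: str,
                       base_dn: str, user_dn: str) -> str:
    """Build an equivalent OpenLDAP ldapsearch command line.

    -ZZ insists on StartTLS (as pool.default.ssl.startTLS = true does),
    -a always mirrors derefPolicy = ALWAYS, and -W prompts for the bind
    password so it never lands in the shell history or process list.
    """
    cmd = ["ldapsearch", "-x", "-ZZ", "-a", "always",
           "-H", "ldap://{}:{}".format(server, port),
           "-D", bind_dn, "-W", "-b", base_dn,
           build_member_filter(user_dn), "cn", "member"]
    return " ".join(shlex.quote(c) for c in cmd)


def main() -> None:
    user_dn = "cn=jiri,ou=people,o=su"          # constructed user DN
    print("filter:", build_member_filter(user_dn))
    print("membership:", resolve_membership(user_dn, "jiri", SAMPLE_GROUPS))
    print(ldapsearch_command("ldap.example.invalid", 389,   # placeholder host
                             "cn=svc-ovirt,o=su", "o=su", user_dn))


if __name__ == "__main__":
    main()
```

Running the printed ldapsearch against the real directory with the service account from the profile shows directly whether the member-based filter returns the expected groups; if it does but the engine still reports no groups, the difference lies in how the profile resolves membership rather than in the directory data.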