--- LDAPAuthenticateUser.php 2007-08-30 04:20:00.000000000 +0200
+++ a 2007-09-20 14:52:36.000000000 +0200
@@ -96,8 +96,22 @@
 // Authentication succeeded, get info from LDAP directory
 $attrs = array_keys($GLOBALS['ldapConfig']['users']['fields']);
 $base_dn = $GLOBALS['ldap_config']->settings['ldap_base_dn'];
- $name_filter = "(" . $GLOBALS['ldap_config']->settings['ldap_login_attr']. "=" . $name . ")";
+
+ //check group membership
+ $result = @ldap_search($ldapconn, "cn=SugarCRM,ou=Groups,$base_dn", "(memberUid=$name)", $attrs);
+ $info=@ldap_get_entries($ldapconn, $result);
+ if (strtolower($name)=="administrator" || $info[0])
+ {
+ $GLOBALS['log']->debug("ldapauth: Group membership OK");
+ }
+ else
+ {
+ $GLOBALS['log']->debug("ldapauth: FAILED, $name not member of SugarCRM group!");
+ return '';
+ }
+
+ $name_filter = "(" . $GLOBALS['ldap_config']->settings['ldap_login_attr']. "=" . $name . ")";
 $GLOBALS['log']->debug("ldapauth: Fetching user info from Directory.");
 $result = @ldap_search($ldapconn, $base_dn, $name_filter, $attrs);
 if($this->loginError($error)){
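Review bot: The added group check builds its filter as `"(memberUid=$name)"` from the login name without escaping, so filter metacharacters in `$name` change what the search matches and a broadened match would satisfy the `$info[0]` test; whether the earlier bind already rejects such names is not visible in this hunk. Escape the value and test the entry count explicitly, e.g. `"(memberUid=" . ldap_escape($name, '', LDAP_ESCAPE_FILTER) . ")"` (PHP 5.6+) and `if (strtolower($name) == "administrator" || !empty($info['count']))`. The `administrator` exemption and the group DN `cn=SugarCRM,ou=Groups` are hard-coded, so any directory account with that name skips the group requirement; both look like they belong in the `ldap_config` settings. Because `@ldap_search` suppresses errors, a directory failure and a genuine non-member both end in `return ''` logged only at debug level, which fails closed but leaves denied logins hard to spot in production logs. The enclosing method starts and ends outside the hunk, and the unchanged `$name_filter` line carries the same unescaped interpolation.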