--- pam_ldap-176/pam_ldap.h Tue Mar 16 17:53:29 2004
+++ pam_ldap-mg-176/pam_ldap.h Wed Mar 17 18:16:04 2004
@@ -37,6 +37,14 @@
 #include
 #endif
+typedef struct _groupdn groupdn;
+
+struct _groupdn
+ {
+ char *name;
+ groupdn * next;
+ };
+
 typedef struct pam_ssd
 {
 char *base;
@@ -92,7 +100,7 @@
 /* service attribute checking, for access authorization */
 int checkserviceattr;
 /* group name; optional, for access authorization */
- char *groupdn;
+ groupdn *groups;
 /* group membership attribute; defaults to uniquemember */
 char *groupattr;
 /* LDAP protocol version */
--- pam_ldap-176/pam_ldap.c Tue Mar 16 17:53:29 2004
+++ pam_ldap-mg-176/pam_ldap.c Wed Mar 17 18:31:33 2004
@@ -480,9 +480,16 @@
 free (c->groupattr);
 }
- if (c->groupdn != NULL)
+ if (c->groups != NULL)
 {
- free (c->groupdn);
+ groupdn *cur,*last;
+ cur = c->groups;
+ while (cur!=NULL)
+ {
+ last = cur;
+ cur = cur->next;
+ free(last);
+ }
 }
 if (c->filter != NULL)
@@ -619,7 +626,7 @@
 result->ssd = NULL;
 result->userattr = NULL;
 result->groupattr = NULL;
- result->groupdn = NULL;
+ result->groups = NULL;
 result->getpolicy = 0;
 result->checkhostattr = 0;
 result->checkserviceattr = 0;
@@ -1015,7 +1022,22 @@
 }
 else if (!strcasecmp (k, "pam_groupdn"))
 {
- CHECKPOINTER (result->groupdn = strdup (v));
+ if (result->groups == NULL)
+ {
+ result->groups = (groupdn *) malloc(sizeof(groupdn));
+ CHECKPOINTER (result->groups->name = strdup (v));
+ result->groups->next = NULL;
+ }
+ else
+ {
+ groupdn * cur;
+ cur = result->groups;
+ while (cur->next != NULL)
+ cur = cur->next;
+ cur->next = (groupdn *) malloc(sizeof(groupdn));
+ CHECKPOINTER (cur->next->name = strdup (v));
+ cur->next->next = NULL;
+ }
 }
 else if (!strcasecmp (k, "pam_member_attribute"))
 {
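Review bot: The comment kept above the renamed field in the second pam_ldap.h hunk, `/* group name; optional, for access authorization */`, still describes a single DN string, while `groupdn *groups;` is now the head of a linked list with any-of-match semantics; suggest `/* list of group DNs; optional, for access authorization; membership in any one grants access */`. The new `struct _groupdn` in the first hunk carries no comment either; a one-liner such as `/* singly linked list node: one configured pam_groupdn value */` above it would help the next reader. The tag `_groupdn` is also an identifier the C standard reserves at file scope (leading underscore in the tag name space), so a tag without the underscore, e.g. `struct pam_ldap_groupdn`, would be safer.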
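Review bot: The release loop in the `@@ -480` hunk frees each list node but never frees `last->name`, so every strdup'd group DN leaks each time the configuration is released; `free (last->name); free (last);` inside the loop fixes it. The enclosing function begins and ends outside this hunk. The outer `if (c->groups != NULL)` guard is redundant with the `while (cur!=NULL)` condition, but harmless.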
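Review bot: Both `malloc(sizeof(groupdn))` calls in the `@@ -1015` hunk are unchecked, so on allocation failure the very next line dereferences NULL through `result->groups->name` or `cur->next->name`; wrapping the allocation itself in the macro the parser already uses for strdup, `CHECKPOINTER (result->groups = malloc (sizeof *result->groups));`, is the minimal fix. A second ordering problem: `next` is assigned only after the strdup succeeds, so if CHECKPOINTER bails out on a failed strdup the node is already linked into the list with an indeterminate `next`, which a later config release walking the list would presumably follow — set `->next = NULL` before the strdup. Both branches also duplicate the allocate-and-link logic; a single tail-pointer append handles the empty and non-empty cases alike (sketch below, assuming CHECKPOINTER evaluates its argument once — I cannot see its definition from here). The enclosing function lies outside the hunk.
```c
  else if (!strcasecmp (k, "pam_groupdn"))
    {
      groupdn **tail = &result->groups;
      /* append: walk to the NULL link at the end of the list (empty list included) */
      while (*tail != NULL)
        tail = &(*tail)->next;
      CHECKPOINTER (*tail = malloc (sizeof **tail));
      (*tail)->next = NULL;	/* link is valid before strdup can fail */
      CHECKPOINTER ((*tail)->name = strdup (v));
    }
```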
@@ -3653,22 +3675,25 @@
 }
 } /* password expired */
- /* group auth, per Chris's pam_ldap_auth module */
- if (session->conf->groupdn != NULL)
- {
+ /* multiple group auth, per Chris's pam_ldap_auth module */
+ int auth=0;
+ groupdn * cur;
+ for ( cur=session->conf->groups; cur!=NULL && auth==0;cur=cur->next)
+ {
 rc = ldap_compare_s (session->ld,
- session->conf->groupdn,
+ cur->name,
 session->conf->groupattr,
 session->info->userdn);
- if (rc != LDAP_COMPARE_TRUE)
+ if (rc == LDAP_COMPARE_TRUE)
 {
- snprintf (buf, sizeof buf, "You must be a %s of %s to login.",
- session->conf->groupattr, session->conf->groupdn);
- _conv_sendmsg (appconv, buf, PAM_ERROR_MSG, no_warn);
- return PAM_PERM_DENIED;
+ auth = 1;
+ rc = success;
 }
- else
- rc = success;
- }
+ }
+ if (auth == 0)
+ {
+ snprintf (buf, sizeof buf, "LDAP Group Authentication Failed.");
+ return PAM_PERM_DENIED;
+ }
 if (rc == success && session->conf->checkserviceattr)
 {
--- pam_ldap-176/ldap.conf Tue Mar 16 17:53:29 2004
+++ pam_ldap-mg-176/ldap.conf Wed Mar 17 23:05:36 2004
@@ -89,6 +89,8 @@
 #pam_check_service_attr yes
 # Group to enforce membership of
+# Multiple groups can be specified by adding one group per pam_groupdn line.
+# Membership in any group will allow access.
 #pam_groupdn cn=PAM,ou=Groups,dc=padl,dc=com
 # Group member attribute
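Review bot: When no `pam_groupdn` is configured, `session->conf->groups` is NULL (the `@@ -619` hunk initialises it so), the for loop never runs, `auth` stays 0 and the new `if (auth == 0)` block returns PAM_PERM_DENIED — the removed code only enforced membership when a DN was configured, so this hunk locks every user out of a default installation. Restore that gate, e.g. `if (session->conf->groups != NULL && auth == 0)`, or wrap the whole loop-plus-check in the old `if (session->conf->groups != NULL)`. The failure message is also dead code now: `snprintf` fills `buf` with `"LDAP Group Authentication Failed."` but the `_conv_sendmsg (appconv, buf, PAM_ERROR_MSG, no_warn);` call the old code made was dropped, so the user receives nothing and the buffer is never read. Lastly, `int auth=0;` and `groupdn * cur;` are declarations after statements in the middle of a block, which the surrounding C89-style code does not otherwise do and older compilers reject; hoist them to the declarations at the top of the enclosing function, which begins and ends outside this hunk.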