function is_dn_member_of_group($userDn, $groupDn)
{
    $ldap = $this->get_ldap_connection();
    $link = $ldap->getLink();

    $spos = strpos($userDn, "=");
    if ($spos == true) { $spos = strpos($userDn, ","); $userDn = substr($userDn, 4, $spos-4); }

    $r = @ldap_compare($link, $groupDn, $this->uniqueMember_attribute, $userDn);

when you use this with openldap, the userDN does not match what the memberID will be. the userDn is "uid=abc.abc,dc=example,dc=com" but the memberID within the group is abc.abc i needed to change plugins/LdapCommon/LdapCommon.php and the function is_dn_member_of_group to be function is_dn_member_of_group($userDn, $groupDn) { $ldap = $this->get_ldap_connection(); $link = $ldap->getLink(); # just get the username and remove the rest $spos = strpos($userDn, "="); if ($spos == true) { $spos = strpos($userDn, ","); $userDn = substr($userDn, 4, $spos-4); } # now do the compare $r = @ldap_compare($link, $groupDn, $this->uniqueMember_attribute, $userDn); but i suppose that changing LdapAuthorizationPlugin.php and the function hasRole to check both the full userDn and just the username would be better