This works: Require ldap-attribute memberof="cn=cactiaccess,cn=groups,cn=accounts,dc=example,dc=net" but only if I also provide a username/password for apache to bind as. Doesn't work with unauthenticated binds. -jf