which syntax should apply to ldap groups ? valid users = @group or valid user = @WORKGROUP/group this is the group ou being searched. ldap group suffix = ou=Group and this is what groups look like in ldap dn: cn=mygroup,ou=Group,dc=mydomain,dc=com objectClass: posixGroup objectClass: top cn: mygroup gidNumber: 10004 memberUid: user1 memberUid: user2