Index: ldapplugin/api.py =================================================================== --- ldapplugin/api.py (revision 2262) +++ ldapplugin/api.py (working copy) @@ -146,15 +146,24 @@ def _get_user_groups(self, username): """Returns a list of all groups a user belongs to""" - ldap_groups = self._ldap.get_groups() + ldap_groups = self._ldap.get_groups(self.util.get_group_rdn()) + ## dump some useful debug + ## outp = open("/tmp/trac2.log","a") groups = [] for group in ldap_groups: - if self._ldap.is_in_group(self.util.user_attrdn(username), group): - m = DN_RE.search(group) - if m: - groupname = GROUP_PREFIX + m.group('rdn') - if groupname not in groups: - groups.append(groupname) + rdntuple = self.util.user_attrdn(username) + for rdnitem in rdntuple: + ## print >> outp, ("user: %s - trying group %s (userdn=%s)" % (username,group,rdnitem)) + if group!=None: + if self._ldap.is_in_group(rdnitem, group): + m = DN_RE.search(group) + if m: + groupname = GROUP_PREFIX + m.group('rdn') + if groupname not in groups: + groups.append(groupname) + ##print >> outp, (" group %s: found %s" % (group,groupname)) + ##print >> outp, ("---") + ##outp.close() return groups class LdapPermissionStore(Component): @@ -453,6 +462,9 @@ def is_group(self, username): return username.startswith(GROUP_PREFIX) + + def get_group_rdn(self): + return self.group_rdn def create_dn(self, username): """Create a user or group LDAP DN from his/its name""" 
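Review bot: In `_get_user_groups`, the new inner loop grants a group when any of the candidate DNs returned by `user_attrdn(username)` is a member, so one login name is matched against an entry under every `|`-separated `user_rdn` branch. If the same uid can exist in two branches as different people (not visible from this patch), the logged-in user inherits the other entry's groups. A comment stating that uids must be unique across the configured branches, or resolving the single DN the user actually authenticated as, would close that gap. Separately, neither `user_attrdn(username)` nor the `group!=None` test depends on the inner loop: `user_dns = self.util.user_attrdn(username)` can be computed once before `for group in ldap_groups:`, with `if group is not None:` directly under that `for`. The commented-out `open("/tmp/trac2.log","a")` debug lines are best dropped rather than committed, since a fixed path in /tmp that records user DNs is unsafe if anyone re-enables it.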
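Review bot: `get_group_rdn` is added without a docstring, unlike `create_dn` right below it, and no hunk in this patch shows where `self.group_rdn` is assigned. A one-line docstring such as `"""Return the configured group RDN, relative to basedn"""` would help, ideally also saying what comes back when the option is unset, since `get_groups` tests the value for truthiness. If the attribute is not guaranteed to exist on the object (cannot tell from these hunks), `return getattr(self, 'group_rdn', None)` keeps `_get_user_groups` from raising AttributeError.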
@@ -471,11 +483,13 @@ def user_attrdn(self, user): """Build the dn for a user""" + # in all cases we return a list, even if the list + # consists of one item if self.user_rdn: - return "%s=%s,%s,%s" % \ - (self.uidattr, user, self.user_rdn, self.basedn) + rdntuple = self.user_rdn.split('|') + return [ "%s=%s,%s,%s" % (self.uidattr, user, rdnitem, self.basedn) for rdnitem in rdntuple ] else: - return "%s=%s,%s" % (self.uidattr, user, self.basedn) + return ["%s=%s,%s" % (self.uidattr, user, self.basedn)] def extract_user_from_dn(self, dn): m = DN_RE.search(dn) @@ -536,9 +550,12 @@ self._ds.unbind_s() self._ds = None - def get_groups(self): + def get_groups(self, group_rdn): """Return a list of available group dns""" - groups = self.get_dn(self.basedn, 'objectclass=' + self.groupname) + if group_rdn: + groups = self.get_dn("%s,%s" % (group_rdn,self.basedn), 'objectclass=' + self.groupname) + else: + groups = self.get_dn(self.basedn, 'objectclass=' + self.groupname) return groups def is_in_group(self, userdn, groupdn):
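Review bot: In `user_attrdn`, `user` is formatted straight into each DN, and with this change that happens once per `user_rdn` branch; a name containing `,`, `+` or `=` changes the structure of the DN that `is_in_group` is later asked about. If python-ldap's `ldap.dn` module is available in this file (the imports are outside the hunk), escaping once at the top with `user = ldap.dn.escape_dn_chars(user)` covers both return paths. `self.user_rdn.split('|')` also keeps surrounding whitespace and empty segments, so a value like `ou=a | ou=b` or a trailing `|` yields DNs with stray spaces or an empty component; `rdns = [r.strip() for r in self.user_rdn.split('|') if r.strip()]` avoids that. The return type changed from a string to a list, so the docstring should say so, for example `"""Build the candidate DNs for a user, one per configured user_rdn"""`, and any caller of `user_attrdn` outside this patch needs the same update as `_get_user_groups`.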
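Review bot: `get_groups` now requires `group_rdn`, so any caller outside this patch that still calls `get_groups()` with no argument fails with a TypeError; `def get_groups(self, group_rdn=None):` keeps the old call working. The two branches differ only in the search base, so computing the base first and calling `get_dn` once would be easier to follow. The docstring could also state that an empty `group_rdn` falls back to searching the whole `basedn`, in which case every entry of the configured object class anywhere under the base is returned as a group DN.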