diff -Naur tnftpd-20100324/configure tnftpd/configure
--- tnftpd-20100324/configure	2010-03-24 05:31:54.000000000 -0700
+++ tnftpd/configure	2010-06-01 17:42:14.000000000 -0700
@@ -20429,7 +20429,7 @@
 for ac_header in sys/resource.h \
                   arpa/inet.h arpa/nameser.h arpa/telnet.h err.h \
                   fcntl.h fnmatch.h grp.h libutil.h limits.h locale.h \
-                  netinet/in.h netinet/in_systm.h netinet/ip.h \
+                  membership.h netinet/in.h netinet/in_systm.h netinet/ip.h \
                   paths.h poll.h pwd.h sys/poll.h \
                   setjmp.h signal.h stddef.h syslog.h termios.h \
                   unistd.h util.h utime.h utmp.h
diff -Naur tnftpd-20100324/configure.ac tnftpd/configure.ac
--- tnftpd-20100324/configure.ac	2010-03-24 05:31:39.000000000 -0700
+++ tnftpd/configure.ac	2010-06-01 17:09:56.000000000 -0700
@@ -198,7 +198,7 @@
 AC_CHECK_HEADERS([sys/resource.h \
                   arpa/inet.h arpa/nameser.h arpa/telnet.h err.h \
                   fcntl.h fnmatch.h grp.h libutil.h limits.h locale.h \
-                  netinet/in.h netinet/in_systm.h netinet/ip.h \
+                  membership.h netinet/in.h netinet/in_systm.h netinet/ip.h \
                   paths.h poll.h pwd.h sys/poll.h \
                   setjmp.h signal.h stddef.h syslog.h termios.h \
                   unistd.h util.h utime.h utmp.h],
diff -Naur tnftpd-20100324/src/ftpd.c tnftpd/src/ftpd.c
--- tnftpd-20100324/src/ftpd.c	2010-05-18 17:05:54.000000000 -1000
+++ tnftpd/src/ftpd.c	2010-05-18 17:09:11.000000000 -1000
@@ -1450,6 +1450,12 @@
 #ifdef USE_PAM
 	int e;
 #endif
+#ifdef HAVE_MEMBERSHIP_H
+	const char	*service_name = "ftp";
+	uuid_t		user_uuid;
+	int		is_member = 0;
+	int		checkit;
+#endif
 
 	rval = 1;
 
@@ -1545,7 +1551,25 @@
 			    remoteloghost, pw->pw_name);
 		goto bad;
 	}
-
+#ifdef HAVE_MEMBERSHIP_H
+	checkit = mbr_uid_to_uuid(pw->pw_uid, user_uuid);
+	if (checkit != 0) {
+		reply(550, "Could not find UUID for this user.");
+		goto bad;
+	}
+	checkit = mbr_check_service_membership(user_uuid, service_name, &is_member);
+	if (checkit == ENOENT) {
+		// no SACL exists; access OK
+	} else if (checkit != 0) {
+		// unexpected error finding group; access denied
+		reply(550, "Could not find membership for this UUID.");
+		goto bad;
+	} else if (is_member == 0) {
+		// user is not in SACL; access denied
+		reply(530, "User %s denied by SACL.", pw->pw_name);
+		goto bad;
+	}
+#endif /* HAVE_MEMBERSHIP_H */
 	login_attempts = 0;		/* this time successful */
 	if (setegid((gid_t)pw->pw_gid) < 0) {
 		reply(550, "Can't set gid.");
diff -Naur tnftpd-20100324/tnftpd.h tnftpd/tnftpd.h
--- tnftpd-20100324/tnftpd.h	2010-05-18 17:05:54.000000000 -1000
+++ tnftpd/tnftpd.h	2010-05-18 17:10:24.000000000 -1000
@@ -173,6 +173,10 @@
 # include <err.h>
 #endif
 
+#if defined(HAVE_MEMBERSHIP_H)
+# include <membership.h>
+#endif
+
 #include "ftpglob.h"
 
 #if defined(HAVE_FNMATCH_H) && HAVE_DECL_FNM_CASEFOLD
diff -Naur tnftpd-20100324/tnftpd_config.h.in tnftpd/tnftpd_config.h.in
--- tnftpd-20100324/tnftpd_config.h.in	2010-03-24 02:27:11.000000000 -1000
+++ tnftpd/tnftpd_config.h.in	2010-05-18 17:07:20.000000000 -1000
@@ -184,6 +184,9 @@
 /* Define to 1 if you have the `madvise' function. */
 #undef HAVE_MADVISE
 
+/* Define to 1 if you have the <membership.h> header file. */
+#undef HAVE_MEMBERSHIP_H
+
 /* Define to 1 if you have the `memmove' function. */
 #undef HAVE_MEMMOVE