diff --git a/Dockerfile b/Dockerfile
index 38ea865..d6a8337 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -2,9 +2,10 @@ FROM php:8.3-apache
 RUN apt-get update \
 && apt-get upgrade -y \
- && apt-get install -y libapache2-mod-auth-openidc git \
+ && apt-get install -y jq ldap-utils libapache2-mod-authnz-external libapache2-mod-auth-openidc git \
 && apt-get clean \
 && (apt-get distclean || rm -rf /var/cache/apt/archives /var/lib/apt/lists/*) \
+ && a2enmod authnz_ldap \
 && mkdir -p /var/cache/apache2/mod_auth_openidc/oidc-sessions /var/cache/apache2/twig /var/www/lib \
 && chown www-data:www-data /var/cache/apache2/mod_auth_openidc/oidc-sessions /var/cache/apache2/twig \
 && docker-php-ext-install pdo_mysql \
@@ -19,3 +20,4 @@ RUN cd /var/www && composer install
 COPY src /var/www/src
 COPY html /var/www/html
 COPY templates /var/www/templates
+COPY bin/update-ldap /usr/local/bin/
diff --git a/auth_openidc.conf b/auth_openidc.conf
index 63d422e..19db963 100644
--- a/auth_openidc.conf
+++ b/auth_openidc.conf
@@ -12,8 +12,10 @@ AuthType openid-connect
- Require valid-user
 OIDCUnAuthAction auth true
+
+ AuthLDAPURL ldap://ldap.umich.edu/ou=People,dc=umich,dc=edu?uid?sub
+ Require ldap-group cn=ulib-dnd-cnm-admin,ou=User Groups,ou=Groups,dc=umich,dc=edu
diff --git a/bin/update-ldap b/bin/update-ldap
new file mode 100755
index 0000000..fa5f85c
--- /dev/null
+++ b/bin/update-ldap
@@ -0,0 +1,32 @@
+#!/bin/bash
+
+TMPFILE=$(mktemp -p /tmp "update.ldif.XXXXXXXX")
+
+username="$1"
+directory_file="$2"
+
+if [ x"$username" = x"" ] ; then
+ echo "usage: $0 "
+ echo
+ echo " is your uniqname"
+ echo " is https://staff.lib.umich.edu/staff-directory.json"
+ exit 1
+fi
+
+cat > ${TMPFILE} <> $TMPFILE
+done
+
+ldapmodify \
+ -H ldap://ldap.umich.edu \
+ -f "${TMPFILE}"\
+ -D "uid=${username},ou=People,dc=umich,dc=edu" \
+ -W
+
+rm "${TMPFILE}"
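Review bot: The package added to the install line, libapache2-mod-authnz-external, is never enabled or referenced anywhere in this commit; the module enabled two lines later is authnz_ldap, which as far as I know is shipped by Debian's apache2-bin rather than by that package, so the extra package only adds an unused module to the image. Either drop it, `&& apt-get install -y jq ldap-utils libapache2-mod-auth-openidc git \`, or, if external authentication really is planned, enable it explicitly with `&& a2enmod authnz_external \` so the intent is visible. The hunk counts (-2,9 +2,10) suggest one line of this RUN instruction was lost in extraction, so the first hunk may not be complete as shown; the `COPY bin/update-ldap` in the second hunk is presumably what jq and ldap-utils are for.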
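Review bot: The new `AuthLDAPURL` uses plain `ldap://ldap.umich.edu`, and no bind DN or TLS directive appears in the hunk, so every `Require ldap-group` decision for an already-authenticated user depends on an unauthenticated, unencrypted directory query between the container and the LDAP server. If the server supports it, prefer `AuthLDAPURL ldaps://ldap.umich.edu/ou=People,dc=umich,dc=edu?uid?sub` (or add `LDAPTrustedMode TLS` at server scope) so the membership answer that gates admin access cannot be altered in transit. Also worth confirming: with `AuthType openid-connect`, the value matched against `uid` is whatever mod_auth_openidc sets as REMOTE_USER, and unless `OIDCRemoteUserClaim` is configured elsewhere that is not a bare uniqname by default, which would make the group check fail for everyone. The enclosing container lines of this block (likely `<Location>`-style tags) seem to have been stripped in extraction, so the scope of the new directives could not be verified here.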
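Review bot: `ldapmodify` is called with `-H ldap://ldap.umich.edu` and `-W`, so the user's bind password and the generated LDIF travel to the directory unencrypted; add `-ZZ` to require StartTLS, or use `-H ldaps://ldap.umich.edu` if the server offers it. The script also has no `set -euo pipefail`, never checks that `mktemp` succeeded or that `directory_file` was supplied (only `username` is tested), and removes the temp file only on the normal path, so an interrupted run leaves the LDIF in /tmp; `set -euo pipefail` after the shebang, `TMPFILE=$(mktemp -p /tmp "update.ldif.XXXXXXXX") || exit 1`, and `trap 'rm -f -- "${TMPFILE}"' EXIT` cover all three and let the final `rm` go. The `x"$username" = x""` idiom can become `[ -z "$username" ] || [ -z "$directory_file" ]` so the usage check matches the two arguments the script actually reads, and `${TMPFILE}` should be quoted on the `cat >` and `>>` redirections. The heredoc body between `cat > ${TMPFILE} <` and `done`, and the placeholders in the usage lines, appear to have been stripped in extraction, so that part of the hunk could not be reviewed.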