diff --git a/paris-container.nix b/paris-container.nix
index 8cb0a50..c38245c 100644
--- a/paris-container.nix
+++ b/paris-container.nix
@@ -1,4 +1,4 @@
-{ config, lib, pkgs, ... }:
+{ config, lib, pkgs, ... }@toplevel:
 with lib;
 let
@@ -65,6 +65,13 @@ in {
       default = 4389;
     };
+    access-group = mkOption {
+      type = str;
+      description = "Group to which users must belong for access.";
+      default = let ldapCfg = toplevel.config.fudo.paris-container.ldap;
+      in "cn=shell,${ldapCfg.group-ou},${ldapCfg.base}";
+    };
+
     domain = mkOption {
       type = str;
       description =
@@ -340,6 +347,8 @@ in {
       ldap_group_object_class = "group";
       ldap_group_name = "cn";
+      ldap_access_filter = "memberOf=${cfg.ldap.access-group}";
+
       ldap_default_bind_dn = cfg.ldap.bind-dn;
       ldap_default_authtok = "$LDAP_DEFAULT_AUTHTOKEN";
     };
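Review bot: The `access-group` default in the second hunk reads `toplevel.config`, which is the very same attribute set the `config` argument already binds, so the `@toplevel` alias added in the first hunk buys nothing and makes the option harder to follow; `default = "cn=shell,${config.fudo.paris-container.ldap.group-ou},${config.fudo.paris-container.ldap.base}";` is equivalent (or via `cfg`, if that alias is in scope for the options block — its definition is outside the hunk). The description also undersells what the value is: it is a full group DN that ends up inside an sssd LDAP access filter, not a group name, so `description = "DN of the LDAP group a user must be a member of (memberOf) to be granted access.";` tells an operator what to set. Because the default is derived from `group-ou` and `base`, changing either of those silently moves the access gate; that dependency is worth a sentence in the description. The enclosing option set (presumably `ldap`, given `cfg.ldap.access-group` in the third hunk) begins and ends outside the hunk.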
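Review bot: `ldap_access_filter` in the third hunk only takes effect when the same sssd domain section also has `access_provider = ldap`; that setting is not in the hunk, and if it is absent sssd ignores the filter and every LDAP user keeps access, so the new restriction would be a no-op. If it is not already present, add it beside the filter: `access_provider = "ldap";`. The group DN is interpolated into the filter without RFC 4515 escaping, so a DN containing `(`, `)`, `*` or `\` would produce an invalid filter — tolerable for an operator-set option, but a one-line comment noting the assumption would spare the next reader a surprise. The attribute set this hunk edits starts and ends outside the hunk.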