diff -Nur --no-dereference e-smith-ldap-5.6.0.old/root/sbin/e-smith/ldif-fix e-smith-ldap-5.6.0/root/sbin/e-smith/ldif-fix
--- e-smith-ldap-5.6.0.old/root/sbin/e-smith/ldif-fix 2022-04-17 23:45:45.494000000 -0400
+++ e-smith-ldap-5.6.0/root/sbin/e-smith/ldif-fix 2022-04-17 23:47:33.914000000 -0400
@@ -74,6 +74,7 @@
 $data->{"cn=nobody,$groupou,$basedn"}->{objectclass} = [ qw/posixGroup/ ];
 $data->{"uid=www,$userou,$basedn"}->{objectclass} = [ qw/account/ ];
 $data->{"cn=www,$groupou,$basedn"} = { objectclass => [ qw/posixGroup/ ], memberuid => [ qw/admin/ ] };
+$data->{"cn=rsshusers,$groupou,$basedn"}->{objectclass} = [ qw/posixGroup/ ];
 $data->{"cn=shared,$groupou,$basedn"} = {
 objectclass => [ qw/posixGroup mailboxRelatedObject/ ],
 mail => "everyone\@$domain",
@@ -107,6 +108,9 @@
 # users/ibays need to be a member of shared
 push @{$data->{"cn=shared,$groupou,$basedn"}->{memberuid}}, $key if $type =~ /^(user|ibay)$/ || $key eq 'admin';
 
+ # users need to be a member of rsshusers if their shell is /usr/bin/rssh
+ push @{$data->{"cn=rsshusers,$groupou,$basedn"}->{memberuid}}, $key if ($type =~ /^(user)$/ || $key eq 'admin') && (($acct->prop('Shell') || '/usr/bin/rssh') eq '/usr/bin/rssh');
+
 if ($auth ne 'enabled') {
 # Allow removal of shadow properties
 push @{$data->{$dn}->{_delete}->{objectclass}}, 'shadowAccount';
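Review bot: The new `cn=rsshusers` entry in the first hunk is given only `objectclass`, and a posixGroup entry also needs a `gidNumber`, which nothing visible here supplies. Presumably the script fills it in from the local group database outside this hunk, as it would have to for `cn=nobody`; that is worth confirming for hosts where the `rsshusers` system group does not exist yet. A short comment above the line would record the dependency, for example `# rsshusers: gidNumber is taken from the local group; members are added per account below`.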
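Review bot: In the second hunk the fallback `($acct->prop('Shell') || '/usr/bin/rssh')` treats an account whose Shell property is unset or empty as an rssh user, so membership of `rsshusers` is granted by default rather than on an explicit setting. If that group gates access elsewhere (not visible in this diff), confirm that the fallback matches the shell such an account really gets. Keeping the path in one variable, e.g. `my $rssh_shell = '/usr/bin/rssh';`, would stop the two literals from drifting apart. `$type =~ /^(user)$/` can be written `$type eq 'user'`, which drops the unused capture and does not accept a trailing newline. The enclosing loop starts and ends outside the hunk.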