Ok, I'm now one step closer. Mearl's solution worked somewhat. Here is the output from the debug:
-----snip-----
rlm_ldap: - authorize
rlm_ldap: performing user authorization for gwaccesspo1
radius_xlat: '(cn=gwaccesspo1)'
radius_xlat: 'o=services'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in o=services, with filter (cn=gwaccesspo1)
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
rlm_ldap: user gwaccesspo1 authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
modcall[authorize]: module "ldap" returns ok for request 3
modcall: group authorize returns ok for request 3
rad_check_password: Found Auth-Type LDAP
auth: type "LDAP"
Processing the authenticate section of radiusd.conf
modcall: entering group Auth-Type for request 3
rlm_ldap: - authenticate
rlm_ldap: login attempt by "gwaccesspo1" with password "<password>"
rlm_ldap: user DN: cn=gwaccessPO1,ou=GW,o=Services
rlm_ldap: (re)connect to 10.254.8.25:389, authentication 1
rlm_ldap: bind as cn=gwaccessPO1,ou=GW,o=Services/<password> to 10.254.8.25:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind failed with invalid credentials
rlm_ldap: NDS error: failed authentication (-669)
-----snip-----

To contrast, here is the output from debug when I attempt to authenticate a user in the root context:

-----snip-----
rlm_ldap: - authorize
rlm_ldap: performing user authorization for zentest
radius_xlat: '(cn=zentest)'
radius_xlat: 'o=services'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in o=services, with filter (cn=zentest)
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
rlm_ldap: user zentest authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
modcall[authorize]: module "ldap" returns ok for request 2
modcall: group authorize returns ok for request 2
rad_check_password: Found Auth-Type LDAP
auth: type "LDAP"
Processing the authenticate section of radiusd.conf
modcall: entering group Auth-Type for request 2
rlm_ldap: - authenticate
rlm_ldap: login attempt by "zentest" with password "<password>"
rlm_ldap: user DN: cn=zentest,o=Services
rlm_ldap: (re)connect to 10.254.8.25:389, authentication 1
rlm_ldap: bind as cn=zentest,o=Services/<password> to 10.254.8.25:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: user zentest authenticated succesfully
-----snip-----

Thanks in advance,
Josh

On Tuesday, July 19th, Mearl said:
> Check the filter statement in the ldap portion of radiusd.conf. It's searching
> on "uid" which in eDirectory is an integer field and isn't populated by
> default.
>
> Change the filter to filter = "(cn=%{Stripped-User-Name:-%{User-Name}})" and
> try it. That will get you past the "object not found" message. It will then be
> able to return the fully qualified DN of the user.
>
> You can search on "cn" or any other ldap field that contains a unique ID.
> We're probably going to use uniqueID - the newer user creation APIs populate
> it by default - in our environment because iPrint requires it.
>
> Mearl
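
An added example, not part of the original message or of FreeRADIUS itself: a small Python parser that reduces rlm_ldap debug output like the two traces above to one record per attempt, so the search base, filter, resolved DN and bind result can be compared side by side. The sample lines are constructed from the traces in the message; the function name `summarize` and the record keys are assumptions.

```python
import re

# Constructed sample: a subset of the rlm_ldap lines from the two traces above.
SAMPLE = """\
rlm_ldap: performing search in o=services, with filter (cn=gwaccesspo1)
rlm_ldap: login attempt by "gwaccesspo1" with password "<password>"
rlm_ldap: user DN: cn=gwaccessPO1,ou=GW,o=Services
rlm_ldap: Bind failed with invalid credentials
rlm_ldap: NDS error: failed authentication (-669)
rlm_ldap: performing search in o=services, with filter (cn=zentest)
rlm_ldap: login attempt by "zentest" with password "<password>"
rlm_ldap: user DN: cn=zentest,o=Services
rlm_ldap: Bind was successful
"""

# The password field of the "login attempt" line is deliberately not captured.
PATTERNS = [
    re.compile(r"performing search in (?P<base>\S+), with filter (?P<filter>.+)$"),
    re.compile(r'login attempt by "(?P<user>[^"]*)"'),
    re.compile(r"user DN: (?P<dn>.+)$"),
    re.compile(r"NDS error: (?P<nds_text>.+) \((?P<nds_code>-?\d+)\)$"),
]

def summarize(text):
    """Return one dict per authentication attempt in rlm_ldap debug output."""
    attempts, cur = [], {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line.startswith("rlm_ldap:"):
            continue  # skip modcall/radius_xlat and other modules' lines
        msg = line[len("rlm_ldap:"):].strip()
        # Assumption: each attempt starts with the authorize-phase search.
        if msg.startswith("performing search in") and cur:
            attempts.append(cur)
            cur = {}
        for pat in PATTERNS:
            m = pat.search(msg)
            if m:
                cur.update(m.groupdict())
        if msg.startswith("Bind failed"):
            cur["bind"] = "failed"
        elif msg.startswith("Bind was successful"):
            cur["bind"] = "ok"
    if cur:
        attempts.append(cur)
    return attempts

if __name__ == "__main__":
    for attempt in summarize(SAMPLE):
        print(attempt)
```
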