Re: groupcmp fails during tunneled request
Hello,

Just to inform you that I have solved the problem. Some parts of the LDAP were not indexed properly, so it caused some trouble with FreeRADIUS.

Matthew

Ivan Kalik wrote:
>> I fixed the SSL issue, restarted the server and the group check was
>> working until now: *no huntgroup* for user
>> Nothing has changed and the server has not been restarted.
>>
>> I just don't understand where the problem is as for the same user it's
>> working in the first place, then after a few hours of work, it starts
>> failing... without restarting the daemon.
>>
>
> Debug ldap and see what is going on. For some reason you are losing the
> connection to ldap.
>
> Ivan Kalik
> Kalik Informatika ISP
>

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: groupcmp fails during tunneled request
Ivan Kalik wrote:
>> I stop the server and put it in debug mode: it works flawlessly!!!
>> I stop the debug and restart freeradius, it works a while, then it
>> starts failing again. And I have nothing more in the logs than:
>>
>> Error: TLS Alert read:fatal:access denied
>>
>
> Fix that. It works in debug mode because the server is running as root.
>
> Ivan Kalik
> Kalik Informatika ISP
>

I fixed the SSL issue, restarted the server and the group check was working until now: *no huntgroup* for user

Nothing has changed and the server has not been restarted.

I just don't understand where the problem is, as for the same user it's working in the first place, then after a few hours of work, it starts failing... without restarting the daemon.

Matt
Re: groupcmp fails during tunneled request
> I stop the server and put it in debug mode: it works flawlessly!!!
> I stop the debug and restart freeradius, it works a while, then it
> starts failing again. And I have nothing more in the logs than:
>
> Error: TLS Alert read:fatal:access denied

Fix that. It works in debug mode because the server is running as root.

Ivan Kalik
Kalik Informatika ISP
Re: groupcmp fails during tunneled request
Hello again,

I'll try to be more specific so someone can give me some advice. Here is the thing: the server is running, and now the group check is failing since I can't be authorised because it says that I don't have a huntgroup (i.e. "no huntgroup"). On my LDAP account, I do have them.

I stop the server and put it in debug mode: it works flawlessly!!!
I stop the debug and restart freeradius, it works a while, then it starts failing again. And I have nothing more in the logs than:

Auth: [preprocess] No huntgroup access:
Error: Discarding duplicate request from client
Error: WARNING: Unresponsive child for request 1953, in module preprocess component authorize

and sometimes:

Error: TLS Alert read:fatal:access denied
Error: TLS_accept:failed in SSLv3 read client certificate A
Error: rlm_eap: SSL error error:14094419:SSL routines:SSL3_READ_BYTES:tlsv1 alert access denied
Error: SSL: SSL_read failed inside of TLS (-1), TLS session fails.

I am a bit confused as I can't see the group membership errors in debug, as it doesn't occur there. I guess the TLS alert is some client with a wrong CA.

Any help or suggestion will be really appreciated.

Matthew

Matthieu Lazaro wrote:
> Hello,
>
> I'm still having the issue.
> It all works ok when I restart freeradius or when I run the debug, then
> it starts failing a while later.
> I tried to increase the timeout on ldap connections. This did nothing.
>
> Any idea is welcome.
>
> Thanks,
>
> Matthew
>
>
> Ivan Kalik wrote:
>
>> I don't see anything wrong with that debug. It all looks as expected.
>>
>> Ivan Kalik
>> Kalik Informatika ISP
>>
Re: groupcmp fails during tunneled request
Hello,

I'm still having the issue.
It all works ok when I restart freeradius or when I run the debug, then it starts failing a while later.
I tried to increase the timeout on ldap connections. This did nothing.

Any idea is welcome.

Thanks,

Matthew

Ivan Kalik wrote:
>
> I don't see anything wrong with that debug. It all looks as expected.
>
> Ivan Kalik
> Kalik Informatika ISP
>
Re: groupcmp fails during tunneled request
I don't see anything wrong with that debug. It all looks as expected.

Ivan Kalik
Kalik Informatika ISP
Re: groupcmp fails during tunneled request
Ivan Kalik wrote:
>> Ivan Kalik wrote:
>>>> I am having an issue with the groups again.
>>>>
>>>> WIFI    NAS-Identifier == "accessPoint-Manager"
>>>>         Ldap-Group == wireless,
>>>>         Ldap-Group == wireless2,
>>>>
>>>> When I have the attribute wireless it works without a flaw, if I have
>>>> both, it's ok, if I have *ONLY* wireless2 it says "no huntgroup" and I'm
>>>> rejected.
>>>
>>> User is not in wireless2 group in ldap?
>>>
>>> Ivan Kalik
>>> Kalik Informatika ISP
>>>
>> The user *IS* in the wireless2 group in LDAP... That's why I don't
>> understand why it says no huntgroup because wireless works.
>> I was thinking about the syntax maybe ( "," "==")
>>
>
> Is that user entry or huntgroup entry? In user entry Ldap-Group should be
> on the check line. Post the debug.
>
> Ivan Kalik
> Kalik Informatika ISP
>

Hello and thanks for the prompt response.

This is a huntgroup entry:

WIFI    NAS-Identifier == "accessPoint-Manager"
        Ldap-Group == wireless,
        Ldap-Group == wireless2,

I really wanted to post the debug of a non-working configuration with those groups, but it seems to work now since I have put it in debug mode. And I haven't changed anything in the configuration since it didn't work. So something is really weird.

I'll give you the debug since I think some stuff in it is really strange anyway.

Best Regards,
Matthew

rad_recv: Access-Request packet from host {nas-...@} port 1645, id=142, length=156
        User-Name = "ldap-test-user"
        Framed-MTU = 1400
        Called-Station-Id = "00-1E-13-6E-E7-F0"
        Calling-Station-Id = "00-21-E9-AD-65-C9"
        Service-Type = Login-User
        Message-Authenticator = x
        EAP-Message =
        NAS-Port-Type = Wireless-802.11
        NAS-Port = 74057
        NAS-Port-Id = "74057"
        NAS-IP-Address = {nas-...@}
        NAS-Identifier = "test-access-point"
+- entering group authorize {...}
rlm_ldap: Entering ldap_groupcmp()
[preprocess]expand: dc=companyname,dc=com -> dc=companyname,dc=com
[preprocess] WARNING: Deprecated conditional expansion ":-". See "man unlang" for details
[preprocess]expand: (uid=%{Stripped-User-Name:-%{User-Name}}) -> (uid=ldap-test-user)
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to radiusserver.companyname.fr:389, authentication 0
rlm_ldap: starting TLS
rlm_ldap: bind as uid=radtest,ou=accounts,dc=companyname,dc=com/xxx to radiusserver.companyname.fr:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: performing search in dc=companyname,dc=com, with filter (uid=ldap-test-user)
rlm_ldap: ldap_release_conn: Release Id: 0
[preprocess]expand: (|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn}))) -> (|(&(objectClass=GroupOfNames)(member=))(&(objectClass=GroupOfUniqueNames)(uniquemember=)))
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in dc=companyname,dc=com, with filter (&(radiusGroupName=wireless)(|(&(objectClass=GroupOfNames)(member=))(&(objectClass=GroupOfUniqueNames)(uniquemember=
rlm_ldap: object not found
rlm_ldap: ldap_release_conn: Release Id: 0
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in uid=ldap-test-user,ou=people,dc=companyname,dc=com, with filter (objectclass=*)
rlm_ldap::groupcmp: Group wireless not found or user not a member
rlm_ldap: ldap_release_conn: Release Id: 0
rlm_ldap: Entering ldap_groupcmp()
[preprocess]expand: dc=companyname,dc=com -> dc=companyname,dc=com
[preprocess]expand: (|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn}))) -> (|(&(objectClass=GroupOfNames)(member=))(&(objectClass=GroupOfUniqueNames)(uniquemember=)))
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in dc=companyname,dc=com, with filter (&(radiusGroupName=wireless2)(|(&(objectClass=GroupOfNames)(member=))(&(objectClass=GroupOfUniqueNames)(uniquemember=
rlm_ldap: object not found
rlm_ldap: ldap_release_conn: Release Id: 0
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in uid=ldap-test-user,ou=people,dc=companyname,dc=com, with filter (objectclass=*)
rlm_ldap::ldap_groupcmp: User found in group wireless2
rlm_ldap: ldap_release_conn: Release Id: 0
++[preprocess] returns ok
[auth_log] expand: /var/log/freeradius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /var/log/freeradius/radacct/{nas-...@}/auth-detail-20090630
[auth_log] /var/log/freeradius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/f
Re: groupcmp fails during tunneled request
Ivan Kalik wrote:
>> I am having an issue with the groups again.
>>
>> WIFI    NAS-Identifier == "accessPoint-Manager"
>>         Ldap-Group == wireless,
>>         Ldap-Group == wireless2,
>>
>> When I have the attribute wireless it works without a flaw, if I have
>> both, it's ok, if I have *ONLY* wireless2 it says "no huntgroup" and I'm
>> rejected.
>>
>
> User is not in wireless2 group in ldap?
>
> Ivan Kalik
> Kalik Informatika ISP
>

The user *IS* in the wireless2 group in LDAP... That's why I don't understand why it says no huntgroup because wireless works.

I was thinking about the syntax maybe ( "," "==")
Re: groupcmp fails during tunneled request
> I am having an issue with the groups again.
>
> WIFI    NAS-Identifier == "accessPoint-Manager"
>         Ldap-Group == wireless,
>         Ldap-Group == wireless2,
>
> When I have the attribute wireless it works without a flaw, if I have
> both, it's ok, if I have *ONLY* wireless2 it says "no huntgroup" and I'm
> rejected.

User is not in wireless2 group in ldap?

Ivan Kalik
Kalik Informatika ISP
Re: groupcmp fails during tunneled request
Ivan Kalik wrote:
>> Content of my huntgroup file.
>>
>> WIFI    NAS-Identifier == "accessPoint-Manager"
>>         Ldap-Group == wireless,
>>         Ldap-Group == wireless2,
>> REM     NAS-IP-Address == 10.44.12.2
>>         Ldap-Group == REM
>>
>
> OK.
>
>> Content of my user file:
>>
>> DEFAULT Framed-Protocol == PPP
>>         Framed-Protocol = PPP,
>>         Framed-Compression = Van-Jacobson-TCP-IP
>>
>> DEFAULT Hint == "CSLIP"
>>         Framed-Protocol = SLIP,
>>         Framed-Compression = Van-Jacobson-TCP-IP
>>
>> DEFAULT Hint == "SLIP"
>>         Framed-Protocol = SLIP
>>
>> DEFAULT Ldap-Group == BANNED , Auth-Type := Reject
>>         Reply-Message = "Account disabled. Please call the helpdesk."
>>
>> DEFAULT Huntgroup-Name == WIFI, Auth-Type = eap
>>         Fall-Through = no,
>>
>
> That should match (remove that Auth-Type from this and REM entry). But ...
>
>> DEFAULT Huntgroup-Name == REM, Auth-Type = ldap
>>         Fall-Through = no,
>>
>> DEFAULT Auth-Type := Reject
>>         Reply-Message = "Please call the helpdesk."
>>
>
> ...
>
>> server inner-tunnel {
>> +- entering group authorize {...}
>> ++[mschap] returns noop
>> [suffix] No '@' in User-Name = "alicebob", looking up realm NULL
>> [suffix] No such realm "NULL"
>> ++[suffix] returns noop
>> [eap] EAP packet type response id 7 length 11
>> [eap] No EAP Start, assuming it's an on-going EAP conversation
>> ++[eap] returns updated
>> rlm_ldap: Entering ldap_groupcmp()
>> [files] expand: dc=companyname,dc=com -> dc=companyname,dc=com
>>
>
> ... you haven't enabled preprocess in inner-tunnel server. Huntgroups are
> processed in preprocess.
>
> Ivan Kalik
> Kalik Informatika ISP
>

Hello Again,

I am having an issue with the groups again.

WIFI    NAS-Identifier == "accessPoint-Manager"
        Ldap-Group == wireless,
        Ldap-Group == wireless2,

When I have the attribute wireless it works without a flaw, if I have both, it's ok, if I have *ONLY* wireless2 it says "no huntgroup" and I'm rejected.

Any ideas?

Best Regards,
Matthew
Re: groupcmp fails during tunneled request
Ivan Kalik wrote:
>> I'm having an issue with the group check (ldap_groupcmp).
>>
>> Everything is fine until the request is tunnelled, and I can't find out
>> why my user is rejected there
>> It seems that he ends in this section during this phase:
>> DEFAULT Ldap-Group == BANNED , Auth-Type := Reject
>>         Reply-Message = "Account disabled. Please call the helpdesk."
>>
>
> No. That didn't match.
>
>> Tue Apr 28 11:42:35 2009 : Debug: rlm_ldap::groupcmp: Group BANNED not
>> found or user not a member
>>
>
> See.
>
>> Tue Apr 28 11:42:35 2009 : Debug: rlm_ldap: ldap_release_conn: Release Id:
>> 0
>> Tue Apr 28 11:42:35 2009 : Info: [files] users: Matched entry DEFAULT at
>> line 15
>>
>
> But something else did. What is on line 15 in users file?
>

DEFAULT Auth-Type := Reject
        Reply-Message = "Please call the helpdesk."

>> Tell me if you need more debug output...
>>
>
> We do. This doesn't show anything. Post the debug with whole inner tunnel
> exchange.
>
>> It was working perfectly before I introduced the group check using the
>> huntgroups.
>>
>
> Huntgroups?
>

Content of my huntgroup file.

WIFI    NAS-Identifier == "accessPoint-Manager"
        Ldap-Group == wireless,
        Ldap-Group == wireless2,
REM     NAS-IP-Address == 10.44.12.2
        Ldap-Group == REM

Content of my user file:

DEFAULT Framed-Protocol == PPP
        Framed-Protocol = PPP,
        Framed-Compression = Van-Jacobson-TCP-IP

DEFAULT Hint == "CSLIP"
        Framed-Protocol = SLIP,
        Framed-Compression = Van-Jacobson-TCP-IP

DEFAULT Hint == "SLIP"
        Framed-Protocol = SLIP

DEFAULT Ldap-Group == BANNED , Auth-Type := Reject
        Reply-Message = "Account disabled. Please call the helpdesk."

DEFAULT Huntgroup-Name == WIFI, Auth-Type = eap
        Fall-Through = no,

DEFAULT Huntgroup-Name == REM, Auth-Type = ldap
        Fall-Through = no,

DEFAULT Auth-Type := Reject
        Reply-Message = "Please call the helpdesk."

Invalid operator for item NAS-Identifier: reverting to '==' ==> I have corrected this now

Full Debug:

rad_recv: Access-Request packet from host 10.0.0.2 port 32769, id=13, length=219
        User-Name = "alicebob"
        Calling-Station-Id = "00-13-02-25-CF-40"
        Called-Station-Id = "00-1E-13-1C-87-00:WiFi-TEST"
        NAS-Port = 1
        NAS-IP-Address = 192.168.225.8
        NAS-Identifier = "accessPoint-Manager"
        Airespace-Wlan-Id = 2
        Service-Type = Framed-User
        Framed-MTU = 1300
        NAS-Port-Type = Wireless-802.11
        Tunnel-Type:0 = VLAN
        Tunnel-Medium-Type:0 = IEEE-802
        Tunnel-Private-Group-Id:0 = "502"
        EAP-Message = 0x0207002219001703010017d6d3387b7eed6b4b21f289092b99288904cc4970a60bfc
        State = 0x6416d65c6011cf1de638dad1d46f61b2
        Message-Authenticator = 0x0b5692123f68b20d631e3b7b45b39069
+- entering group authorize {...}
Invalid operator for item NAS-Identifier: reverting to '=='
rlm_ldap: Entering ldap_groupcmp()
[preprocess]expand: dc=companyname,dc=com -> dc=companyname,dc=com
[preprocess] WARNING: Deprecated conditional expansion ":-". See "man unlang" for details
[preprocess]expand: (uid=%{Stripped-User-Name:-%{User-Name}}) -> (uid=alicebob)
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in dc=companyname,dc=com, with filter (uid=alicebob)
rlm_ldap: ldap_release_conn: Release Id: 0
[preprocess]expand: (|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn}))) -> (|(&(objectClass=GroupOfNames)(member=))(&(objectClass=GroupOfUniqueNames)(uniquemember=)))
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in dc=companyname,dc=com, with filter (&(radiusGroupName=wireless)(|(&(objectClass=GroupOfNames)(member=))(&(objectClass=GroupOfUniqueNames)(uniquemember=
rlm_ldap: object not found or got ambiguous search result
rlm_ldap: ldap_release_conn: Release Id: 0
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in uid=alicebob,ou=companystaff,dc=companyname,dc=com, with filter (objectclass=*)
rlm_ldap::ldap_groupcmp: User found in group wireless
rlm_ldap: ldap_release_conn: Release Id: 0
++[preprocess] returns ok
[auth_log] expand: /var/log/freeradius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /var/log/freeradius/radacct/10.0.0.2/auth-detail-20090428
[auth_log] /var/log/freeradius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/freeradius/radacct/10.0.0.2/auth-detail-20090428
[auth_log] expand: %t -> Tue Apr 28 16:10:52 2009
++[auth_log] returns ok
++[mschap] returns noop
[suffix] No '@' in User-Name = "alicebob", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 7 length 34
[eap] Cont
Re: groupcmp fails during tunneled request
> I'm having an issue with the group check (ldap_groupcmp).
>
> Everything is fine until the request is tunnelled, and I can't find out
> why my user is rejected there
> It seems that he ends in this section during this phase:
> DEFAULT Ldap-Group == BANNED , Auth-Type := Reject
>         Reply-Message = "Account disabled. Please call the helpdesk."
>

No. That didn't match.

> Tue Apr 28 11:42:35 2009 : Debug: rlm_ldap::groupcmp: Group BANNED not
> found or user not a member

See.

> Tue Apr 28 11:42:35 2009 : Debug: rlm_ldap: ldap_release_conn: Release Id:
> 0
> Tue Apr 28 11:42:35 2009 : Info: [files] users: Matched entry DEFAULT at
> line 15

But something else did. What is on line 15 in users file?

> Tell me if you need more debug output...

We do. This doesn't show anything. Post the debug with whole inner tunnel exchange.

> It was working perfectly before I introduced the group check using the
> huntgroups.
>

Huntgroups?

Ivan Kalik
Kalik Informatika ISP
groupcmp fails during tunneled request
Hello list,

I'm having an issue with the group check (ldap_groupcmp).

Everything is fine until the request is tunnelled, and I can't find out why my user is rejected there. It seems that he ends up in this section during this phase:

DEFAULT Ldap-Group == BANNED , Auth-Type := Reject
        Reply-Message = "Account disabled. Please call the helpdesk."

Even if he has the correct group in the LDAP.

This was working on my test bed. The configuration seems to be the same; the only change is the NAS type (I have tested that on HP switches, and now it's using a Cisco Wireless controller). It was working perfectly before I introduced the group check using the huntgroups.

I'm using version 2.1.1 of freeradius on a Debian etch box.

Here is the part of the debug where it fails.

Sending tunneled request
        EAP-Message = 0x020f000b01676269676f74
        FreeRADIUS-Proxied-To = 127.0.0.1
        User-Name = "alicebob"
        Calling-Station-Id = "00-13-02-25-FF-40"
        Called-Station-Id = "00-1E-13-1D-85-70:WiFi-TEST"
        NAS-Port = 1
        NAS-IP-Address = 192.168.226.8
        NAS-Identifier = "accessPoint-Manager"
        Airespace-Wlan-Id = 2
        Service-Type = Framed-User
        Framed-MTU = 1300
        NAS-Port-Type = Wireless-802.11
        Tunnel-Type:0 = VLAN
        Tunnel-Medium-Type:0 = IEEE-802
        Tunnel-Private-Group-Id:0 = "502"
server inner-tunnel {
Tue Apr 28 11:42:35 2009 : Info: +- entering group authorize {...}
Tue Apr 28 11:42:35 2009 : Info: ++[mschap] returns noop
Tue Apr 28 11:42:35 2009 : Info: [suffix] No '@' in User-Name = "alicebob", looking up realm NULL
Tue Apr 28 11:42:35 2009 : Info: [suffix] No such realm "NULL"
Tue Apr 28 11:42:35 2009 : Info: ++[suffix] returns noop
Tue Apr 28 11:42:35 2009 : Info: [eap] EAP packet type response id 15 length 11
Tue Apr 28 11:42:35 2009 : Info: [eap] No EAP Start, assuming it's an on-going EAP conversation
Tue Apr 28 11:42:35 2009 : Info: ++[eap] returns updated
Tue Apr 28 11:42:35 2009 : Debug: rlm_ldap: Entering ldap_groupcmp()
Tue Apr 28 11:42:35 2009 : Info: [files]expand: dc=companyname,dc=com -> dc=companyname,dc=com
Tue Apr 28 11:42:35 2009 : Info: [files] WARNING: Deprecated conditional expansion ":-". See "man unlang" for details
Tue Apr 28 11:42:35 2009 : Info: [files]expand: (uid=%{Stripped-User-Name:-%{User-Name}}) -> (uid=alicebob)
Tue Apr 28 11:42:35 2009 : Debug: rlm_ldap: ldap_get_conn: Checking Id: 0
Tue Apr 28 11:42:35 2009 : Debug: rlm_ldap: ldap_get_conn: Got Id: 0
Tue Apr 28 11:42:35 2009 : Debug: rlm_ldap: performing search in dc=companyname,dc=com, with filter (uid=alicebob)
Tue Apr 28 11:42:35 2009 : Debug: rlm_ldap: ldap_release_conn: Release Id: 0
Tue Apr 28 11:42:35 2009 : Info: [files]expand: (|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn}))) -> (|(&(objectClass=GroupOfNames)(member=))(&(objectClass=GroupOfUniqueNames)(uniquemember=)))
Tue Apr 28 11:42:35 2009 : Debug: rlm_ldap: ldap_get_conn: Checking Id: 0
Tue Apr 28 11:42:35 2009 : Debug: rlm_ldap: ldap_get_conn: Got Id: 0
Tue Apr 28 11:42:35 2009 : Debug: rlm_ldap: performing search in dc=companyname,dc=com, with filter (&(radiusGroupName=BANNED)(|(&(objectClass=GroupOfNames)(member=))(&(objectClass=GroupOfUniqueNames)(uniquemember=
Tue Apr 28 11:42:35 2009 : Debug: rlm_ldap: object not found or got ambiguous search result
Tue Apr 28 11:42:35 2009 : Debug: rlm_ldap: ldap_release_conn: Release Id: 0
Tue Apr 28 11:42:35 2009 : Debug: rlm_ldap: ldap_get_conn: Checking Id: 0
Tue Apr 28 11:42:35 2009 : Debug: rlm_ldap: ldap_get_conn: Got Id: 0
Tue Apr 28 11:42:35 2009 : Debug: rlm_ldap: performing search in uid=alicebob,ou=people,dc=companyname,dc=com, with filter (objectclass=*)
Tue Apr 28 11:42:35 2009 : Debug: rlm_ldap::groupcmp: Group BANNED not found or user not a member
Tue Apr 28 11:42:35 2009 : Debug: rlm_ldap: ldap_release_conn: Release Id: 0
Tue Apr 28 11:42:35 2009 : Info: [files] users: Matched entry DEFAULT at line 15
Tue Apr 28 11:42:35 2009 : Info: ++[files] returns ok

Tell me if you need more debug output...

Best regards,
Matt
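The debug output quoted throughout this thread can be triaged mechanically. The following is an added example, not code from the thread or from the FreeRADIUS project: it parses radiusd -X style lines like those above (with or without the timestamp prefix), records per virtual server which modules ran and how each ldap_groupcmp check resolved, flags the empty %{Ldap-UserDn} expansion visible in the group filter, and answers the point Ivan makes directly: whether preprocess, the module that sets Huntgroup-Name, actually ran in the server whose users file checks Huntgroup-Name. The sample lines are constructed and modelled on the output quoted in the thread.

```python
import re

# Constructed sample, modelled on the radiusd -X output quoted in this thread:
# the outer server (where preprocess runs and resolves the Ldap-Group checks),
# the inner-tunnel server (where it does not), and the later intermittent errors.
SAMPLE_DEBUG = """\
+- entering group authorize {...}
rlm_ldap: Entering ldap_groupcmp()
[preprocess]expand: (&(objectClass=GroupOfNames)(member=%{Ldap-UserDn})) -> (&(objectClass=GroupOfNames)(member=))
rlm_ldap::groupcmp: Group wireless not found or user not a member
rlm_ldap: Entering ldap_groupcmp()
rlm_ldap::ldap_groupcmp: User found in group wireless2
++[preprocess] returns ok
server inner-tunnel {
Tue Apr 28 11:42:35 2009 : Info: +- entering group authorize {...}
Tue Apr 28 11:42:35 2009 : Info: ++[mschap] returns noop
Tue Apr 28 11:42:35 2009 : Info: ++[eap] returns updated
Tue Apr 28 11:42:35 2009 : Debug: rlm_ldap::groupcmp: Group BANNED not found or user not a member
Tue Apr 28 11:42:35 2009 : Info: [files] users: Matched entry DEFAULT at line 15
Tue Apr 28 11:42:35 2009 : Info: ++[files] returns ok
} # server inner-tunnel
Error: TLS Alert read:fatal:access denied
Error: WARNING: Unresponsive child for request 1953, in module preprocess component authorize
"""

TIMESTAMP_RE = re.compile(r"^\w{3} \w{3} +\d+ [\d:]+ \d{4} : \w+: ")
SERVER_RE = re.compile(r"^server (\S+) \{")
MODULE_RE = re.compile(r"^\+\+\[(\w+)\] returns \w+")
GROUP_RE = re.compile(r"rlm_ldap::(?:ldap_)?groupcmp: "
                      r"(?:User found in group (\S+)|Group (\S+) not found)")
EMPTY_DN_RE = re.compile(r"\((?:unique)?member=\)")  # %{Ldap-UserDn} expanded empty
ERROR_RE = re.compile(r"^Error: (.+)")


def triage(debug_text):
    """Per virtual server, record which modules ran and how each ldap_groupcmp
    check resolved; also flag an empty Ldap-UserDn and collect Error: lines."""
    server = "default"  # outer server until a "server <name> {" block opens
    report = {"groupcmp": [], "modules": {}, "empty_userdn": False, "errors": []}
    for raw in debug_text.splitlines():
        line = TIMESTAMP_RE.sub("", raw.strip())
        m = SERVER_RE.match(line)
        if m:
            server = m.group(1)
            continue
        if line.startswith("}"):  # "} # server inner-tunnel" closes the block
            server = "default"
            continue
        m = GROUP_RE.search(line)
        if m:
            found = m.group(1) is not None
            report["groupcmp"].append((server, m.group(1) or m.group(2), found))
        elif EMPTY_DN_RE.search(line):
            report["empty_userdn"] = True
        elif MODULE_RE.match(line):
            report["modules"].setdefault(server, []).append(MODULE_RE.match(line).group(1))
        elif ERROR_RE.match(line):
            report["errors"].append(ERROR_RE.match(line).group(1))
    return report


def huntgroup_check_possible(report, server):
    """Huntgroup-Name is set only by the preprocess module, so a users-file entry
    keyed on Huntgroup-Name can match only in a server whose authorize ran it."""
    return "preprocess" in report["modules"].get(server, [])


def groups_found(report, server):
    """LDAP groups that ldap_groupcmp confirmed membership of, in one server."""
    return [g for s, g, ok in report["groupcmp"] if s == server and ok]
```

Run against a full radiusd -X capture, a False from huntgroup_check_possible for "inner-tunnel" is exactly the misconfiguration Ivan points out, while repeated Error: lines with no failing groupcmp point at the connection-level problem seen later in the thread.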