Looking for a bit of advice, I am starting to think I am chasing the impossible and will have to start to use Realms or proxies to resolve this issue. FreeRADIUS 2.1.7 I have multiple LDAP sources, with different suffixes and I have to take into account the possibility that there may be username overlap between the two. AA from either one should be OK. I have two LDAP modules configured. Say uk and fr. I am happy that the authorize section works: authorize { uk { fail = 2 notfound = 2 ok = 1 } fr { fail = 2 notfound = 2 ok = 1 } } This gives an authorization if the user exists in either of the LDAP sources. Auth-Type is being set to LDAP authenticate { Auth-Type LDAP { uk { reject = 1 fail = 1 notfound = 1 ok = return } fr { reject = 1 fail = 1 notfound = 1 ok = return } } What I hoped this would do is return OK if authentication against either of the sources worked. This is similar to the duplicate-users scenario in many ways I suppose. However (output below) it attempts to do the authentication against both LDAP sources using the first suffix from the authorisation or carried over from the first Authentication attempt (I don't know which). [uk] performing user authorization for user [uk] expand: %{Stripped-User-Name} -> [uk] expand: %{User-Name} -> user [uk] expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) -> (uid=user) [uk] expand: ou=people,dc=uk,dc=com -> ou=people,dc=uk,dc=com rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: attempting LDAP reconnection rlm_ldap: (re)connect to 127.0.0.1:389, authentication 0 rlm_ldap: bind as STUFF/STUFF to 127.0.0.1:389 rlm_ldap: waiting for bind result ... rlm_ldap: Bind was successful rlm_ldap: performing search in ou=people,dc=uk,dc=com, with filter (uid=user) [uk] looking for check items in directory... [uk] looking for reply items in directory... WARNING: No "known good" password was found in LDAP. Are you sure that the user is configured correctly? [uk] Setting Auth-Type = LDAP [uk] user user authorized to use remote access rlm_ldap: ldap_release_conn: Release Id: 0 ++[uk] returns ok ** It has found a user "user" in the correct UK suffix, so that is as expected. [fr] performing user authorization for user [fr] expand: %{Stripped-User-Name} -> [fr] expand: %{User-Name} -> user [fr] expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) -> (uid=user) [fr] expand: ou=people,dc=fr,dc=com -> ou=people,dc=fr,dc=com rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: attempting LDAP reconnection rlm_ldap: (re)connect to 192.168.0.2:389, authentication 0 rlm_ldap: bind as STUFF/STUFF to 192.168.0.2:389 rlm_ldap: waiting for bind result ... rlm_ldap: Bind was successful rlm_ldap: performing search in ou=people,dc=fr,dc=com, with filter (uid=user) [fr] looking for check items in directory... [fr] looking for reply items in directory... WARNING: No "known good" password was found in LDAP. Are you sure that the user is configured correctly? [fr] user user authorized to use remote access rlm_ldap: ldap_release_conn: Release Id: 0 ++[fr] returns ok ** It has found a user "user" in the correct FR suffix, so that is good. ** Aggregate outcome of the authorise group is "ok". All I need to do is get a successful Auth against either one of them. ++[expiration] returns noop ++[logintime] returns noop [pap] WARNING! No "known good" password found for the user. Authentication may fail because of this. ++[pap] returns noop Found Auth-Type = LDAP +- entering group LDAP {...} [uk] login attempt by "user" with password "stuff" [uk] user DN: uid=user,ou=people,dc=uk,dc=com rlm_ldap: (re)connect to 127.0.0.1:389, authentication 1 rlm_ldap: bind as uid=user,ou=people,dc=uk,dc=com/stuff to 127.0.0.1:389 rlm_ldap: waiting for bind result ... rlm_ldap: Bind failed with invalid credentials ++[uk] returns reject ** This is OK - this user "user" is not the UK one, they are the FR one. [fr] login attempt by "user" with password "stuff" [fr] user DN: uid=user,ou=uk,dc=com rlm_ldap: (re)connect to 192.168.0.2:389, authentication 1 rlm_ldap: bind as uid=user,ou=people,dc=uk,dc=com/stuff to 192.168.0.2:389 rlm_ldap: waiting for bind result ... rlm_ldap: uid=user,ou=people,dc=uk,dc=com bind to 192.168.0.2:389 failed No such object [fr] ldap_connect() failed ++[fr] returns fail Failed to authenticate the user. ** It has attempted to bind to LDAP using the UK suffix, not the FR one, so fails where it should not. Using Post-Auth-Type Reject +- entering group REJECT {...} [attr_filter.access_reject] expand: %{User-Name} -> user attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] returns updated Delaying reject of request 0 for 1 seconds Going to the next request Waking up in 0.9 seconds. Sending delayed reject for request 0 Sending Access-Reject of id 43 to 127.0.0.1 port 59453 Waking up in 4.9 seconds. Cleaning up request 0 ID 43 with timestamp +3 Ready to process requests.