It works. It just doesn't work as expected. In normal mode radius.log shows apparently working binds on startup: Thu Jan 9 13:33:06 2014 : Info: rlm_ldap (ldap_xxxxx): Opening additional connection (0) Thu Jan 9 13:33:06 2014 : Info: rlm_ldap (ldap_xxxxx): Opening additional connection (1) Thu Jan 9 13:33:06 2014 : Info: rlm_ldap (ldap_xxxxx): Opening additional connection (2) Thu Jan 9 13:33:06 2014 : Info: rlm_ldap (ldap_yyyyy): Opening additional connection (0) Thu Jan 9 13:33:06 2014 : Info: rlm_ldap (ldap_yyyyy): Opening additional connection (1) Thu Jan 9 13:33:06 2014 : Info: rlm_ldap (ldap_yyyyy): Opening additional connection (2) radtest with a user from "users" returns Access-Accept But radiusd -X is failing: ... # Skipping instantiation of ldap_yyyyy ldap ldap_yyyyy { ... } ... Ready to process requests rad_recv: Access-Request packet from host 127.0.0.1 port 46825, id=153, length=92 User-Name = 'thisuser' User-Password = 'thatpassword' NAS-IP-Address = 203.0.113.1 NAS-Port = 1812 Message-Authenticator = 0x96838d44a607086ec3af35a2d39aa6e5 (0) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default (0) authorize { (0) filter_username filter_username { (0) ? if (!User-Name) (0) ? if (!User-Name) -> FALSE (0) ? if (User-Name != "%{tolower:%{User-Name}}") (0) expand: "%{tolower:%{User-Name}}" -> 'thisuser' (0) ? if (User-Name != "%{tolower:%{User-Name}}") -> FALSE (0) ? if (User-Name =~ / /) (0) ? if (User-Name =~ / /) -> FALSE (0) ? if (User-Name =~ /@.*@/ ) (0) ? if (User-Name =~ /@.*@/ ) -> FALSE (0) ? if (User-Name =~ /\\.\\./ ) (0) ? if (User-Name =~ /\\.\\./ ) -> FALSE (0) ? if ((User-Name =~ /@/) && (User-Name !~ /@(.+)\\.(.+)$/)) (0) ? if ((User-Name =~ /@/) && (User-Name !~ /@(.+)\\.(.+)$/)) -> FALSE (0) ? if (User-Name =~ /\\.$/) (0) ? if (User-Name =~ /\\.$/) -> FALSE (0) ? if (User-Name =~ /@\\./) (0) ? if (User-Name =~ /@\\./) -> FALSE (0) } # filter_username filter_username = notfound (0) [preprocess] = ok (0) [chap] = noop (0) [mschap] = noop (0) [digest] = noop (0) suffix : No '@' in User-Name = "thisuser", looking up realm NULL (0) suffix : Found realm "NULL" (0) suffix : Adding Stripped-User-Name = "thisuser" (0) suffix : Adding Realm = "NULL" (0) suffix : Authentication realm is LOCAL (0) [suffix] = ok (0) eap : No EAP-Message, not doing EAP (0) [eap] = noop (0) files : users: Matched entry thisuser at line 108 (0) [files] = ok (0) ERROR: ldap_yyyyy : All ldap connections are in use (0) [ldap_yyyyy] = fail (0) } # authorize = fail (0) Using Post-Auth-Type Reject (0) # Executing group from file /usr/local/etc/raddb/sites-enabled/default (0) Post-Auth-Type REJECT { (0) attr_filter.access_reject : expand: "%{User-Name}" -> 'thisuser' (0) attr_filter.access_reject : Matched entry DEFAULT at line 11 (0) [attr_filter.access_reject] = updated (0) eap : Request didn't contain an EAP-Message, not inserting EAP-Failure (0) [eap] = noop (0) remove_reply_message_if_eap remove_reply_message_if_eap { (0) ? if (reply:EAP-Message && reply:Reply-Message) (0) ? if (reply:EAP-Message && reply:Reply-Message) -> FALSE (0) else else { (0) [noop] = noop (0) } # else else = noop (0) } # remove_reply_message_if_eap remove_reply_message_if_eap = noop (0) } # Post-Auth-Type REJECT = updated (0) Finished request 0. Waking up in 0.3 seconds. Waking up in 0.6 seconds. (0) Sending delayed reject Sending Access-Reject of id 153 from 127.0.0.1 port 1812 to 127.0.0.1 port 46825 Reply-Message = 'Rejected' Waking up in 4.9 seconds. (0) Cleaning up request packet ID 153 with timestamp +2 Ready to process requests Any idea about why this is happening? Regards.