Here's the "freeradius -X" (somehow it isn't radiusd -X on my side) output when executing "radtest $USER $PASS 127.0.0.1 0 testing123" I replaced sensitive data with names like $USER or $DOMAINCONTROLLERIP. The domaincontroller also works as an LDAP.
Listening on authentication address * port 1812 Listening on accounting address * port 1813 Listening on authentication address 127.0.0.1 port 18120 as server inner-tunnel Listening on proxy address * port 1814 Ready to process requests. rad_recv: Access-Request packet from host 127.0.0.1 port 54450, id=184, length=86 User-Name = "$USER" User-Password = "$PASS" NAS-IP-Address = 127.0.1.1 NAS-Port = 0 Message-Authenticator = 0xe0d8a8de27b928c14388759eebc06aaf # Executing section authorize from file /etc/freeradius/sites-enabled/default +group authorize { ++[preprocess] = ok ++[chap] = noop ++[mschap] = noop ++[digest] = noop [suffix] No '@' in User-Name = "$USER", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] = noop [eap] No EAP-Message, not doing EAP ++[eap] = noop [ldap] Entering ldap_groupcmp() [files] expand: dc=$DOMAIN,dc=local -> dc=$DOMAIN,dc=local [files] expand: %{Stripped-User-Name} -> [files] ... expanding second conditional [files] expand: %{User-Name} -> $USER [files] expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) -> (uid=$USER) [ldap] ldap_get_conn: Checking Id: 0 [ldap] ldap_get_conn: Got Id: 0 [ldap] attempting LDAP reconnection [ldap] (re)connect to $DOMAINCONTROLLERIP:389, authentication 0 [ldap] bind as / to $DOMAINCONTROLLERIP:389 [ldap] waiting for bind result ... [ldap] Bind was successful [ldap] performing search in dc=$DOMAIN,dc=local, with filter (uid=$USER) WARNING: Please set 'chase_referrals=yes' and 'rebind=yes' WARNING: See the ldap module configuration for details [ldap] ldap_search() failed: Operations error rlm_ldap::ldap_groupcmp: search failed [ldap] ldap_release_conn: Release Id: 0 ++[files] = noop [ldap] performing user authorization for $USER [ldap] expand: %{Stripped-User-Name} -> [ldap] ... expanding second conditional [ldap] expand: %{User-Name} -> $USER [ldap] expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) -> (uid=$USER) [ldap] expand: dc=$DOMAIN,dc=local -> dc=$DOMAIN,dc=local [ldap] ldap_get_conn: Checking Id: 0 [ldap] ldap_get_conn: Got Id: 0 [ldap] attempting LDAP reconnection [ldap] closing existing LDAP connection [ldap] (re)connect to $DOMAINCONTROLLERIP:389, authentication 0 [ldap] bind as / to $DOMAINCONTROLLERIP:389 [ldap] waiting for bind result ... [ldap] Bind was successful [ldap] performing search in dc=$DOMAIN,dc=local, with filter (uid=$USER) WARNING: Please set 'chase_referrals=yes' and 'rebind=yes' WARNING: See the ldap module configuration for details [ldap] ldap_search() failed: Operations error [ldap] search failed [ldap] ldap_release_conn: Release Id: 0 ++[ldap] = fail +} # group authorize = fail Invalid user: [$USER] (from client localhost port 0) Using Post-Auth-Type REJECT # Executing group from file /etc/freeradius/sites-enabled/default +group REJECT { [attr_filter.access_reject] expand: %{User-Name} -> $USER attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] = updated +} # group REJECT = updated Delaying reject of request 0 for 1 seconds Going to the next request Waking up in 0.9 seconds. Sending delayed reject for request 0 Sending Access-Reject of id 184 to 127.0.0.1 port 54450 Waking up in 4.9 seconds. Cleaning up request 0 ID 184 with timestamp +76 Ready to process requests.
As I read the log part
[ldap] ldap_search() failed: Operations error [ldap] search failed [ldap] ldap_release_conn: Release Id: 0 ++[ldap] = fail +} # group authorize = fail Invalid user: [$USER] (from client localhost port 0)
I think the LDAP doesn't replies with an accepted user? I think "[ldap] Bind was successful" means that the server is reachable and replies at least to a connection handshake