Hi Alan,
The config you posted should work. If the information is found in ldap server 1, it returns, and doesn't check ldap server 2. It worked fine in old v 1.1, but not in v3.0. Now, with v3.0.10, all ldap subtrees are checked anyway.
Well... read the debug log. Change the configuration to return on "updated", instead of "ok". Alan DeKok.
Now the first match enters, but fails due the lack of "Auth-Type", because we do no reach 'files'. "(0) ERROR: No Auth-Type found: rejecting the user via Post-Auth-Type = Reject" If I move 'files', containing " DEFAULT Auth-Type := Accept (..)" , on top it does the trick, but is not very elegant. Where do I force the "Accept" in a more professional way without relay on 'files' ? /etc/raddb/sites-available/default (...) authorize { (..) # Moving "files" here does the trick..... --> "DEFAULT Auth-Type := Accept ..." but is not very elegant. files VLAN1 { #ok = return updated = return } VLAN2 { # ok = return updated = return } (...) ##files old files location. (...) } #radius -X (..) (0) [VLAN1] = notfound rlm_ldap (VLAN2): Reserved connection (0) (0) VLAN2: EXPAND (uid=%{%{Stripped-User-Name}:-%{User-Name}}) (0) VLAN2: --> (uid=010101010101) (0) VLAN2: Performing search in "ou=VLAN2,ou=VLANS,dc=acme,dc=com" with filter "(uid=010101010101)", scope "sub" (0) VLAN2: Waiting for search result... (0) VLAN2: User object found at DN "uid=010101010101,ou=VLAN2,ou=VLANS,dc=acme,dc=com" (0) VLAN2: Processing user attributes (0) VLAN2: control:Password-With-Header += '010101010101' (0) VLAN2: reply:Tunnel-Private-Group-ID := '3002' (0) VLAN2: reply::Extreme-CLI-Authorization := Disabled (0) VLAN2: reply::Extreme-Netlogin-Only := Enabled (0) VLAN2: reply::Extreme-Netlogin-Vlan := 'VLAN2' (0) VLAN2: reply:Termination-Action := RADIUS-Request (0) VLAN2: reply:Session-Timeout := 7200 rlm_ldap (VLAN2): Released connection (0) rlm_ldap (VLAN2): Need 5 more connections to reach 10 spares rlm_ldap (VLAN2): Opening additional connection (5), 1 of 27 pending slots used rlm_ldap (VLAN2): Connecting to ldap://127.0.0.1:389 rlm_ldap (VLAN2): Waiting for bind result... rlm_ldap (VLAN2): Bind successful (0) [VLAN2] = updated (0) } # authorize = updated (0) ERROR: No Auth-Type found: rejecting the user via Post-Auth-Type = Reject <<<<<<----- (0) Failed to authenticate the user (0) Login incorrect (No Auth-Type found: rejecting the user via Post-Auth-Type = Reject): [010101010101] (from client localhost port 0) (...) Regards. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html