Hello Everyone, Before proceeding further I'm going to describe shortly what I want to do and what I did so far. Initially the requirement was to pull some authentication data from an LDAP server so that we can make some custom equipments to authenticate those LDAP users. These equipments can use only radius for authentication. This works just fine. Later the requirement was changed and I was asked to do some privilege separation based on the group each LDAP user is in. So it seemed to be easier just to map the LDAP gidNumber entry for each user to a radius check item: /etc/raddb/ldap.attrmap:checkItem Group-ID gidNumber /etc/raddb/dictionary:ATTRIBUTE Group-ID 3000 integer So in /etc/raddb/users I added something like DEFAULT Auth-Type = LDAP Service-Type = Login, Fall-Through = Yes DEFAULT Group-ID == 100 Service-Type := Shell-User DEFAULT Group-ID == 101 Service-Type := Dialout-Framed-User The problem is that the Service-Type never changes because the Group-ID doesn't match any of those checks. It remains set to the value (Login) I've set as default at the beginning of the file. However, when running the radius server in debug mode, I can see that the Group-ID is set correctly for each authenticated user: rlm_ldap: Adding gidNumber as Group-ID, value 100 & op=21 ...but I'm not sure if it's exported (or even supposed to be) out from rlm_ldap. The freeradius version is 1.1.3 (freeradius-1.1.3-1.6.el5). I am inserting below the entire output of the radius server during an authentication/authorization attempt: rad_recv: Access-Request packet from host 127.0.0.1:44291, id=235, length=57 User-Name = "testuser" User-Password = "testpassword" NAS-IP-Address = 255.255.255.255 NAS-Port = 0 Processing the authorize section of radiusd.conf modcall: entering group authorize for request 0 modcall[authorize]: module "preprocess" returns ok for request 0 modcall[authorize]: module "chap" returns noop for request 0 modcall[authorize]: module "mschap" returns noop for request 0 rlm_realm: No '@' in User-Name = "testuser", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 0 rlm_eap: No EAP-Message, not doing EAP modcall[authorize]: module "eap" returns noop for request 0 users: Matched entry DEFAULT at line 6 modcall[authorize]: module "files" returns ok for request 0 modcall: entering group redundant for request 0 rlm_ldap: - authorize rlm_ldap: performing user authorization for testuser radius_xlat: '(&(objectClass=posixAccount)(uid=testuser))' radius_xlat: 'dc=mydomain,dc=com' rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: attempting LDAP reconnection rlm_ldap: (re)connect to ldapserver.mydomain.com:389, authentication 0 rlm_ldap: setting TLS CACert File to /usr/share/ssl/certs/mydomain-CA.crt rlm_ldap: setting TLS CACert Directory to /usr/share/ssl/certs/ rlm_ldap: starting TLS request done: ld 0xb8b6c708 msgid 1 rlm_ldap: bind as / to ldapserver.mydomain.com:389 rlm_ldap: waiting for bind result ... request done: ld 0xb8b6c708 msgid 2 rlm_ldap: Bind was successful rlm_ldap: performing search in dc=mydomain,dc=com, with filter (&(objectClass=posixAccount)(uid=testuser)) request done: ld 0xb8b6c708 msgid 3 rlm_ldap: looking for check items in directory... rlm_ldap: Adding gidNumber as Group-ID, value 504 & op=21 rlm_ldap: looking for reply items in directory... rlm_ldap: user testuser authorized to use remote access rlm_ldap: ldap_release_conn: Release Id: 0 modcall[authorize]: module "ldap1" returns ok for request 0 modcall: leaving group redundant (returns ok) for request 0 modcall: leaving group authorize (returns ok) for request 0 rad_check_password: Found Auth-Type LDAP auth: type "LDAP" Processing the authenticate section of radiusd.conf modcall: entering group LDAP for request 0 modcall: entering group redundant for request 0 rlm_ldap: - authenticate rlm_ldap: login attempt by "testuser" with password "testpassword" rlm_ldap: user DN: uid=testuser,ou=People,dc=mydomain,dc=com rlm_ldap: (re)connect to ldapserver.mydomain.com:389, authentication 1 rlm_ldap: setting TLS CACert File to /usr/share/ssl/certs/mydomain-CA.crt rlm_ldap: setting TLS CACert Directory to /usr/share/ssl/certs/ rlm_ldap: starting TLS request done: ld 0xb8befaa8 msgid 1 rlm_ldap: bind as uid=testuser,ou=People,dc=mydomain,dc=com/testpassword to ldapserver.mydomain.com:389 rlm_ldap: waiting for bind result ... request done: ld 0xb8befaa8 msgid 2 rlm_ldap: Bind was successful rlm_ldap: user testuser authenticated succesfully modcall[authenticate]: module "ldap1" returns ok for request 0 modcall: leaving group redundant (returns ok) for request 0 modcall: leaving group LDAP (returns ok) for request 0 Login OK: [testuser] (from client localhost port 0) Sending Access-Accept of id 235 to 127.0.0.1 port 44291 Service-Type = Login-User Finished request 0 --