Hello everybody. First at all a few words about me, I’m from Italy and I work at my city, Urbino, University. Our AAA is freeradius based. Student credential’s authoritative source is an Oracle database located outside of the local net, because the application is outsourced. Credentials went synced hourly to our internal LDAP. We experienced sporadic black out with that database and in effort to mitigate the issue we’re planning to switch the first source to LDAP. Something like this. Users …. DEFAULT Realm == "stud",Autz-Type := stud, Auth-Type := PAP Sites-available/default … Autz-Type stud { group { ldap_stud { ok= return fail= 1 notfound = 2 default = return } sql_stud } } Now, scenarios. a)The user is found in ldap, ldap_stud module returns ok, the password is checked via pap and matches, access-accept. The sql module is skipped, as intended. b)The user is NOT found in ldap, the module returns notfound, proceed to sql_stud module (the same if ldap crashes, via fail) c)The user IS FOUND in ldap but the user made a password change and ldap is not synced. The ldap_stud module returns ok, but now the pap will reject the authentication. Btw the sql_stud module is skipped, of course, because the previous returned ok. I tried my best to solve the issue but that’s apparently far beyond my skill J May add that the reverse approach, sql first then ldap, will work in abstract Autz-Type stud { group { sql_stud { ok= return fail= 1 notfound = 2 default = return } ldap_stud } } But when the sql is unattainable the radius will time-out a lot. So in the end thanks a lot for any hint. Greetings. Paolo Cecchini