[i'm not subscribed to this list, so, please, put me on CC] I've just setup a 'test installation' of freeradius in a debian etch box (using freeradius with 1.1.3 recompiled by me to support EAP-TLS). In my environments there's ever a LDAP server that serve, among other thinks, also a samba3 server using standard stuff (smbldap-tools, ...). Clearly my users are mostly (ahem, totally ;( ) windows XPsp2. Firstly i've setup all the stuff using winbind/ntlm_auth to do the MS-CHAP auth, but because i know that in LDAP the NT-Password hare simply stored, and looking at the (deprecated) /etc/smbpasswd module with the aid of some google, i've finally reached a good (for me) working point: ldap module extract NT-Password and give it to mschap module for authentication, with the bonus of group filtering, all in LDAP (i've disabled 'unix')... The strange, the only strangeness i've found, are that i was forced to insert an explicitly 'deny' rule in users file, eg my users are: DEFAULT Service-Type == Framed-User, Ldap-Group == "ced" DEFAULT Service-Type == Framed-User, Ldap-Group == "diramm" DEFAULT Service-Type == Framed-User, Ldap-Group == "ricerca" DEFAULT Service-Type == Framed-User, Ldap-Group == "*", Auth-Type := Reject Reply-Message = "Gruppo non autorizzato" if i remove the last entry, user got authenticated. But users file was 'no match, no party'? What i'm missing? Thanks. -- dott. Marco Gaiarin GNUPG Key ID: 240A3D66 Associazione ``La Nostra Famiglia'' http://www.sv.lnf.it/ Polo FVG - Via della Bontà , 7 - 33078 - San Vito al Tagliamento (PN) marco.gaiarin(at)sv.lnf.it tel +39-0434-842711 fax +39-0434-842797