Alan is right, output from radtest is useless. We need the output of from radiusd -X
(0) ldap (ok) (0) pap - WARNING: No "known good" password found for the user. Not setting Auth-Type (0) pap - WARNING: Authentication will fail unless a "known good" password is available (0) pap (noop) When I am seeing the following from the bind user
rlm_ldap (ldap) - Bind successful (1) ldap - Reserved connection (6) (1) ldap - EXPAND (uid=%{%{Stripped-User-Name}:-%{User-Name}}) (1) ldap - --> (uid=demouser) (1) ldap - Performing search in "ou=Users,dc=myhost,dc=com" with filter "(uid=bind-user)", scope "sub" (1) ldap - Waiting for search result... (1) ldap - User object found at DN "uid=bind-user,ou=Users,dc=myhost,dc=com" (1) ldap - Processing user attributes (1) ldap - &control:Password-With-Header += {CRYPT}$6$cbea6d7932dfa76b$YgORZH6XtDXmFEDrcBnX3Ao6JDxACy.BRMTNZ8DkF0idg3cM2D3gPEHRfA05f8dQx14o/4Fi575xXJ.2yDkDA/ (1) ldap - Released connection (6)
...
rlm_ldap (ldap) - Bind successful (1) ldap (updated) (1) pap - Converted: Password-With-Header -> Crypt-Password (1) pap - Removing &control:Password-With-Header (1) pap (updated)
So... it worked? You need to provide the rest of the debug output up to the point where it sends an Access-Challenge. -Arran