I'm trying to understand the relationship between the modules in the authorize {} and authenticate {} sections and how it relates to the directives defined in users. EAP-TLS works fine, but I can't seem to figure how to get make the ldap authorization reject a user. DEFAULT Auth-Type := eap, Autz-Type := ldap authorize{ preprocess ldap eap } authenticate { eap } ldap { server = "our-server.itc.virginia.edu" identity = "uid=uva-all,ou=ITC-User,ou=It,o=University of Virginia,c=US" password = "our-password" basedn = "o=University of Virginia,c=US" filter = "(wirelessAccess=%{Stripped-User-Name:-%{User-Name}})" base_filter = "(objectclass=Person)" start_tls = no access_attr = "wirelessAccess" ldap_connections_number = 5 timeout = 4 timelimit = 3 net_timeout = 1 access_attr_used_for_allow = yes } In the ldap server logs show multiple queries, which are not returning anything. This can be confirmed with: ldapsearch -b "o=University of Virginia,c=US" wirelessAccess=kmm6b wirelessAccess which returns nothing. If nothing is returned shouldn't the authorization fail? I'm missing something, hopefully not too obvious... ------------------------------------------------------------------------ Keith Moores <mailto:kmm6b@virginia.edu> Network Systems ITC-Communications and Systems Division University of Virginia, ITC-2015 Ivy Rd Phone (434) 924-0621 Box 400324, Charlottesville, VA 22904-4324 Fax (434) 982-4715