Using .. FreeRADIUS Version 2.0.4, for host i486-pc-linux-gnu, built on Sep 7 2008 at 23:35:34 ^^ .. that is what Debian 5.0.6 (Lenny) had in packages. I have LDAP enabled as an auth-type (for ipsec-tools using libradius, since it sends cleartext password and I have AD as backend). I also process mschapv2 (for l2tp/ipsec connections). This works correctly *only* if I enable LDAP debugging. {radiusd.conf} ldap_debug = 0xFFFF Whereby I get : (for ISPEC) rlm_ldap: user XXXX authorized to use remote access ldap_msgfree rlm_ldap: ldap_release_conn: Release Id: 0 ++[ldap] returns ok or (for L2TP/PPP) Exec-Program: returned: 0 rlm_mschap: adding MS-CHAPv2 MPPE keys ++[mschap] returns ok *HOWEVER* .. if I disable the debug directive, I get : rlm_ldap: ldap_search() failed: Operations error rlm_ldap: search failed rlm_ldap: ldap_release_conn: Release Id: 0 ++[ldap] returns fail Debugging what goes on in the background, the underlying complaint is "must bind to perform.." in case #2. The first case (from a pcap trace) does to the search as defined user (in radiusd.conf) and then bind as the "found" DN, so it's not as if debugging forces a valid return on all queries. Any ideas? Related question .. is there an easier way to pass plaintext (to Radius) credentials into AD (and determine group membership) like auth_ntlm does? .. I know how to call ntlm_auth with plaintext credentials and return a success but can't seem to get freeradius to use that as an auth-type. TIA, Michael Holstein Cleveland State University