hello * i try to transfer a working configuration from an very old (1.x) freeradius version to a more recent radius version: FreeRADIUS Version 2.1.10, for host x86_64-pc-linux-gnu, built on Nov 14 2010 at 21:14:10 My problem: after authenticate against ldap and auth-type = ldap is set, no authorize step is done the next step happening is trying the next entry from the users file expected: authenticate with bind as user and password hash of the user against ldap here the snippet from debug log i assume relevant: hu Apr 7 12:45:28 2011 : Info: [auth_log] expand: %t -> Thu Apr 7 12:45:28 2011 Thu Apr 7 12:45:28 2011 : Info: ++[auth_log] returns ok Thu Apr 7 12:45:28 2011 : Info: ++[mschap] returns noop Thu Apr 7 12:45:28 2011 : Info: [suffix] No '@' in User-Name = "pilot00001", looking up realm NULL Thu Apr 7 12:45:28 2011 : Info: [suffix] No such realm "NULL" Thu Apr 7 12:45:28 2011 : Info: ++[suffix] returns noop Thu Apr 7 12:45:28 2011 : Info: [ldap] performing user authorization for pilot00001 Thu Apr 7 12:45:28 2011 : Info: [ldap] WARNING: Deprecated conditional expansion ":-". See "man unlang" for details Thu Apr 7 12:45:28 2011 : Info: [ldap] ... expanding second conditional Thu Apr 7 12:45:28 2011 : Info: [ldap] expand: %{User-Name} -> pilot00001 Thu Apr 7 12:45:28 2011 : Info: [ldap] expand: (uid=%{Stripped-User-Name:-%{User-Name}}) -> (uid=pilot00001) Thu Apr 7 12:45:28 2011 : Info: [ldap] expand: l=Berlin,dc=de,o=ABC-> l=Berlin,dc=de,o=ABC Thu Apr 7 12:45:28 2011 : Debug: [ldap] ldap_get_conn: Checking Id: 0 Thu Apr 7 12:45:28 2011 : Debug: [ldap] ldap_get_conn: Got Id: 0 Thu Apr 7 12:45:28 2011 : Debug: [ldap] attempting LDAP reconnection Thu Apr 7 12:45:28 2011 : Debug: [ldap] (re)connect to 10.128.1.1:389, authentication 0 Thu Apr 7 12:45:28 2011 : Debug: [ldap] bind as cn=Manager,o=ABC/xyz to 10.128.1.1:389 Thu Apr 7 12:45:28 2011 : Debug: [ldap] waiting for bind result ... Thu Apr 7 12:45:28 2011 : Debug: [ldap] Bind was successful Thu Apr 7 12:45:28 2011 : Debug: [ldap] performing search in l=Berlin,dc=de,o=ABC, with filter (uid=pilot00001) Thu Apr 7 12:45:28 2011 : Info: [ldap] No default NMAS login sequence Thu Apr 7 12:45:28 2011 : Info: [ldap] looking for check items in directory... Thu Apr 7 12:45:28 2011 : Debug: [ldap] userPassword -> Password-With-Header == "{MD5}hashvalueD1xtOw==" <- the sequence after the hashed pw astonishes me, the D1xt0w Thu Apr 7 12:45:28 2011 : Info: [ldap] looking for reply items in directory... Thu Apr 7 12:45:28 2011 : Info: [ldap] Setting Auth-Type = LDAP Thu Apr 7 12:45:28 2011 : Info: [ldap] user pilot00001 authorized to use remote access Thu Apr 7 12:45:28 2011 : Debug: [ldap] ldap_release_conn: Release Id: 0 Thu Apr 7 12:45:28 2011 : Info: ++[ldap] returns ok Thu Apr 7 12:45:28 2011 : Info: [eap] No EAP-Message, not doing EAP Thu Apr 7 12:45:28 2011 : Info: ++[eap] returns noop ... next line / match in users file is done next ...in the old config next step was authenticate So clearly i do a mistake and have overlooked a neccessary config option any hints where to look next ? The hint to transfer a deprecated expression from users file to unlang will be done when i succeed with auth TIA Micha