Just because there is a log missing an @ in the user string I tried the modern way "radtest $USER@$DOMAIN.local ..." rad_recv: Access-Request packet from host 127.0.0.1 port 54456, id=72,
length=102
User-Name = "$USER@$DOMAIN.local"
User-Password = "$PASS"
NAS-IP-Address = 127.0.1.1
NAS-Port = 0
Message-Authenticator = 0x571ceeee8066a0c6a5982deb5a6161b3
# Executing section authorize from file
/etc/freeradius/sites-enabled/default
+group authorize {
++[preprocess] = ok
++[chap] = noop
++[mschap] = noop
++[digest] = noop
[suffix] Looking up realm "$DOMAIN.local" for User-Name = "$USER@
$DOMAIN.local"
[suffix] No such realm "$DOMAIN.local"
++[suffix] = noop
[eap] No EAP-Message, not doing EAP
++[eap] = noop
[ldap] Entering ldap_groupcmp()
[files] expand: dc=$DOMAIN,dc=local -> dc=$DOMAIN,dc=local
[files] expand: %{Stripped-User-Name} ->
[files] ... expanding second conditional
[files] expand: %{User-Name} -> $USER@$DOMAIN.local
[files] expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) ->
(uid=$USER@$DOMAIN.local)
[ldap] ldap_get_conn: Checking Id: 0
[ldap] ldap_get_conn: Got Id: 0
[ldap] attempting LDAP reconnection
[ldap] closing existing LDAP connection
[ldap] (re)connect to $DOMAINCONTROLLERIP:389, authentication 0
[ldap] bind as / to $DOMAINCONTROLLERIP:389
[ldap] waiting for bind result ...
[ldap] Bind was successful
[ldap] performing search in dc=$DOMAIN,dc=local, with filter (uid=$USER@
$DOMAIN.local)
WARNING: Please set 'chase_referrals=yes' and 'rebind=yes'
WARNING: See the ldap module configuration for details
[ldap] ldap_search() failed: Operations error
rlm_ldap::ldap_groupcmp: search failed
[ldap] ldap_release_conn: Release Id: 0
++[files] = noop
[ldap] performing user authorization for $USER@$DOMAIN.local
[ldap] expand: %{Stripped-User-Name} ->
[ldap] ... expanding second conditional
[ldap] expand: %{User-Name} -> $USER@$DOMAIN.local
[ldap] expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) -> (uid=$USER@
$DOMAIN.local)
[ldap] expand: dc=$DOMAIN,dc=local -> dc=$DOMAIN,dc=local
[ldap] ldap_get_conn: Checking Id: 0
[ldap] ldap_get_conn: Got Id: 0
[ldap] attempting LDAP reconnection
[ldap] closing existing LDAP connection
[ldap] (re)connect to $DOMAINCONTROLLERIP:389, authentication 0
[ldap] bind as / to $DOMAINCONTROLLERIP:389
[ldap] waiting for bind result ...
[ldap] Bind was successful
[ldap] performing search in dc=$DOMAIN,dc=local, with filter (uid=$USER@
$DOMAIN.local)
WARNING: Please set 'chase_referrals=yes' and 'rebind=yes'
WARNING: See the ldap module configuration for details
[ldap] ldap_search() failed: Operations error
[ldap] search failed
[ldap] ldap_release_conn: Release Id: 0
++[ldap] = fail
+} # group authorize = fail
Invalid user: [$USER@$DOMAIN.local] (from client localhost port 0)
Using Post-Auth-Type REJECT
# Executing group from file /etc/freeradius/sites-enabled/default
+group REJECT {
[attr_filter.access_reject] expand: %{User-Name} -> $USER@
$DOMAIN.local
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] = updated
+} # group REJECT = updated
Delaying reject of request 1 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 1
Sending Access-Reject of id 72 to 127.0.0.1 port 54456
Waking up in 4.9 seconds.
Cleaning up request 1 ID 72 with timestamp +5685
Ready to process requests.
the reject message is coming much faster. I'm unsure if this is because of configuration issues or a reject of the ldap query.