Hello list. I've recently upgraded my freeradius servers from 1.1.7 to 2.0.0, and I've been hit badly by the change in the handling of LDAP-UserDn attribute, as detailed in http://www.nabble.com/Re%3A-LDAP-Groups-and-EAP-p14886209.html I think this ought to be documented in rlm_ldap documentation (as well as minor other changes, such as the new tls subsection). I also tried to clean up my configuration a little bit. I think a found a bug in the handling of set_auth_type directive. From what I understood, this directive governs the setting of the Auth-Type attribute to 'LDAP' during the authorisation phase. However, whatever its value, it's automatically disabled when launching radius at startup: Tue Apr 29 14:07:17 2008 : Debug: rlm_ldap: Over-riding set_auth_type, as we're not listed in the "authenticate" section. Here is my autenticate section, using two ldap modules in fail-over: authenticate { Auth-Type LDAP { redundant { ldap1 ldap2 handled } } } If I drop failover, everything work as expected. Should I report this as a bug ? So far, the only workaround I found is to force the Auth-Type attribute in the user file: DEFAULT ldap1-LDAP-Group == admins, Auth-Type := LDAP, Huntgroup-Name == AdminNet Service-Type = Login, Cisco-AVPair = "shell:priv-lvl=15" DEFAULT ldap2-LDAP-Group == admins, Auth-Type := LDAP, Huntgroup-Name == AdminNet Service-Type = Login, Cisco-AVPair = "shell:priv-lvl=15" But I can't make my mind if it is a good solution or not. According to the comment in default configuration file: "In general, you SHOULD NOT set the Auth-Type attribute". According to Alan answer in http://www.nabble.com/Re%3A-Force-Auth-Type-p15069162.html "The LDAP module setting Auth-Type to LDAP is a bit of a hack." Which one should I believe ? -- Guillaume Rousse Moyens Informatiques - INRIA Futurs Tel: 01 69 35 69 62