So I've been beating my head against a wall on this for a few days, so I figured I'd share what "worked" now that the swelling has gone down. Configuration is fairly straight forward. I have authorization via LDAP (AD), and Authentication via SecurID (via PAM..yeah, I know you aren't s'posed to use PAM 'cause of mem leaks, and the SecurID one certainly had 'em, but the latest module has been stable in Radius 1.1.7 for me for over 2 years on multiple platforms). I previously had a simple radius to securid bridge I'm just now adding in LDAP. Using FreeRadius 2.1.10 (I patched it for an exec callout which can be found in the devel group). Used the "default" site and enabled ldap: authorize { preprocess auth_log # This is important and (it's ommision) was # the cause of the lump on my skull files ldap } authenticate { pam } modules/ldap ldap { server = "mydc" port = 636 identity = "exec:my_callout" password = "exec:my_callout" basedn = "dc=some,dc=corp,dc=com" filter = "(CN=%{%{Stripped-User-Name}:-%{User-Name}})" ldap_connections_number = 5 timeout = 4 timelimit = 3 net_timeout = 1 tls_mode= yes tls { start_tls = no cacertfile = /path/to/cafile require_cert = "demand" } dictionary_mapping = ${confdir}/ldap.attrmap edir_account_policy_check = no groupmembership_filter = "(&(objectClass=group)(member=%{Ldap-UserDn}))" groupmembership_attribute = "memberOf" chase_referrals = no rebind = no set_auth_type = no } users file: DEFAULT Ldap-Group == "admins", Auth-Type = pam Reply-Message = "Hello (admin), %{User-Name}", ....(other attributes) Fall-Through = No DEFAULT Ldap-Group == "Operators", Auth-Type = pam Reply-Message = "Hello (operator), %{User-Name}", ....(other attributes) Fall-Through = No DEFAULT Auth-Type := Reject Reply-Message = "you are not authorized" So what happens is the user sends his request, the user ID is looked up in AD and then the groups are looked up for that user, in the order listed in the users file, until a match is found. If a match is found, it passes to the Auth-Type for authentication otherwise sends back a reject. Note, this is a basic POC config. As another note, I found a python module (pyrad, not py-radius) very helpful in debugging this. radtest is nice, but I don't like entering my pin in he clear on a shared unix box. Here's a script I used for that (merged the good of the py-radius example with the pyrad example): -------------cut -------------------------- #!/usr/bin/python import socket, sys import pyrad.packet from getpass import getpass from pyrad.client import Client from pyrad.dictionary import Dictionary secret = '' uname,passwd = None,None while not secret: secret = getpass('RADIUS Secret? ') while not uname: uname = raw_input("Username? ") while not passwd: passwd = getpass("Password? ") srv=Client(server="localhost", secret=secret, dict=Dictionary("/path/to/dictionary")) print "read dictionary" req=srv.CreateAuthPacket(code=pyrad.packet.AccessRequest, User_Name=uname) req["User-Password"]=req.PwCrypt(passwd) req["Service-Type"] = "Login-User" try: print "Sending authentication request" reply=srv.SendPacket(req) except pyrad.client.Timeout: print "RADIUS server does not reply" sys.exit(1) except socket.error, error: print "Network error: " + error[1] sys.exit(1) if reply.code==pyrad.packet.AccessAccept: print "Access accepted" else: print "Access denied" print "Attributes returned by server:" for i in reply.keys(): print "%s: %s" % (i, reply[i]) -----------cut --------------------------- R. Marc