Hello at all i have a small problem an dhope anyone can help me. First my configuration and the debug output: --- sites-available/radius-staging --- (is also linked in sites-enabled) authorize { if ("%{User-Name}" =~ /^(.*)#(.*)@domain.de$/) { update request { Group-Name := "%{1}" Stripped-User-Name := "%{2}" } } else { reject } #"%{exec:/usr/bin/printenv}" ldap-kap-costumertype if ("%{ldap-kap-costumertype:ldap:///dc=domain,dc=de?businessCategory?one?ou=%{Group-Name}}" == unmanaged) { update control { Proxy-to-Realm := unmanagedCostumers } # updated } else { ldap-kap-staging # updated } } authenticate { Auth-Type PAP { pap } Auth-Type LDAP { ldap-kap-staging } } --- modules/ldap-kap-staging --- ldap ldap-kap-staging { server := "test" identity := "cn=radiusbinduser,ou=admins,dc=domain,dc=de" password := "XXXXXXX" basedn := "ou=%{Group-Name},dc=domain,dc=de" filter := "(&(uid=%{Stripped-User-Name})(userEnabled=true))" dictionary_mapping = ${confdir}/ldap.attrmap set_auth_type = yes } --- modules/ldap-kap-costumertype --- ldap ldap-kap-costumertype { server := "test" identity := "cn=radiusbinduser,ou=admins,dc=domain,dc=de" password := "XXXXX" basedn := "dc=domain,dc=de" filter := "ou=%{Group-Name}" dictionary_mapping = ${confdir}/ldap.attrmap set_auth_type = no } --- debug output from freeradius --- Ready to process requests. rad_recv: Access-Request packet from host 10.10.20.100 port 55835, id=1, length=131 User-Name = "rplus.dt#test@domain.de" Acct-Session-Id = "1489473128K1snz" NAS-IP-Address = 127.0.0.1 NAS-Identifier = "Localhost" NAS-Port = 0 Calling-Station-Id = "1115551212" User-Password = "testpass" Message-Authenticator = 0xb33a7beab35041d5b1c179deef4d6376 server radius-staging { # Executing section authorize from file /etc/freeradius/sites-enabled/radius-staging +group authorize { ++? if ("%{User-Name}" =~ /^(.*)#(.*)@domain.de$/) expand: %{User-Name} -> rplus.dt#test@domain.de ? Evaluating ("%{User-Name}" =~ /^(.*)#(.*)@domain.de$/) -> TRUE ++? if ("%{User-Name}" =~ /^(.*)#(.*)@domain.de$/) -> TRUE ++if ("%{User-Name}" =~ /^(.*)#(.*)@domain.de$/) { +++update request { expand: %{1} -> domain.dt expand: %{2} -> test +++} # update request = noop ++} # if ("%{User-Name}" =~ /^(.*)#(.*)@domain.de$/) = noop ++ ... skipping else for request 0: Preceding "if" was taken [ldap-kap-costumertype] performing user authorization for test [ldap-kap-costumertype] expand: ou=%{Group-Name} -> ou=rplus.dt [ldap-kap-costumertype] expand: dc=domain,dc=de -> dc=domain,dc=de [ldap-kap-costumertype] ldap_get_conn: Checking Id: 0 [ldap-kap-costumertype] ldap_get_conn: Got Id: 0 [ldap-kap-costumertype] attempting LDAP reconnection [ldap-kap-costumertype] (re)connect to test:636, authentication 0 [ldap-kap-costumertype] setting TLS mode to 1 [ldap-kap-costumertype] bind as cn=radiusbinduser,ou=admins,dc=domain,dc=de/XXXXX to test:636 [ldap-kap-costumertype] waiting for bind result ... [ldap-kap-costumertype] Bind was successful [ldap-kap-costumertype] performing search in dc=domain,dc=de, with filter ou=rplus.dt [ldap-kap-costumertype] No default NMAS login sequence [ldap-kap-costumertype] looking for check items in directory... [ldap-kap-costumertype] looking for reply items in directory... WARNING: No "known good" password was found in LDAP. Are you sure that the user is configured correctly? [ldap-kap-costumertype] ldap_release_conn: Release Id: 0 ++[ldap-kap-costumertype] = ok ++? if ("%{ldap-kap-costumertype:ldap:///dc=domain,dc=de?businessCategory?one?ou=%{Group-Name}}" == unmanaged) [ldap-kap-costumertype] - ldap_xlat expand: ldap:///dc=domain,dc=de?businessCategory?one?ou=%{Group-Name} -> ldap:///dc=domain,dc=de?businessCategory?one?ou=rplus.dt [ldap-kap-costumertype] ldap_get_conn: Checking Id: 0 [ldap-kap-costumertype] ldap_get_conn: Got Id: 0 [ldap-kap-costumertype] performing search in dc=domain,dc=de, with filter ou=rplus.dt [ldap-kap-costumertype] Adding attribute businessCategory, value: managed [ldap-kap-costumertype] ldap_release_conn: Release Id: 0 [ldap-kap-costumertype] - ldap_xlat end expand: %{ldap-kap-costumertype:ldap:///dc=domain,dc=de?businessCategory?one?ou=%{Group-Name}} -> managed ? Evaluating ("%{ldap-kap-costumertype:ldap:///dc=domain,dc=de?businessCategory?one?ou=%{Group-Name}}" == unmanaged) -> FALSE ++? if ("%{ldap-kap-costumertype:ldap:///dc=domain,dc=de?businessCategory?one?ou=%{Group-Name}}" == unmanaged) -> FALSE ++else else { [ldap-kap-staging] performing user authorization for test [ldap-kap-staging] expand: (&(uid=%{Stripped-User-Name})(userEnabled=true)) -> (&(uid=test)(userEnabled=true)) <--------------------------------------- [ldap-kap-staging] expand: ou=%{Group-Name},dc=domain,dc=de -> ou=rplus.dt,dc=domain,dc=de <--------------------------------------- [ldap-kap-staging] ldap_get_conn: Checking Id: 0 [ldap-kap-staging] ldap_get_conn: Got Id: 0 [ldap-kap-staging] attempting LDAP reconnection [ldap-kap-staging] (re)connect to test:636, authentication 0 [ldap-kap-staging] setting TLS mode to 1 [ldap-kap-staging] bind as cn=radiusbinduser,ou=admins,dc=domain,dc=de/XXXXX to test:636 [ldap-kap-staging] waiting for bind result ... [ldap-kap-staging] Bind was successful [ldap-kap-staging] performing search in ou=rplus.dt,dc=domain,dc=de, with filter (&(uid=test)(userEnabled=true)) [ldap-kap-staging] No default NMAS login sequence [ldap-kap-staging] looking for check items in directory... [ldap-kap-staging] userPassword -> Password-With-Header == "{SSHA}ac2cE0LcZb04Hr9mGf5RIvfeoDlDkT5BaEB4tw==" [ldap-kap-staging] looking for reply items in directory... [ldap-kap-staging] Setting Auth-Type = LDAP [ldap-kap-staging] ldap_release_conn: Release Id: 0 +++[ldap-kap-staging] = ok ++} # else else = ok +} # group authorize = ok Found Auth-Type = LDAP # Executing group from file /etc/freeradius/sites-enabled/radius-staging +group LDAP { [ldap-kap-staging] login attempt by "test" with password "testpass" [ldap-kap-staging] user DN: ou=rplus.dt,dc=domain,dc=de <--------------------------------------- [ldap-kap-staging] (re)connect to test:636, authentication 1 [ldap-kap-staging] setting TLS mode to 1 [ldap-kap-staging] bind as ou=rplus.dt,dc=telekom,dc=de/testpass to test:636 <--------------------------------------- [ldap-kap-staging] waiting for bind result ... [ldap-kap-staging] Bind failed with invalid credentials ++[ldap-kap-staging] = reject +} # group LDAP = reject Failed to authenticate the user. } # server radius-staging Using Post-Auth-Type Reject # Executing group from file /etc/freeradius/sites-enabled/radius-staging +group REJECT { [attr_filter.access_reject] expand: %{User-Name} -> rplus.dt#test@domain.de attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] = updated +} # group REJECT = updated Delaying reject of request 0 for 1 seconds Can anyone explain me why freeradius use two different userdn's for the same ldap configuration [ldap-kap-staging]? That he is authorizing the user is good, but why is freeradius using the wrong dn at the authenticate stage for the same ldapconfig? Thank you very much Jörn Volkhausen