I never saw a reply to my below e-mail. Would anybody have any thoughts or ideas on why our ldap group lookups fail after some period of time...? If it would help to send debug output, I can... Just for my information, are many folks out there using ldap/AD group lookups on large FR installs? Thanks in advance, Walter -------- Original Message -------- Subject: ldap group lookup help Date: Thu, 02 Sep 2010 09:49:02 -0500 From: Walter Gould <gouldwp@auburn.edu> To: FreeRadius users mailing list <freeradius-users@lists.freeradius.org> Group, We are having problems with ldap group lookups... Here's our environment. Using Freeradius 2.1.8 to authenticate wireless users against our AD servers and perform ldap group membership lookups. Using WPA2-AES-PEAP-MSCHAPv2. When radiusd is started, initially the lookups work fine and we see successful auth's in our radius logs. But, after some period of time, we eventually begin to see bunches of "Invalid user:" radius logs. The only thing that seems to fix this is to remove the ldap group lookups from the freeradius config. In our ldap module, the basedn we specify is dc=auburn,dc=edu (as we have multiple user ou's). Not sure if that might be causing an issue or not..? One thing I have noticed is there are 3 ldap group lookups that each say "rlm_ldap::ldap_groupcmp: User found in group xxxx". I have read posts about configuring the ldap module to us the inner-tunnel - which I have done. Is there anyway to reduce the number of group lookups to only one? Not sure if the extra lookups are causing unneeded traffic which may be causing issues? Also, I see 10 Access-Request packets and about the same number of Access-Challenge packets.. Is this normal? Just wondering if excessive unneeded traffic is what is overloading the AD/ldap servers? Any help or suggestions will be appreciated. Thanks, Walter Gould Auburn University