Hello, I’m using Freeradius 3.2.1 and with a standard config connected to an LDAPS server, some requests (bind as admin, search/bind as user/…) are currently finishing with those kind of errors : Tue Mar 14 03:08:56 2023 : Auth: (43138) Login incorrect (ldap: Failed performing search: Unknown error): [user@domain] (from client XXX port 0 via TLS tunnel) Tue Mar 14 03:30:24 2023 : Auth: (43714) Login incorrect (ldap: Bind with uid=serviceaccount,dc=subdomain,dc=com to ldaps://server:636 <mimestream://server:636> failed: Unknown error): [user@domain] (from client XXX port 0 via TLS tunnel) I can see something like 3 to 5% of requests being made and finishing as “Unknown error”. 1/ Can you confirm that the “Unknown error” is from the LDAP response and not Freeradius ? Can we have more information about status code of the response ? I’m seeing here two occurences of “Unknown error” in the ldap module (ldap.c) but I can’t get more information, and it is hard for me to activate debug that show Radius attribute in stdout (as some of them are sensitive). 2/ Can I activate more debug on thoses errors to get the bottom of it ? Do you have any insight to help me get more information ? Here is my LDAP config : ldap { server = 'ldaps://serverldap.com' port = 636 identity = 'uid=serviceaccount,dc=subdomain,dc=com' password = ‘password' base_dn = 'dc=subdomain,dc=com' update { control: += 'radiusControlAttribute' request: += 'radiusRequestAttribute' reply: += 'radiusReplyAttribute' } user_dn = "LDAP-UserDn" user { base_dn = "ou=users,${..base_dn}" filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})" } group { base_dn = "ou=groups,${..base_dn}" filter = '(objectClass=posixGroup)' name_attribute = cn membership_attribute = 'memberOf' cacheable_name = 'no' cacheable_db = 'no' } profile { } accounting { reference = "%{tolower:type.%{Acct-Status-Type}}" type { start { update { description := "Online at %S" } } interim-update { update { description := "Last seen at %S" } } stop { update { description := "Offline at %S" } } } } post-auth { update { description := "Authenticated at %S" } } options { chase_referrals = no rebind = yes res_timeout = 20 srv_timelimit = 3 net_timeout = 10 idle = 60 probes = 3 interval = 3 ldap_debug = 0x0000 } tls { require_cert = 'allow' tls_min_version = "1.2" } pool { start = ${thread[pool].start_servers} min = ${thread[pool].min_spare_servers} max = ${thread[pool].max_servers} spare = ${thread[pool].max_spare_servers} uses = 0 retry_delay = 30 lifetime = 0 idle_timeout = 60 } } Thanks, Cyril