Hello, I'm running Freeradius 1.0.4 with OpenLDAP 2.2.29 on my Fedora Core 4 box and try to configure radiusd so that ldap_search is not performed on authentication (i.e. just use ldap_bind for authentication). But so far, I've got no success. Radiusd seems to perform search anyway. I've read the document doc/rlm_ldap and followed the instruction, but I couldn't get it working (I must be missing something). I configured radiusd as follows: In users: DEFAULT Ldap-UserDn := `uid=%{User-Name},ou=people,dc=atusi,dc=org`, Auth-Type = LDAP In radiusd.conf: modules { ldap { server = "localhost" ldap_debug = 0xFFFF # identity = "cn=admin,o=My Org,c=UA" # password = mypass basedn = "ou=people,dc=atusi,dc=org" # filter = "(uid=%{Stripped-User-Name:-%{User-Name}})" # base_filter = "(objectclass=radiusprofile)" start_tls = no access_attr = "dialupAccess" ldap_connections_number = 5 timeout = 4 timelimit = 3 net_timeout = 1 } ... } authorize { preprocess chap mschap suffix eap files } authenticate { Auth-Type PAP { pap } Auth-Type CHAP { chap } Auth-Type MS-CHAP { mschap } Auth-Type LDAP { ldap } eap } # All other parts are left as default. When I test my setup with: (echo 'User-Name=mytestuser'; echo 'User-Password = mypassword') | radclient -c 1 127.0.0.1 auth testing123 radiusd (run with -X option) says: rad_recv: Access-Request packet from host 127.0.0.1:32791, id=183, length=43 User-Name = "mytestuser" User-Password = "mypassword" Processing the authorize section of radiusd.conf modcall: entering group authorize for request 0 modcall[authorize]: module "preprocess" returns ok for request 0 modcall[authorize]: module "chap" returns noop for request 0 modcall[authorize]: module "mschap" returns noop for request 0 rlm_realm: No '@' in User-Name = "mytestuser", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 0 rlm_eap: No EAP-Message, not doing EAP modcall[authorize]: module "eap" returns noop for request 0 users: Matched entry DEFAULT at line 214 modcall[authorize]: module "files" returns ok for request 0 modcall: group authorize returns ok for request 0 rad_check_password: Found Auth-Type LDAP auth: type "LDAP" Processing the authenticate section of radiusd.conf modcall: entering group Auth-Type for request 0 rlm_ldap: - authenticate rlm_ldap: login attempt by "mytestuser" with password "mypassword" radius_xlat: '(uid=mytestuser)' radius_xlat: 'ou=people,dc=atusi,dc=org' rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: attempting LDAP reconnection rlm_ldap: (re)connect to localhost:389, authentication 0 rlm_ldap: bind as / to localhost:389 ldap_bind ldap_simple_bind ldap_sasl_bind ldap_send_initial_request ldap_new_connection ldap_int_open_connection ldap_connect_to_host: TCP localhost:389 ldap_new_socket: 6 ldap_prepare_socket: 6 ldap_connect_to_host: Trying 127.0.0.1:389 ldap_connect_timeout: fd: 6 tm: 1 async: 0 ldap_ndelay_on: 6 ldap_is_sock_ready: 6 ldap_ndelay_off: 6 ldap_open_defconn: successful ldap_send_server_request rlm_ldap: waiting for bind result ... ldap_result msgid 1 ldap_chkResponseList for msgid=1, all=1 ldap_chkResponseList returns NULL wait4msg (timeout 4 sec, 0 usec), msgid 1 wait4msg continue, msgid 1, all 1 ** Connections: * host: localhost port: 389 (default) refcnt: 2 status: Connected last used: Tue Mar 21 13:31:12 2006 ** Outstanding Requests: * msgid 1, origid 1, status InProgress outstanding referrals 0, parent count 0 ** Response Queue: Empty ldap_chkResponseList for msgid=1, all=1 ldap_chkResponseList returns NULL ldap_int_select read1msg: msgid 1, all 1 ldap_read: message type bind msgid 1, original id 1 new result: res_errno: 0, res_error: <>, res_matched: <> read1msg: 0 new referrals read1msg: mark request completed, id = 1 request 1 done res_errno: 0, res_error: <>, res_matched: <> ldap_free_request (origid 1, msgid 1) ldap_free_connection ldap_free_connection: refcnt 1 ldap_parse_result ldap_msgfree rlm_ldap: Bind was successful rlm_ldap: performing search in ou=people,dc=atusi,dc=org, with filter (uid=mytestuser) ldap_search put_filter: "(uid=mytestuser)" put_filter: simple put_simple_filter: "uid=mytestuser" ldap_send_initial_request ldap_send_server_request ldap_result msgid 2 ldap_chkResponseList for msgid=2, all=1 ldap_chkResponseList returns NULL wait4msg (timeout 4 sec, 0 usec), msgid 2 wait4msg continue, msgid 2, all 1 ** Connections: * host: localhost port: 389 (default) refcnt: 2 status: Connected last used: Tue Mar 21 13:31:12 2006 ** Outstanding Requests: * msgid 2, origid 2, status InProgress outstanding referrals 0, parent count 0 ** Response Queue: Empty ldap_chkResponseList for msgid=2, all=1 ldap_chkResponseList returns NULL ldap_int_select read1msg: msgid 2, all 1 ldap_read: message type search-result msgid 2, original id 2 new result: res_errno: 0, res_error: <>, res_matched: <> read1msg: 0 new referrals read1msg: mark request completed, id = 2 request 2 done res_errno: 0, res_error: <>, res_matched: <> ldap_free_request (origid 2, msgid 2) ldap_free_connection ldap_free_connection: refcnt 1 ldap_parse_result rlm_ldap: object not found or got ambiguous search result ldap_msgfree rlm_ldap: ldap_release_conn: Release Id: 0 modcall[authenticate]: module "ldap" returns notfound for request 0 modcall: group Auth-Type returns notfound for request 0 auth: Failed to validate the user. According to the log lines: rlm_ldap: (re)connect to localhost:389, authentication 0 rlm_ldap: bind as / to localhost:389 I guessed (by reading rlm_ldap.c) Ldap-UserDn valuepair is not passed to ldap_authenticate() for some reason. I tried to write `Ldap-UserDn := ...' as reply item of the DEFAULT entry in users file but in that case radiusd says: WARNING! Check item "Ldap-UserDn" ?found in reply item list for user "DEFAULT". ?This attribute MUST go on the first line with the other check items and still got the same result. I also tried in radiusd.conf: modules { ldap { identity = "%{Ldap-UserDN}" password = `%{User-Password}` ... } } but these attributes are not xlated and passed to LDAP as they are. Any clues would be greately appreciated.