Hi,
From radius.log, the symptom of the failure goes as follow
1. rlm_ldap receives "constraint violation" reply from ldap. 2. other authentication requests immediately followed the constraint violation reply failed with "incorrect login" sample radius log - Jan 12 13:44:05 : rlm_ldap: lblempnum=012345, ou=people, o=LBL, c=US bind to ldap:636 failed Constraint violation Jan 12 13:44:05 : Login incorrect: [012345] (from client XXX port 24772 cli 0017.abcd.3fe0 via TLS tunnel) Jan 12 13:44:12 : Login incorrect: [test-account] (from client XXX port 0) - At my site, I run radiusd with the -s flag. Freeradius operation with the backend ldap server is monitored by nagios running check_radius. I also have cacti checking the round trip transaction time between radiusd and ldap in five minutes interval. For trouble shooting purposes, I obtained a copy of the ldap log around the same time frame. The ldap log showed that the user account 012345 has exceeded the failed login attempts and the account was locked out, thus the "constraint violation". However, there was no ldap log entry indicating any bind operation request from the radiusd for the [test-account]. Nagios run the radius monitoring in 1 minute interval, and it usually recover the next minute or so. Cacti showed average radiusd-ldap rtt was under 500ms. Can anybody shed some light on this failure scenario? Thanks Cedric