Hello, I found a problem in the function which checks for presence of access attribute (src/modules/rlm_ldap/ldap.c, rlm_ldap_check_access). The culprit is the following code: vals = ldap_get_values(conn->handle, entry, inst->userobj_access_attr); if (vals) { if (inst->access_positive && (strncmp(vals[0], "false", 5) == 0)) { RDEBUG("\"%s\" attribute exists but is set to 'false' - user locked out"); rcode = RLM_MODULE_USERLOCK; } else { RDEBUG("\"%s\" attribute exists - user locked out", inst->userobj_access_attr); rcode = RLM_MODULE_USERLOCK; } ldap_value_free(vals); } when access_positive is true and a user has the access attribute set to true the server gives "attribute exists - user locked out" It should be changed to something like this: if (vals) { if (inst->access_positive) { if (strncmp(vals[0], "false", 5) == 0) { RDEBUG("\"%s\" attribute exists but is set to 'false' - user locked out"); rcode = RLM_MODULE_USERLOCK; } } else { RDEBUG("\"%s\" attribute exists - user locked out", inst->userobj_access_attr); rcode = RLM_MODULE_USERLOCK; } ldap_value_free(vals); } Greetings, Maja -- Maja Gorecka-Wolniewicz mgw@umk.pl Uczelniane Centrum Information & Communication Informatyczne Technology Centre Uniwersytet Mikolaja Kopernika Nicolaus Copernicus University Coll. Maximum, pl. Rapackiego 1, 87-100 Torun, Poland tel.: +48 56-611-27-40 fax: +48 56-622-18-50 tel. kom.: +48-693032574