Hi all, I am using FR 2.1.11 and I try to implement access_attr & access_attr_used_for_allow with rlm_ldap. modules/ldap.conf : .... access_attr = inetUserStatus access_attr_used_for_allow = yes compare_check_items = no do_xlat = yes set_auth_type = yes ... Inside our OpenLDAP, the attribute is inetUserStatus, whose value can be(active/inactive). According to rlm_ldap docs, this should be a boolean (yes/no/TRUE/FALSE). At the moment, access is granted if inetUserStatus is set to active as well as if inetUserStatus is set to inactive, I suppose because FR does not interpred those values as TRUE/yes or FALSE/no .. As I cannot act on ldap server side, (many other applications already uses this attribute value pair) Is there any way to have this working on freeradius side ? Is it necessary to ldap.attrmap this attribute to use this feature ? Could I (for example) update the attribute recovered from ldap during author and change inactive to FALSE or active to TRUE ? debug extract : Fri Sep 23 12:54:05 2011 : Info: [ldap] performing user authorization for user_sps Fri Sep 23 12:54:05 2011 : Info: [ldap] expand: %{Stripped-User-Name} -> Fri Sep 23 12:54:05 2011 : Info: [ldap] ... expanding second conditional Fri Sep 23 12:54:05 2011 : Info: [ldap] expand: %{User-Name} -> user_sps Fri Sep 23 12:54:05 2011 : Info: [ldap] expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) -> (uid=user_sps) Fri Sep 23 12:54:05 2011 : Info: [ldap] expand: dc=corp,dc=toto,dc=com -> dc=corp,dc=toto,dc=com Fri Sep 23 12:54:05 2011 : Debug: [ldap] ldap_get_conn: Checking Id: 0 Fri Sep 23 12:54:05 2011 : Debug: [ldap] ldap_get_conn: Got Id: 0 Fri Sep 23 12:54:05 2011 : Debug: [ldap] attempting LDAP reconnection Fri Sep 23 12:54:05 2011 : Debug: [ldap] (re)connect to 10.49.64.25:389, authentication 0 Fri Sep 23 12:54:05 2011 : Debug: [ldap] bind as cn=syncuser,dc=toto,dc=com/L?JHLjvk to 10.49.64.25:389 Fri Sep 23 12:54:05 2011 : Debug: [ldap] waiting for bind result ... Fri Sep 23 12:54:05 2011 : Debug: [ldap] Bind was successful Fri Sep 23 12:54:05 2011 : Debug: [ldap] performing search in dc=corp,dc=toto,dc=com, with filter (uid=user_sps) Fri Sep 23 12:54:05 2011 : Info: [ldap] checking if remote access for user_sps is allowed by inetUserStatus Fri Sep 23 12:54:05 2011 : Info: [ldap] looking for check items in directory... Fri Sep 23 12:54:05 2011 : Debug: [ldap] userPassword -> Password-With-Header == "{SSHA}SnrchnIFWrKzn+nOzZem4YjMjRqHiavi" Fri Sep 23 12:54:05 2011 : Debug: [ldap] ntPassword -> NT-Password == 0x7305108b06d9839d8530b917307803e9 Fri Sep 23 12:54:05 2011 : Info: [ldap] looking for reply items in directory... Fri Sep 23 12:54:05 2011 : Info: [ldap] Setting Auth-Type = LDAP Fri Sep 23 12:54:05 2011 : Info: [ldap] user user_sps authorized to use remote access Fri Sep 23 12:54:05 2011 : Debug: [ldap] ldap_release_conn: Release Id: 0 Fri Sep 23 12:54:05 2011 : Info: ++[ldap] returns ok Fri Sep 23 12:54:05 2011 : Info: [files] users: Matched entry user_sps at line 1 Fri Sep 23 12:54:05 2011 : Info: ++[files] returns ok Best regards, Fred MAISON