[v3] LDAP access_attribute

Arran Cudbard-Bell a.cudbardb at freeradius.org
Tue Nov 26 18:19:35 CET 2013


On 26 Nov 2013, at 10:55, Hachmer, Tobias <Tobias.Hachmer at stadt-frankfurt.de> wrote:

> Hello list members,
>  
> what are the considerations to change the behavior regarding “access_attribute” in ldap from the “access_attr” in v2?
> From an LDAP perspective it is easier to administer user objects in LDAP when you can see directly if a user has access or not.

Hmm the comment in mods-available/ldap is misleading. I'll fix it.

If you set access_positive 'yes' and the string value of the attribute is 'false', the user will still be locked out.

The idea behind the new logic is to support:
userAccountEnabled (access_positive = yes)
userAccountDisabled (access_positive = no)

But I sort of take your point (though I think it's a matter of personal preference).

The code will now check for:
userAccountDisabled (access_positive = no) with value 'false' (case insensitive)

In which case the user will be allowed to log in.

So in both cases an attribute with value 'false' negates whatever the normal result would have been.

-Arran

Arran Cudbard-Bell <a.cudbardb at freeradius.org>
FreeRADIUS Development Team
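
The decision logic described in the message above, modelled as a small C function with a truth table. This is an added example, not FreeRADIUS source and not part of the original post. It assumes the "normal result" is decided by whether the attribute is present on the user object; the function name and sample values are hypothetical.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Case-insensitive match against the literal "false". */
static bool is_false(const char *s)
{
    static const char lit[] = "false";
    size_t i;

    for (i = 0; lit[i] != '\0'; i++)
        if (tolower((unsigned char)s[i]) != lit[i])
            return false;
    return s[i] == '\0';
}

/*
 * Hypothetical model of the check. 'value' is the string value of the
 * configured access_attribute, or NULL when the user object lacks it
 * (assumption: absence is what flips the normal result).
 */
static bool access_allowed(bool access_positive, const char *value)
{
    bool present = (value != NULL);
    /* Normal result: presence allows (yes) or locks out (no). */
    bool allowed = access_positive ? present : !present;

    /* A value of 'false' negates whatever the normal result was. */
    if (present && is_false(value))
        allowed = !allowed;
    return allowed;
}

int main(void)
{
    /* Constructed sample values, not taken from a real directory. */
    static const char *values[] = { NULL, "true", "no", "false", "FALSE" };
    size_t i;
    int pos;

    printf("%-16s %-10s %s\n", "access_positive", "value", "result");
    for (pos = 1; pos >= 0; pos--)
        for (i = 0; i < sizeof(values) / sizeof(values[0]); i++)
            printf("%-16s %-10s %s\n", pos ? "yes" : "no",
                   values[i] ? values[i] : "(absent)",
                   access_allowed(pos != 0, values[i]) ? "allow" : "reject");
    return 0;
}
```

In this model only the literal 'false' negates the result: a value such as "no" counts as an ordinary present attribute, so it allows access with access_positive = yes and locks the user out with access_positive = no.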


