Fix logic error in rlm_ldap lockout
authorArran Cudbard-Bell <a.cudbardb@freeradius.org>
Tue, 6 Aug 2013 11:27:16 +0000 (12:27 +0100)
committerArran Cudbard-Bell <a.cudbardb@freeradius.org>
Tue, 6 Aug 2013 22:01:50 +0000 (23:01 +0100)
src/modules/rlm_ldap/ldap.c

index 14957b1..b578e4e 100644 (file)
@@ -955,9 +955,12 @@ rlm_rcode_t rlm_ldap_check_access(ldap_instance_t const *inst, REQUEST *request,
 
        vals = ldap_get_values(conn->handle, entry, inst->userobj_access_attr);
        if (vals) {
-               if (inst->access_positive && (strncmp(vals[0], "false", 5) == 0)) {
-                       RDEBUG("\"%s\" attribute exists but is set to 'false' - user locked out");
-                       rcode = RLM_MODULE_USERLOCK;
+               if (inst->access_positive) {
+                       if (strncmp(vals[0], "false", 5) == 0) {
+                               RDEBUG("\"%s\" attribute exists but is set to 'false' - user locked out");
+                               rcode = RLM_MODULE_USERLOCK;
+                       }
+                       /* RLM_MODULE_OK set above... */
                } else {
                        RDEBUG("\"%s\" attribute exists - user locked out", inst->userobj_access_attr);
                        rcode = RLM_MODULE_USERLOCK;
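Review bot: The RDEBUG call inside the new inner `if` still has a `%s` conversion with no matching argument, so formatting that message reads an indeterminate vararg, which is undefined behaviour. It should pass the attribute name as the else branch does: `RDEBUG("\"%s\" attribute exists but is set to 'false' - user locked out", inst->userobj_access_attr);`. Separately, `strncmp(vals[0], "false", 5)` is case-sensitive, so a directory value of `FALSE` would not trigger the lockout and the rcode would stay at the RLM_MODULE_OK that the new comment says is set above. If the attribute can hold upper-case boolean values, `strncasecmp(vals[0], "false", 5) == 0` keeps the prefix match while failing closed. rlm_ldap_check_access starts and ends outside this hunk, so the earlier rcode assignment and the release of `vals` cannot be checked from here.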