Index: lams_central/src/java/org/lamsfoundation/lams/security/UniversalLoginModule.java
===================================================================
diff -u -rb51b1b0f2dc3ea9d865d0e85b731f7af39848735 -r2cdc9593bafb191bcc07439fe37d41d3cd718651
--- lams_central/src/java/org/lamsfoundation/lams/security/UniversalLoginModule.java (.../UniversalLoginModule.java) (revision b51b1b0f2dc3ea9d865d0e85b731f7af39848735)
+++ lams_central/src/java/org/lamsfoundation/lams/security/UniversalLoginModule.java (.../UniversalLoginModule.java) (revision 2cdc9593bafb191bcc07439fe37d41d3cd718651)
@@ -129,12 +129,6 @@
 return false;
 }
 }
-
- // disabled users can't login
- if (user.getDisabledFlag()) {
- log.debug("===> user is disabled.");
- return false;
- }
 // allow sysadmin to login as another user; in this case, the LAMS shared session
 // will be present, allowing the following check to work
@@ -167,6 +161,15 @@
 return false;
 }
 }
+
+ // disabled users can't login;
+ // check after authentication to give non-db authentication methods
+ // a chance to update disabled flag
+ if (user.getDisabledFlag()) {
+ log.debug("===> user is disabled.");
+ return false;
+ }
+
 //if login is valid, register userDTO into session.
 if(isValid){
 HttpSession sharedsession = SessionManager.getSession();
Index: lams_common/src/java/org/lamsfoundation/lams/usermanagement/service/LdapService.java
===================================================================
diff -u -r109725d30c92dd25ac9cec693a233d6592cfe0e6 -r2cdc9593bafb191bcc07439fe37d41d3cd718651
--- lams_common/src/java/org/lamsfoundation/lams/usermanagement/service/LdapService.java (.../LdapService.java) (revision 109725d30c92dd25ac9cec693a233d6592cfe0e6)
+++ lams_common/src/java/org/lamsfoundation/lams/usermanagement/service/LdapService.java (.../LdapService.java) (revision 2cdc9593bafb191bcc07439fe37d41d3cd718651)
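Review bot: The relocated `user.getDisabledFlag()` check in the second UniversalLoginModule hunk depends on `user` reflecting whatever the authentication step wrote, and the hunk does not show where `user` is loaded. If it is fetched before authentication and the LDAP path updates the flag on a different instance or only in the database, this check would still see the old value, so it is worth confirming that the object is re-read or shared. The refusal is also logged only at debug level; a rejected login for a disabled account is an audit-relevant event and would be better recorded at a level that is kept in production, for example `log.info("Login refused: account is disabled.");`. The enclosing method starts and ends outside the hunk.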
@@ -191,26 +191,34 @@
 }
 }
- private boolean getAsBoolean(Attribute attr) {
+ private Boolean getAsBoolean(Attribute attr) {
 String attrString = getSingleAttributeString(attr);
 if (attrString!=null) {
 if (attrString.equals("1") || attrString.equals("true")) {
 return true;
+ } else if (attrString.equals("0") || attrString.equals("false")) {
+ return false;
 }
 }
- return false;
+ return null;
 }
 public boolean getDisabledBoolean(Attributes attrs) {
 String ldapDisabledAttrStr = Configuration.get(ConfigurationKeys.LDAP_DISABLED_ATTR);
- boolean toggleBoolean = false;
 if (ldapDisabledAttrStr.startsWith("!")) {
 ldapDisabledAttrStr = ldapDisabledAttrStr.substring(1);
- toggleBoolean = true;
+ Attribute ldapDisabledAttr = attrs.get(ldapDisabledAttrStr);
+ Boolean booleanValue = getAsBoolean(ldapDisabledAttr);
+ if (booleanValue != null) {
+ return !booleanValue;
+ } else {
+ // if there is no value, assume not disabled
+ return false;
+ }
+ } else {
+ return getAsBoolean(attrs.get(ldapDisabledAttrStr));
 }
- Attribute ldapDisabledAttr = attrs.get(ldapDisabledAttrStr);
- boolean booleanValue = getAsBoolean(ldapDisabledAttr);
- return (toggleBoolean ? !booleanValue : booleanValue);
+
 }
 public boolean addLDAPUser(Attributes attrs, Integer userId) {
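Review bot: The non-negated branch of `getDisabledBoolean` returns `getAsBoolean(...)` directly, but that method can now return `null`, so a missing or unrecognised attribute value throws a NullPointerException on unboxing to `boolean`. Only the `!` branch handles the null case; the other branch should state its default explicitly, for example `return Boolean.TRUE.equals(getAsBoolean(attrs.get(ldapDisabledAttrStr)));`. The comparisons in `getAsBoolean` are also case-sensitive, while the LDAP Boolean syntax (RFC 4517) uses `TRUE` and `FALSE`. A directory returning those values yields `null`, which the `!` branch treats as "not disabled", so `equalsIgnoreCase` would be safer there. Since "no value" is treated as enabled, a short comment stating that this default is intentional, plus a log line when the value is unrecognised, would make the fail-open behaviour visible to operators.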