Question: when the authorization identity is not a DN, what should server implementations store (as directed by RFC2251) in creatorsname/modifiersname? It appears to me that the authzIDs-are-not-necessarily-DNs notion implies we also have authzIDs-must-be-representable-as-DNs notion. Kurt ---- Kurt D. Zeilenga <kurt@boolean.net> Net Boolean Incorporated <http://www.boolean.net/>