Could we make the non-BAILOUT behaviour (add RDN attributes not specified in the entry) a configure- or run-time option? Unfortunately we must deal with some clients, such as Active Directory, that do not always include the RDN attribute in the entry. -- Luke -- Luke Howard | PADL Software Pty Ltd | www.padl.com