The replog should be an accurate reflection of the LDAP operation. That is, if it said

> replace: sn
> sn:: bWFqb3iq
> sn:: IG1ham9y

then that was likely what the client requested. Please double check that the replog (at the master) actually used "::", not ":". Did the client specify any controls?

Kurt