>Since I'm using GSSAPI here, it isn't going to be the rootdn. You can map this to the rootdn using a sasl-regexp, eg: sasl-regexp uid=syncuser,cn=STANFORD.EDU,cn=GSSAPI,cn=auth "CN=Directory Manager" That's more or less what we do... I can't common on the other situation or the accuracy of the admin guide as I haven't tried it / read it, respectively. -- Luke >