2) as a workaround, you could hide your replica behind a back-ldap, because it can handle this on behalf of your client, if you're using simple bind: create a proxy server with a back-ldap instance and add the "rebind-as-user" directive; see slapd-ldap(5) for further details. Then your client must access the proxy instead of the real replica.
--Quanah
--
Quanah Gibson-Mount
Principal Software Developer
ITSS/TSS/Computing Systems
ITSS/TSS/Infrastructure Operations
Stanford University
GnuPG Public Key: http://www.stanford.edu/~quanah/pgp.html
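
The proxy setup described in the message above, sketched as a slapd.conf database section. This is an added example, not part of the original message; the suffix dc=example,dc=com and the host replica.example.com are placeholders, and the directives are the ones documented in slapd-ldap(5).

```conf
# slapd.conf on the proxy host, database section only (constructed example).
# dc=example,dc=com and replica.example.com are placeholders; substitute
# the real suffix and the address of the replica being hidden.
database        ldap
suffix          "dc=example,dc=com"

# The real replica that clients no longer contact directly.
uri             "ldap://replica.example.com/"

# Follow referrals returned by the replica instead of passing them back
# to the client (this is the default; stated here for clarity).
chase-referrals yes

# Keep the DN and password from the client's simple bind and reuse them
# when the proxy has to bind again, including when it chases a referral.
rebind-as-user  yes
```

Because rebind-as-user keeps the client's simple-bind password in the proxy's memory and replays it to whichever server a referral points at, the links between the proxy and those servers should be protected with TLS.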