Hi Mourik,

I asked Andrew Bartlett, one of my colleagues here at Catalyst and a Samba developer, about the issue. Here is what he said:

----- Forwarded message from Andrew Bartlett -----

The key difference between OpenLDAP as traditionally deployed and AD as traditionally deployed is not just the schema, but also that authentication is required for searches (here needed to map between the user's username and their DN for the simple bind).

However, there is a way around that, because AD is smart and allows all sorts of things that are not a DN to be the 'bind DN': you can bind to LDAP as user@REALM or NT4DOM\username, for example.

--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Catalyst IT http://catalyst.net.nz/services/samba

----- End forwarded message -----
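
The direct bind described in the forwarded message, as an added example that is not part of the original e-mail or of Samba's code: it builds the user@REALM or NT4DOM\username bind name and binds with it, so no authenticated search for the DN is needed. The function names, the character allow-lists and the use of the third-party `ldap3` library over LDAPS are assumptions of this example.

```python
import re

# Conservative allow-lists (assumptions for this example, not AD's full rules).
_USER = re.compile(r"[A-Za-z0-9._-]{1,64}")
_REALM = re.compile(r"[A-Za-z0-9.-]{1,255}")
_NT4DOM = re.compile(r"[A-Za-z0-9-]{1,15}")


def ad_bind_identity(username, realm=None, nt4_domain=None):
    """Build the non-DN bind name: user@REALM or NT4DOM\\username."""
    if not _USER.fullmatch(username):
        raise ValueError("unexpected characters in username")
    if (realm is None) == (nt4_domain is None):
        raise ValueError("give exactly one of realm or nt4_domain")
    if realm is not None:
        if not _REALM.fullmatch(realm):
            raise ValueError("unexpected characters in realm")
        return f"{username}@{realm}"
    if not _NT4DOM.fullmatch(nt4_domain):
        raise ValueError("unexpected characters in NT4 domain")
    return f"{nt4_domain}\\{username}"


def ad_simple_bind(host, username, password, realm=None, nt4_domain=None):
    """Verify a password by binding directly, with no prior search for the DN."""
    # A simple bind with a name and an empty password is an unauthenticated
    # bind (RFC 4513), which a server may answer with success.
    if not password:
        raise ValueError("empty password refused")
    identity = ad_bind_identity(username, realm, nt4_domain)
    import ldap3  # third-party; imported here so the helper above has no dependency
    server = ldap3.Server(host, use_ssl=True)  # LDAPS: simple bind sends the password
    conn = ldap3.Connection(server, user=identity, password=password,
                            authentication=ldap3.SIMPLE)
    try:
        return conn.bind()  # True only if the server accepted the credentials
    finally:
        conn.unbind()
```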