I have 3.0.4 successfully running against OpenLDAP 2.2.13. I noticed that during a password change the replog for "samba" password stuff is "delete/add" pairs while the "userPassword" is a "replace". I can only assume that Samba is generating the "delete/add" pairs, while the api call to ldap_extended_operation is doing the "replace". My question is why the choice of "delete/add"? Isn't "replace" a better choice? Admittedly I had a replica slightly out of sync and the "delete/add" failed because I had the wrong password entries for samba. Unix password always sync'ed however since it was issued as a replace. Just curious... Bill