Rowland, hopefully this explains it. I am not a security expert by any means, so correct me if I am incorrect in these assumptions!

My understanding is that standard LDAP authentication without any encryption will send passwords and user information (usernames, groups they're a part of, etc.) over plain text. This means that a user on the network could potentially sniff the packets and see the passwords and user information. In fact, I was able to see the user information myself (not passwords, though they may be there somewhere) in the network traffic via Wireshark. My understanding is that with LDAPS, the traffic is encrypted and this information is not viewable by someone on the network.

I have tried "client ldap sasl wrapping = seal" as suggested by Volker, and that does seem to work and provide some kind of encryption of the LDAP traffic using SASL. I'm just not sure if it is as strong as TLS; my understanding is it is not.

Are my assumptions/information correct? My ultimate goal is to encrypt the LDAP traffic using TLS. Is that possible with Winbind and Samba?

--
Tim Gwynne
978-994-4272