>>>>> "Greg" == Greg Hudson via RT writes:

    Greg> 2. When the LDAP back end loads the source principal entry, it
    Greg> inserts a tl-data value of type KDB_TL_USERDN containing the
    Greg> DN. When we put the principal entry, this tl-data value is
    Greg> extracted and used as the DN to use. We don't want that to
    Greg> happen; we want the KDB module to construct a new DN based on
    Greg> the new principal name.

I'm not sure that's true. In my directory I have principals stored inside account objects. For example I have uid=hartmans,ou=users,dc=painless-security,dc=com. I really want the principal to stay there even if I rename it.

If I'm also renaming the account I'll do that with an ldap operation and that will rename the object.

Yes, the principal also needs to get renamed, but I'd be really annoyed if renaming a principal moved a principal contained in an account object out of that object.

--Sam