Nope I have rolled my own server and sdk, never did like the umich code :-) Wrt the realm/dn issue I guess my first thought would have been to put some mapping in the directory which is refered to by an attribute in the root-DSE or in some subentry. The current discussion on ldapext about authzid or not to authzid may shed some light on this aswell. What about the basic hdb-entry schema? Cheers Leif