>So you _have_ to first search and filter, then use the gathered DN to
>either bind() or collect the password. There is no way around.
>

Agreed. It is very common for LDAP objects to be spread through the tree. Particularly in Active Directory, and Ldap-UserDN is still needed there for group search.

-- 
Sent from my phone. Please excuse brevity and typos.
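
The search-then-bind flow discussed in this message, as an added example that is not part of the original thread or of any project's code. An in-memory toy directory stands in for the LDAP server; the entries, passwords, base DN and all function names are constructed for illustration. It also escapes the login per RFC 4515 and refuses ambiguous matches.

```python
import re

# Constructed sample directory: users are spread across several subtrees,
# so the DN cannot be derived from the login name alone.
DIRECTORY = {
    "uid=alice,ou=staff,dc=example,dc=org": {"uid": "alice", "userPassword": "alice-pw"},
    "uid=bob,ou=contractors,ou=external,dc=example,dc=org": {"uid": "bob", "userPassword": "bob-pw"},
    "uid=bob2,ou=staff,dc=example,dc=org": {"uid": "bob2", "userPassword": "bob2-pw"},
}

def escape_filter_value(value):
    """Escape the RFC 4515 special characters so input cannot alter the filter."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\0" else c for c in value)

def _piece(p):
    """Translate one filter token into a regex fragment."""
    if p == "*":
        return ".*"                                  # unescaped wildcard
    if re.fullmatch(r"\\[0-9a-fA-F]{2}", p):
        return re.escape(chr(int(p[1:], 16)))        # \XX escape -> literal char
    return re.escape(p)

def search(base, ldap_filter):
    """Toy subtree search supporting only filters of the form (attr=value)."""
    attr, pattern = re.fullmatch(r"\(([^=()]+)=(.*)\)", ldap_filter, re.S).groups()
    regex = "".join(_piece(p) for p in re.split(r"(\*|\\[0-9a-fA-F]{2})", pattern))
    return [dn for dn, entry in DIRECTORY.items()
            if dn.endswith(base) and re.fullmatch(regex, entry.get(attr, ""), re.S)]

def bind(dn, password):
    """Toy simple bind: compare against the constructed stored password."""
    return DIRECTORY.get(dn, {}).get("userPassword") == password

def authenticate(login, password, base="dc=example,dc=org"):
    """Search for the user's DN first, then bind as that DN."""
    if not password:           # an empty password would be an unauthenticated bind
        return None
    matches = search(base, "(uid=%s)" % escape_filter_value(login))
    if len(matches) != 1:      # no entry, or an ambiguous result: refuse
        return None
    dn = matches[0]
    return dn if bind(dn, password) else None
```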