> as far as I understand you should not be using the shadowAccount
> objectClass attributes to get this behaviour but you should be
> configuring the password policies instead.

Okay, I have spent a couple hours with DS's password policy and do not like it. Why are shadowAccount attributes in the schema and allowed if not to be used? It seems OpenLDAP supports them.

--
- Kyle
---------------------------------------------
kylet at panix.com
http://www.panix.com/~kylet
---------------------------------------------