Hi, I am implementing password policy in my LDAP-based software. When using Fedora DS I encountered several problems (or questions) : 1) when password expired, no request other than modifying its userPassword attribute is allowed. Two requests would have been usefull in my opinion : * Start TLS : I want to enable TLS just before changing my password, but : - Start TLS is not allowed, since it is not the only allowed modify request on userpassword - After Start TLS (when the password is not expired), it seems that the connection become sometimes anonymous, and needs a new bind. I thought only the Stop TLS operation must disable the authentication on the LDAP connection * Password Modify Extended operation : I just thought it would be a good idea to use it to change a password, but it is not allowed 2) when changing the password using a standard ldap modify request, if I send two modify operations in the same request, the first one to remove the old password and the second one to add the new password, do I need to hash the old password for it to be in the same format than in the directory ? 3) when using the Password Modify Extended operation, then at the next logon the server requires the user to change its password ! So I definitly can't use this operation on a server implementing password policy. I believe that in the Fedora DS password policy code this operation is only seen as an administration request, not intended to be done by a user : it is handled as a "force password" request, not a "change password" request. 4) I use the Novell LDAP client API. Any call to ldap_stop_tls_s blocks the calling thread. I don't know if it comes from the server, the client API, or both. It is not too bad since I can just call ldap_unbind and ldap_init instead. Fran?ois