So After my trials and tribulations with " Referrals for Update Operations" (thanks again, you guys rock!) hence known as "Tim's continuing LDAP Saga and Viking Cha-Cha" I came across "Referential Integrity" in the docs, and boy howdy does it look useful! http://www.redhat.com/docs/manuals/dir-server/ag/8.0/Creating_Directory_Entries-Maintaining_Referential_Integrity.html I had a couple of concerns, before I enabled it that I was hoping people could chime in on! 1) I'd like to have Referential Integrity monitor the memberUid field as well, but I was unclear in the documentation if when scanning the directory if it scans ALL the directories hosted by a given server, or just searches in the directory where the user was deleted? for example, I have two root suffixes, both of which contain users and groups , and more often then we'd like user "foo" exists in both... dc=example,dc=edu dc=dept,dc=example,dc=edu if I delete user uid=foo,ou=People,dc=dept,dc=example,dc=edu would the Referential Integrity plug in know to leave any instance of "uid=foo" and "memberUid=foo" in the dc=example,dc=edu branch alone? 2) I have 2 Masters (set up to be Multi Masters) and 4 Replica's, There are a number of warnings about setting this up only on 1 of the Masters (which shouldn't be a problem), in the case that M1 is configured with the Referential Integrity plug in, and it goes down for some amount of time, and a user is deleted, will the plugin "Catch up" once M1 has been brought back online? Thanks for the input! Tim