The slapd.conf option "authz-regexp", according to man page is...: Used by the authentication framework to convert simple user names, such as provided by SASL subsystem, to an LDAP DN used for authorization purposes. I am searching how to do the exact reverse thing, and I haven't found an option for it. Specifically, I would like to convert the LDAP dn provided in a simple LDAP bind, to an authentication token (userid, realm, password) that would be passed to the SASL subsystem for the purposes of authentication. The SASL subsystem would then be responsible to do the authentication, just as if SASL authentication ('-Y') were used. Am I correct in assuming that this functionality currently does not exist? Alexandros Vellis