pwdExpirationTime and other per password value attributes only assume the password attribute can only contain a SINGLE-VALUE. userPassword, however, is defined to allow multiple values. I am unsure of single-valueness of alternatives to userPassword. Regards, Kurt ---- Kurt D. Zeilenga <kurt@boolean.net> Net Boolean Incorporated <http://www.boolean.net/>