I've noticed the ExtendedResponse for startTLS does not include the oid of the startTLS extension as rfc 2830 says it should (section 2.1). I've been testing against kurt's server at www.openLDAP.org. - Cameron Morris