Hi,
thanks for the patch, do you have a link to some build instructions for
pki?
I looked into the patch and I think I was not clear enough about the
bindDnGroup. It is only an attribute of the replica object, not of the
replication agreement.
The idea is, instead of adding a binddn to each replica object for each
incoming replication agreement, to define a group of users allowed as
replicaBinddns. In the replication agreement you still can set a binddn,
if it is a member of the binddngroup. In IPA we want to use GSSAPI and
the bind dn is the kerberos ldap principal of the connecting server, the
binddngroup contains all ldap principals of the servers in the topology.
Regards,
Ludwig
On 07/17/2015 11:34 PM, Ade Lee wrote:
This patch will be for Dogtag 10.2.7, and is still in preliminary
testing. I'm posting mostly so that folks can take a look at what's
coming and see whether it meets what is needed for IPA et al.
This is for ticket 1414.
Ade