userPassword: {SASL}username@xxxxxxxxxxxxxxxxxx
Oh, one thing I forgot to mention. If you are using something like this, you do not allow users to write to userPassword (or they could overwrite this with actual password, and then you are in trouble). Users should use kpasswd to change passwords in Kerberos database instead.
-- Aleksandar Milivojevic <amilivojevic@xxxxxx> Pollard Banknote Limited Systems Administrator 1499 Buffalo Place Tel: (204) 474-2323 ext 276 Winnipeg, MB R3T 1L7