Thanks Jakub (and Stephen Gallagher), the suggestion of setting ldap_user_principal to a non-existent attribute worked perfectly. A mention of this 'trick' in the man page for sssd-ldap would be great, until a feature can be added to parameterize the ldap_user_principal attribute.

-- Mike
sssd-users@lists.fedorahosted.org