diff -up source3/lib/smbldap.c.orig source3/lib/smbldap.c
--- source3/lib/smbldap.c.orig 2009-09-09 07:40:43.000000000 -0500
+++ source3/lib/smbldap.c 2009-09-17 02:29:34.000000000 -0500
@@ -439,6 +439,8 @@ ATTRIB_MAP_ENTRY sidmap_attr_list[] = {
 LDAPMod **mods;
 int i;
 int j;
+ bool disset= False;
+ bool disname = False;
 mods = *modlist;
@@ -454,6 +456,21 @@ ATTRIB_MAP_ENTRY sidmap_attr_list[] = {
 return;
 #endif
+ if ( !(StrnCaseCmp( attribute , "displayname", strlen("displayname")))) {
+ disname = true;
+ DEBUG(10,("Attribute displayName passed to smbldap_set_mod()\n"));
+ }
+ if ( !(lp_parm_bool(-1, "ldapsam", "displayNameCanWrite", true))) {
+ disset = true;
+ DEBUG(10,("Attribute ldapsam:displayNameCanWrite = false\n"));
+ }
+ if ( disname && disset ) {
+ /* attribute is 'displayname' and ldapsam:displayNameCanWrite = false so bail out. */
+ DEBUG(10,("smbldap_set_mod(): ldapsam:displayNameCanWrite is false, and display name update requested\n"));
+ DEBUG(10, ("Attribute displayName delete therefore ignored.\n"));
+ return;
+ }
+
 if (mods == NULL) {
 mods = SMB_MALLOC_P(LDAPMod *);
 if (mods == NULL) {
@@ -523,6 +540,8 @@ ATTRIB_MAP_ENTRY sidmap_attr_list[] = {
 {
 char oldval[2048]; /* current largest allowed value is mungeddial */
 bool existed;
+ bool disset= False;
+ bool disname = False;
 if (attribute == NULL) {
 /* This can actually happen for ldapsam_compat where we for
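Review bot: The guard added to smbldap_set_mod() in the @@ -454,6 +456,21 @@ hunk compares only the first strlen("displayname") characters, so it also drops writes to any attribute whose name merely begins with that string (displayNamePrintable, for example), not just displayName. An exact case-insensitive match is what the option name promises: `if (strequal(attribute, "displayName")) {`. The same prefix comparison is repeated in the smbldap_make_mod() hunk at @@ -530,6 +549,21 @@ and needs the same change. Because the function returns without a status and the only trace is a DEBUG level 10 line whose wording says "delete" for every modify operation, neither callers nor operators can tell that a write was refused; logging the refusal at a lower debug level with the actual operation would make the policy auditable. Whether attribute has already been NULL-checked before this block is not visible in the hunk and should be confirmed.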
@@ -530,6 +549,21 @@ ATTRIB_MAP_ENTRY sidmap_attr_list[] = {
 return;
 }
+ if ( !(StrnCaseCmp( attribute , "displayname", strlen("displayname")))) {
+ disname = true;
+ DEBUG(10,("Attribute displayName passed to smbldap_make_mod()\n"));
+ }
+ if ( !(lp_parm_bool(-1, "ldapsam", "displayNameCanWrite", true))) {
+ disset = true;
+ DEBUG(10,("Attribute ldapsam:displayNameCanWrite = false\n"));
+ }
+ if ( disname && disset ) {
+ /* attribute is 'displayname' and ldapsam:displayNameCanWrite = false so bail out. */
+ DEBUG(10,("smbldap_make_mod(): ldapsam:displayNameCanWrite is false, and display name update requested\n"));
+ DEBUG(10, ("Attribute displayName change therefore ignored.\n"));
+ return;
+ }
+
 if (existing != NULL) {
 existed = smbldap_get_single_attribute(ldap_struct, existing, attribute, oldval, sizeof(oldval));
 } else {
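Review bot: The block added to smbldap_make_mod() is a copy of the one in smbldap_set_mod() (the @@ -454 hunk), and both copies call lp_parm_bool() for every attribute, whether or not it is displayName, and carry two flag variables for a single decision. One static helper that tests the attribute name first and only then reads ldapsam:displayNameCanWrite keeps the two call sites in step, so the write restriction cannot drift between them, and makes disset/disname unnecessary. The sketch below uses an exact name match and a single debug line per refusal; smbldap_make_mod() begins and ends outside this hunk.

```c
/* True when ldapsam:displayNameCanWrite = false forbids writing this attribute. */
static bool smbldap_displayname_readonly(const char *attribute)
{
	if (!strequal(attribute, "displayName")) {
		return false;
	}
	return !lp_parm_bool(-1, "ldapsam", "displayNameCanWrite", true);
}

/* ... unchanged: start of smbldap_make_mod(), attribute == NULL check ... */

	if (smbldap_displayname_readonly(attribute)) {
		DEBUG(10, ("smbldap_make_mod(): ldapsam:displayNameCanWrite is false, "
			   "displayName change ignored\n"));
		return;
	}

/* ... unchanged: existing != NULL lookup of the old value ... */
```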