--- ldap.c.orig 2007-06-23 17:36:47.000000000 -0400
+++ ldap.c 2007-07-09 23:38:52.672360000 -0400
@@ -56,6 +56,11 @@
 # include
 #endif
 #include
+//#if defined(HAVE_SASL_SASL_H)
+#include
+//#elif defined(HAVE_SASL_H)
+//#include
+//#endif
 #include "sudo.h"
 #include "parse.h"
@@ -99,6 +104,7 @@
 char *tls_cipher_suite;
 char *tls_certfile;
 char *tls_keyfile;
+ char *use_sasl;
 } ldap_conf;
 static void sudo_ldap_update_defaults __P((LDAP *));
@@ -557,6 +563,8 @@
 else
 MATCH_S("sudoers_base", ldap_conf.base)
 else
+ MATCH_I("use_sasl", ldap_conf.use_sasl)
+ else
 MATCH_I("sudoers_debug", ldap_conf.debug)
 else {
@@ -657,6 +665,36 @@
 return(b);
 }
+static int
+_nss_ldap_sasl_interact(LDAP *ld, unsigned flags, void *defaults, void *interacts)
+{
+ char *pw = (char *)defaults;
+ sasl_interact_t *interact_iter = (sasl_interact_t *)interacts;
+ while (interact_iter->id != SASL_CB_LIST_END) {
+ if (interact_iter->id == SASL_CB_USER) {
+ if (pw != NULL) {
+ interact_iter->result = pw;
+ interact_iter->len = strlen(pw);
+ } else if (interact_iter->defresult != NULL) {
+ interact_iter->result = interact_iter->defresult;
+ interact_iter->len = strlen(interact_iter->defresult);
+ } else {
+ interact_iter->result = "";
+ interact_iter->len = 0;
+ }
+ } else
+ return (LDAP_PARAM_ERROR);
+#if SASL_VERSION_MAJOR < 2
+ interact_iter->result = strdup(interact_iter->result);
+ if (interact_iter->result == NULL)
+ return (LDAP_NO_MEMORY);
+#endif /* SASL_VERSION_MAJOR < 2 */
+ interact_iter++;
+ }
+ return (LDAP_SUCCESS);
+}
+
 char *sudo_ldap_cm_list = NULL;
 size_t sudo_ldap_cm_list_size;
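Review bot: The `#if defined(HAVE_SASL_SASL_H)` / `#elif defined(HAVE_SASL_H)` guards around the new include in the first hunk are commented out, so the SASL header (presumably `<sasl/sasl.h>`; the name is lost in this rendering) is now included unconditionally and ldap.c no longer builds on a host without Cyrus SASL headers, even when `use_sasl` is never set. The guard should be real and driven by a configure check, and the SASL-only code added later in this patch (`_nss_ldap_sasl_interact`, the `ldap_sasl_interactive_bind_s` call) should sit under the same conditional so the non-SASL build still compiles. Restoring the intended form is three lines: `#if defined(HAVE_SASL_SASL_H)` / `# include <sasl/sasl.h>` / `#elif defined(HAVE_SASL_H)` … `#endif`, with the `//` removed.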
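Review bot: In the third hunk `use_sasl` is parsed with `MATCH_I`, the macro the neighbouring lines use for the integer `sudoers_debug` option, yet the field added to `ldap_conf` in the previous hunk is declared `char *use_sasl` and the bind code later in this patch treats it as a string; one of the two has to change. Since the option is a yes/no switch, the simplest fix is `int use_sasl;` in the struct and keep `MATCH_I` here, then test it with `if (ldap_conf.use_sasl)`; the alternative is to keep `char *` and parse it with `MATCH_S("use_sasl", ldap_conf.use_sasl)`, comparing with `strcasecmp` at the bind. I cannot see `MATCH_I`'s expansion from here, so confirm whether it accepts "yes"/"no" spellings or only numbers before choosing. The enclosing config-parsing function starts and ends outside the hunk.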
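Review bot: In the last hunk, `defaults` is bound to a variable named `pw`, but the value is only ever returned for `SASL_CB_USER`, i.e. as the SASL authorization identity, never as a password; with that name a future caller will hand in `ldap_conf.bindpw` and the bind password will be sent to the server as the authzid. Rename it (`char *authzid = (char *)defaults;`) and put the contract above the function, e.g. `/* SASL interaction callback: "defaults" is the authorization identity (may be NULL); any callback other than SASL_CB_USER fails the bind with LDAP_PARAM_ERROR. */`. `_nss_ldap_sasl_interact` is also a reserved identifier at file scope (leading underscore, C99 7.1.3) and reads as a copy of nss_ldap's helper; `sudo_ldap_sasl_interact` matches this file's naming. Note that the `else return (LDAP_PARAM_ERROR);` branch aborts the bind if libsasl asks for anything else (e.g. `SASL_CB_AUTHNAME`); that is presumably acceptable for GSSAPI but worth confirming against the SASL library in use.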
@@ -857,10 +895,21 @@
 #endif /* HAVE_LDAP_START_TLS_S */
 /* Actually connect */
- if ((rc = ldap_simple_bind_s(ld, ldap_conf.binddn, ldap_conf.bindpw))) {
- fprintf(stderr, "ldap_simple_bind_s()=%d : %s\n",
- rc, ldap_err2string(rc));
- return(NULL);
+ if (ldap_conf.use_sasl=estrdup("yes")) {
+ void *pw;
+ if ((rc=ldap_sasl_interactive_bind_s(ld, ldap_conf.binddn,
+ "GSSAPI", NULL, NULL, LDAP_SASL_QUIET,
+ _nss_ldap_sasl_interact, pw))) {
+ fprintf(stderr, "ldap_sasl_interactive_bind_s()=%d : %s\n",
+ rc, ldap_err2string(rc));
+ return(NULL);
+ }
+ } else {
+ if ((rc = ldap_simple_bind_s(ld, ldap_conf.binddn, ldap_conf.bindpw))) {
+ fprintf(stderr, "ldap_simple_bind_s()=%d : %s\n",
+ rc, ldap_err2string(rc));
+ return(NULL);
+ }
 }
 DPRINTF(("ldap_bind() ok"), 1);
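Review bot: `void *pw;` is passed uninitialized as the `defaults` argument of `ldap_sasl_interactive_bind_s`, and `_nss_ldap_sasl_interact` dereferences it (`strlen(pw)`) whenever it is non-NULL, so the GSSAPI bind either crashes or sends whatever stack garbage `pw` points at to the server as the SASL authorization identity; pass `NULL` (or an explicitly configured authzid) in its place and drop the declaration. The condition `if (ldap_conf.use_sasl=estrdup("yes"))` is an assignment of a fresh non-NULL string, so it is always true: the simple-bind branch below it is dead, every connection attempts GSSAPI regardless of configuration, and the parsed value is silently overwritten; it should be a test such as `if (ldap_conf.use_sasl != NULL && strcasecmp(ldap_conf.use_sasl, "yes") == 0) {` (or `if (ldap_conf.use_sasl)` if the field becomes an int). Because sudo runs with elevated privileges, a GSSAPI bind will use whichever Kerberos credential cache the process environment selects; I would confirm that the cache used here is one sudo controls (or a configured keytab) rather than one inherited from the invoking user, since otherwise the user influences whose credentials authenticate the sudoers lookup. The enclosing connect function starts and ends outside the hunk.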