author | Nathan Kinder <nkinder@redhat.com> | 2007-06-08 23:19:20 +0000 |
---|---|---|
committer | Nathan Kinder <nkinder@redhat.com> | 2007-06-08 23:19:20 +0000 |
commit | 85eefc580b0dc619292325319a7bb261dd698e15 (patch) | |
tree | 9cb86c2de3097d356db3b34d2b970c16971d3635 /ldap/servers/slapd | |
parent | d9b8787008e72e696b2b92f20e18b4c3f5f0a38c (diff) | |
Resolves: 240583
Summary: Added SASL support to ldclt as well as some thread-safety fixes for ns-slapd when using SASL.
Diffstat (limited to 'ldap/servers/slapd')
-rw-r--r-- | ldap/servers/slapd/saslbind.c | 37 | ||||
-rwxr-xr-x | ldap/servers/slapd/tools/ldaptool-sasl.c | 371 | ||||
-rw-r--r-- | ldap/servers/slapd/tools/ldaptool-sasl.h | 45 | ||||
-rw-r--r-- | ldap/servers/slapd/tools/ldaptool.h | 208 | ||||
-rw-r--r-- | ldap/servers/slapd/tools/ldclt/ldapfct.c | 73 | ||||
-rw-r--r-- | ldap/servers/slapd/tools/ldclt/ldclt.c | 195 | ||||
-rw-r--r-- | ldap/servers/slapd/tools/ldclt/ldclt.h | 8 | ||||
-rw-r--r-- | ldap/servers/slapd/tools/ldclt/ldclt.use | 5 | ||||
-rw-r--r-- | ldap/servers/slapd/tools/ldclt/ldcltU.c | 10 | ||||
-rw-r--r-- | ldap/servers/slapd/tools/ldclt/scalab01.c | 8 |
10 files changed, 868 insertions, 92 deletions
diff --git a/ldap/servers/slapd/saslbind.c b/ldap/servers/slapd/saslbind.c index d91cd69b..f7435ce4 100644 --- a/ldap/servers/slapd/saslbind.c +++ b/ldap/servers/slapd/saslbind.c @@ -54,38 +54,33 @@ static char *serverfqdn; /* * utility functions needed by the sasl library */ - -int sasl_os_gethost(char *buf, int len) -{ - int rc; - - rc = gethostname(buf, len); - LDAPDebug(LDAP_DEBUG_TRACE, "sasl_os_gethost %s\n", buf, 0, 0); - return ( rc == 0 ? SASL_OK : SASL_FAIL ); -} - -void *sasl_mutex_alloc(void) +void *nssasl_mutex_alloc(void) { return PR_NewLock(); } -int sasl_mutex_lock(void *mutex) +int nssasl_mutex_lock(void *mutex) { PR_Lock(mutex); return SASL_OK; } -int sasl_mutex_unlock(void *mutex) +int nssasl_mutex_unlock(void *mutex) { if (PR_Unlock(mutex) == PR_SUCCESS) return SASL_OK; return SASL_FAIL; } -void sasl_mutex_free(void *mutex) +void nssasl_mutex_free(void *mutex) { PR_DestroyLock(mutex); } +void nssasl_free(void *ptr) +{ + slapi_ch_free(&ptr); +} + /* * sasl library callbacks */ @@ -603,6 +598,20 @@ int ids_sasl_init(void) LDAPDebug(LDAP_DEBUG_TRACE, "sasl service fqdn is: %s\n", serverfqdn, 0, 0); + /* Set SASL memory allocation callbacks */ + sasl_set_alloc( + (sasl_malloc_t *)slapi_ch_malloc, + (sasl_calloc_t *)slapi_ch_calloc, + (sasl_realloc_t *)slapi_ch_realloc, + (sasl_free_t *)nssasl_free ); + + /* Set SASL mutex callbacks */ + sasl_set_mutex( + (sasl_mutex_alloc_t *)nssasl_mutex_alloc, + (sasl_mutex_lock_t *)nssasl_mutex_lock, + (sasl_mutex_unlock_t *)nssasl_mutex_unlock, + (sasl_mutex_free_t *)nssasl_mutex_free); + result = sasl_server_init(ids_sasl_callbacks, "iDS"); if (result != SASL_OK) { diff --git a/ldap/servers/slapd/tools/ldaptool-sasl.c b/ldap/servers/slapd/tools/ldaptool-sasl.c new file mode 100755 index 00000000..3658bda9 --- /dev/null +++ b/ldap/servers/slapd/tools/ldaptool-sasl.c 
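Review bot: The function-pointer casts in the new `sasl_set_alloc(...)` and `sasl_set_mutex(...)` calls in ids_sasl_init hide any mismatch between the slapi_ch_* / nssasl_* signatures and the `sasl_*_t` callback types, so the compiler can no longer flag a wrong parameter width or return type. nssasl_free in the first hunk already shows the safer pattern: thin wrappers declared with the exact SASL prototypes for malloc, calloc and realloc would let the casts be dropped. In the first hunk, nssasl_mutex_lock passes its argument straight to PR_Lock and always reports SASL_OK, so a failed PR_NewLock in nssasl_mutex_alloc would not be noticed; `if (mutex == NULL) return SASL_FAIL;` at the top of the lock and unlock callbacks would cover that. ids_sasl_init starts and ends outside the hunk.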
@@ -0,0 +1,371 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is Sun LDAP C SDK.
+ *
+ * The Initial Developer of the Original Code is Sun Microsystems, Inc.
+ *
+ * Portions created by Sun Microsystems, Inc are Copyright (C) 2005
+ * Sun Microsystems, Inc. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+
+/*
+ * File for ldaptool routines for SASL
+ */
+
+#include <ldap.h>
+#include "ldaptool.h"
+#include "ldaptool-sasl.h"
+#include <sasl.h>
+#include <stdio.h>
+
+#if defined(HPUX)
+#include <sys/termios.h> /* for tcgetattr and tcsetattr */
+#endif /* HPUX */
+
+#define SASL_PROMPT "Interact"
+
+typedef struct {
+ char *mech;
+ char *authid;
+ char *username;
+ char *passwd;
+ char *realm;
+} ldaptoolSASLdefaults;
+
+static int get_default(ldaptoolSASLdefaults *defaults, sasl_interact_t *interact, unsigned flags);
+static int get_new_value(sasl_interact_t *interact, unsigned flags);
+
+/* WIN32 does not have getlogin() so roll our own */
+#if defined( _WINDOWS ) || defined( _WIN32 )
+#include "LMCons.h"
+static char *getlogin()
+{
+ LPTSTR lpszSystemInfo; /* pointer to system information string */
+ DWORD cchBuff = UNLEN; /* size of user name */
+ static TCHAR tchBuffer[UNLEN + 1]; /* buffer for expanded string */
+
+ lpszSystemInfo = tchBuffer;
+ GetUserName(lpszSystemInfo, &cchBuff);
+
+ return lpszSystemInfo;
+}
+#endif /* _WINDOWS || _WIN32 */
+
+/*
+ Note that it is important to use "" (the empty string, length 0) as the default
+ username value for non-interactive cases. This allows the sasl library to find the best
+ possible default. For example, if using GSSAPI, you want the default value for
+ the username to be extracted from the Kerberos tgt. The sasl library will do
+ that for you if you set the default username to "".
+*/
+void *
+ldaptool_set_sasl_defaults ( LDAP *ld, unsigned flags, char *mech, char *authid, char *username,
+ char *passwd, char *realm )
+{
+ ldaptoolSASLdefaults *defaults;
+ char *login = NULL;
+
+ if ((defaults = calloc(sizeof(ldaptoolSASLdefaults), 1)) == NULL) {
+ return NULL;
+ }
+
+ /* Try to get the login name */
+ if ((login = getlogin()) == NULL) {
+ login = "";
+ }
+
+ if (mech) {
+ defaults->mech = strdup(mech);
+ } else {
+ ldap_get_option(ld, LDAP_OPT_X_SASL_MECH, &defaults->mech);
+ }
+
+ if (authid) { /* use explicit passed in value */
+ defaults->authid = strdup(authid);
+ } else { /* use option value if any */
+ ldap_get_option(ld, LDAP_OPT_X_SASL_AUTHCID, &defaults->authid);
+ if (!defaults->authid) {
+ /* Default to the login name that is running the command */
+ defaults->authid = strdup( login );
+ }
+ }
+
+ if (username) { /* use explicit passed in value */
+ defaults->username = strdup(username);
+ } else { /* use option value if any */
+ ldap_get_option(ld, LDAP_OPT_X_SASL_AUTHZID, &defaults->username);
+ if (!defaults->username && (flags == LDAP_SASL_INTERACTIVE)) {
+ /* Default to the login name that is running the command */
+ defaults->username = strdup( login );
+ } else if (!defaults->username) { /* not interactive - use default sasl value */
+ defaults->username = strdup( "" );
+ }
+ }
+
+ if (passwd)
+ defaults->passwd = strdup (passwd);
+ else
+ defaults->passwd = strdup ("");
+
+ if (realm) {
+ defaults->realm = realm;
+ } else {
+ ldap_get_option(ld, LDAP_OPT_X_SASL_REALM, &defaults->realm);
+ }
+
+ return defaults;
+}
+
+void
+ldaptool_free_defaults( void *defaults ) {
+ ldaptoolSASLdefaults *sasl_defaults = defaults;
+
+ if (sasl_defaults) {
+ if (sasl_defaults->mech)
+ free (sasl_defaults->mech);
+
+ if (sasl_defaults->authid)
+ free (sasl_defaults->authid);
+
+ if (sasl_defaults->username)
+ free (sasl_defaults->username);
+
+ if (sasl_defaults->passwd)
+ free (sasl_defaults->passwd);
+
+ free (sasl_defaults);
+ sasl_defaults = NULL;
+ }
+}
+
+int
+ldaptool_sasl_interact( LDAP *ld, unsigned flags, void *defaults, void *prompts ) {
+ sasl_interact_t *interact = NULL;
+ ldaptoolSASLdefaults *sasldefaults = defaults;
+ int rc;
+
+ if (prompts == NULL) {
+ return (LDAP_PARAM_ERROR);
+ }
+
+ for (interact = prompts; interact->id != SASL_CB_LIST_END; interact++) {
+ /* Obtain the default value */
+ if ((rc = get_default(sasldefaults, interact, flags)) != LDAP_SUCCESS) {
+ return (rc);
+ }
+ /* always prompt in interactive mode - only prompt in automatic mode
+ if there is no default - never prompt in quiet mode */
+ if ( (flags == LDAP_SASL_INTERACTIVE) ||
+ ((interact->result == NULL) && (flags == LDAP_SASL_AUTOMATIC)) ) {
+ if ((rc = get_new_value(interact, flags)) != LDAP_SUCCESS)
+ return (rc);
+ }
+
+ }
+ return (LDAP_SUCCESS);
+}
+
+static int
+get_default(ldaptoolSASLdefaults *defaults, sasl_interact_t *interact, unsigned flags) {
+ const char *defvalue = interact->defresult;
+
+ if (defaults != NULL) {
+ switch( interact->id ) {
+ case SASL_CB_AUTHNAME:
+ defvalue = defaults->authid;
+ break;
+ case SASL_CB_USER:
+ defvalue = defaults->username;
+ break;
+ case SASL_CB_PASS:
+ defvalue = defaults->passwd;
+ break;
+ case SASL_CB_GETREALM:
+ defvalue = defaults->realm;
+ break;
+ }
+ }
+
+ if (defvalue != NULL) {
+ interact->result = defvalue;
+ if ((char *)interact->result == NULL)
+ return (LDAP_NO_MEMORY);
+ interact->len = strlen((char *)(interact->result));
+ }
+ return (LDAP_SUCCESS);
+}
+
+/*
+ * This function should always be called in LDAP_SASL_INTERACTIVE mode, or
+ * in LDAP_SASL_AUTOMATIC mode when there is no default value. This function
+ * will print out the challenge, default value, and prompt to get the value.
+ * If there is a default value, the user can just press Return/Enter at the
+ * prompt to use the default value. If there is no default, and the user
+ * didn't enter anything, this will return "" (the empty string) as the
+ * value.
+ */
+static int
+get_new_value(sasl_interact_t *interact, unsigned flags) {
+ char *newvalue = NULL, str[1024];
+ int len = 0;
+
+ if ((interact->id == SASL_CB_ECHOPROMPT) || (interact->id == SASL_CB_NOECHOPROMPT)) {
+ if (interact->challenge) {
+ fprintf(stderr, "Challenge: %s\n", interact->challenge);
+ }
+ }
+
+ if (interact->result) {
+ fprintf(stderr, "Default: %s\n", (char *)interact->result);
+ }
+
+ snprintf(str, sizeof(str), "%s:", interact->prompt?interact->prompt:SASL_PROMPT);
+ str[sizeof(str)-1] = '\0';
+
+ /* Get the new value */
+ if ((interact->id == SASL_CB_PASS) || (interact->id == SASL_CB_NOECHOPROMPT)) {
+ if ((newvalue = ldaptool_getpass( str )) == NULL) {
+ return (LDAP_UNAVAILABLE);
+ }
+ len = strlen(newvalue);
+ } else {
+ fputs(str, stderr);
+ if ((newvalue = fgets(str, sizeof(str), stdin)) == NULL) {
+ return (LDAP_UNAVAILABLE);
+ }
+ len = strlen(str);
+ if ((len > 0) && (str[len - 1] == '\n')) {
+ str[len - 1] = '\0';
+ len--;
+ }
+ }
+
+ if (len > 0) { /* user typed in something - use it */
+ if (interact->result) {
+ free((void *)interact->result);
+ }
+ interact->result = strdup(newvalue);
+ memset(newvalue, '\0', len);
+
+ if (interact->result == NULL) {
+ return (LDAP_NO_MEMORY);
+ }
+ interact->len = len;
+ } else { /* use default or "" */
+ if (!interact->result) {
+ interact->result = "";
+ }
+ interact->len = strlen(interact->result);
+ }
+ return (LDAP_SUCCESS);
+}
+
+/*
+ * Implements getpass like functionality for supported platforms.
+ *
+ * It is the callers responsibility to zero out the memory used
+ * to store the password and to free it when it's finished with
+ * it.
+ */
+char *
+ldaptool_getpass ( const char *prompt )
+{
+ char *pass;
+
+#if defined(_WIN32)
+ char pbuf[257];
+ fputs(prompt,stdout);
+ fflush(stdout);
+ if (fgets(pbuf,256,stdin) == NULL) {
+ pass = NULL;
+ } else {
+ char *tmp;
+
+ tmp = strchr(pbuf,'\n');
+ if (tmp) *tmp = '\0';
+ tmp = strchr(pbuf,'\r');
+ if (tmp) *tmp = '\0';
+ pass = strdup(pbuf);
+ }
+#else
+#if defined(SOLARIS)
+ /* 256 characters on Solaris */
+ pass = (char *)getpassphrase(prompt);
+#else
+#if defined(HPUX)
+ /* HP-UX has deprecated their password asking function, so we have
+ * to resort to doing it the hard way . . . */
+ char pbuf[257];
+ struct termios termstat;
+ tcflag_t savestat;
+ /* Only perform terminal manipulation if stdin is a terminal */
+ int havetty = isatty(fileno(stdin));
+
+ fputs(prompt, stdout);
+ fflush(stdout);
+
+ if(havetty) {
+ if(tcgetattr(fileno(stdin), &termstat) < 0) {
+ perror( "tcgetattr" );
+ exit( LDAP_LOCAL_ERROR );
+ }
+ savestat = termstat.c_lflag;
+ termstat.c_lflag &= ~(ECHO | ECHOE | ECHOK);
+ termstat.c_lflag |= (ICANON | ECHONL);
+ if(tcsetattr(fileno(stdin), TCSANOW, &termstat) < 0) {
+ perror( "tcsetattr" );
+ exit( LDAP_LOCAL_ERROR );
+ }
+ }
+ if (fgets(pbuf,256,stdin) == NULL) {
+ pass = NULL;
+ } else {
+ char *tmp;
+ pass = NULL;
+ tmp = strchr(pbuf,'\n');
+ if (tmp)
+ *tmp = '\0';
+ pass = strdup(pbuf);
+ }
+ if(havetty) {
+ termstat.c_lflag = savestat;
+ if(tcsetattr(fileno(stdin), TCSANOW, &termstat) < 0) {
+ perror( "tcgetattr" );
+ exit( LDAP_LOCAL_ERROR );
+ }
+ }
+#else
+ /* limited to 16 chars on Tru64, 32 on AIX */
+ pass = (char *)getpass(prompt);
+#endif
+#endif
+#endif
+
+ return pass;
+}
diff --git a/ldap/servers/slapd/tools/ldaptool-sasl.h b/ldap/servers/slapd/tools/ldaptool-sasl.h
new file mode 100644
index 00000000..03556152
--- /dev/null
+++ b/ldap/servers/slapd/tools/ldaptool-sasl.h
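Review bot: In interactive mode get_new_value calls `free((void *)interact->result)` on a pointer it does not own: get_default set it to one of the strings held in the defaults block or to `interact->defresult`, so typing a value at the prompt releases memory that ldaptool_free_defaults frees again later, or memory that was never heap-allocated. Dropping that `free` and leaving ownership with the defaults block avoids the double free. The unconditional `fprintf(stderr, "Default: %s\n", ...)` also prints the stored password when the prompt is SASL_CB_PASS; guard it with `if (interact->result && interact->id != SASL_CB_PASS && interact->id != SASL_CB_NOECHOPROMPT)`. In ldaptool_set_sasl_defaults the strdup results are unchecked and `defaults->realm = realm` stores the caller's pointer while every other field is copied, and ldaptool_free_defaults releases `passwd` without clearing it first. The `_WIN32` branch of ldaptool_getpass reads the password with plain fgets and leaves the stack copy in `pbuf` uncleared, as does the HPUX branch.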
@@ -0,0 +1,45 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is Sun LDAP C SDK.
+ *
+ * The Initial Developer of the Original Code is Sun Microsystems, Inc.
+ *
+ * Portions created by Sun Microsystems, Inc are Copyright (C) 2005
+ * Sun Microsystems, Inc. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+
+/*
+ * Include file for ldaptool routines for SASL
+ */
+
+void *ldaptool_set_sasl_defaults ( LDAP *ld, unsigned flags, char *mech, char *authid, char *username, char *passwd, char *realm );
+void ldaptool_free_defaults( void *defaults );
+int ldaptool_sasl_interact ( LDAP *ld, unsigned flags, void *defaults, void *p );
+char *
+ldaptool_getpass ( const char *prompt );
diff --git a/ldap/servers/slapd/tools/ldaptool.h b/ldap/servers/slapd/tools/ldaptool.h
new file mode 100644
index 00000000..e85c4d0f
--- /dev/null
+++ b/ldap/servers/slapd/tools/ldaptool.h
@@ -0,0 +1,208 @@ +/* ***** BEGIN LICENSE BLOCK ***** + * Version: MPL 1.1/GPL 2.0/LGPL 2.1 + * + * The contents of this file are subject to the Mozilla Public License Version + * 1.1 (the "License"); you may not use this file except in compliance with + * the License. You may obtain a copy of the License at + * http://www.mozilla.org/MPL/ + * + * Software distributed under the License is distributed on an "AS IS" basis, + * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License + * for the specific language governing rights and limitations under the + * License. + * + * The Original Code is Mozilla Communicator client code, released + * March 31, 1998. + * + * The Initial Developer of the Original Code is + * Netscape Communications Corporation. + * Portions created by the Initial Developer are Copyright (C) 1998-1999 + * the Initial Developer. All Rights Reserved. + * + * Contributor(s): + * + * Alternatively, the contents of this file may be used under the terms of + * either of the GNU General Public License Version 2 or later (the "GPL"), + * or the GNU Lesser General Public License Version 2.1 or later (the "LGPL"), + * in which case the provisions of the GPL or the LGPL are applicable instead + * of those above. If you wish to allow use of your version of this file only + * under the terms of either the GPL or the LGPL, and not to allow others to + * use your version of this file under the terms of the MPL, indicate your + * decision by deleting the provisions above and replace them with the notice + * and other provisions required by the GPL or the LGPL. If you do not delete + * the provisions above, a recipient may use your version of this file under + * the terms of any one of the MPL, the GPL or the LGPL. + * + * ***** END LICENSE BLOCK ***** */ + +#ifndef _LDAPTOOL_H +#define _LDAPTOOL_H + +/* XXX:mhein The following is a workaround for the redefinition of */ +/* const problem on OSF. 
Fix to be provided by NSS */ +/* This is a pretty benign workaround for us which */ +/* should not cause problems in the future even if */ +/* we forget to take it out :-) */ + +#ifdef OSF1V4D +#ifndef __STDC__ +# define __STDC__ +#endif /* __STDC__ */ +#endif /* OSF1V4D */ + +#include <stdio.h> +#include <stdlib.h> +#include <string.h> +#include <errno.h> + +#ifdef AIX +#include <strings.h> +#endif + + +#ifdef SCOOS +#include <sys/types.h> +#endif + +#ifdef _WINDOWS +#define WIN32_LEAN_AND_MEAN +#include <windows.h> +extern int getopt (int argc, char *const *argv, const char *optstring); +#include <io.h> /* for _mktemp() */ +#define LDAPTOOL_MKTEMP( p ) _mktemp( p ) +#else +#include <sys/file.h> +#include <sys/stat.h> +#include <unistd.h> + +#define LDAPTOOL_MKTEMP( p ) mktemp( p ) +#endif + +#ifdef LINUX +#include <getopt.h> /* not always included from unistd.h */ +#endif + +#include <ctype.h> + +#ifndef SCOOS +#include <sys/types.h> +#endif + +#include <sys/stat.h> +#include <fcntl.h> + +#if defined(NET_SSL) +#include <ssl.h> +#endif + +#include <portable.h> +#include <ldap.h> +#include <ldaplog.h> +#include <ldif.h> + +#if defined(NET_SSL) +#include <ldap_ssl.h> +#endif + +#include <ldappr.h> + +#ifdef __cplusplus +extern "C" { +#endif + +/* + * shared macros, structures, etc. + */ +#define LDAPTOOL_RESULT_IS_AN_ERROR( rc ) \ + ( (rc) != LDAP_SUCCESS && (rc) != LDAP_COMPARE_TRUE \ + && (rc) != LDAP_COMPARE_FALSE ) + +#define LDAPTOOL_DEFSEP "=" /* used by ldapcmp and ldapsearch */ +#define LDAPTOOL_DEFHOST "localhost" +#define LDAPTOOL_DEFSSLSTRENGTH LDAPSSL_AUTH_CERT +#define LDAPTOOL_DEFCERTDBPATH "." +#define LDAPTOOL_DEFKEYDBPATH "." +#define LDAPTOOL_DEFREFHOPLIMIT 5 + +#define LDAPTOOL_SAFEREALLOC( ptr, size ) ( ptr == NULL ? 
malloc( size ) : \ + realloc( ptr, size )) +/* this defines the max number of control requests for the tools */ +#define CONTROL_REQUESTS 50 + +/* + * globals (defined in common.c) + */ +extern char *ldaptool_host; +extern char *ldaptool_host2; +extern int ldaptool_port; +extern int ldaptool_port2; +extern int ldaptool_verbose; +extern int ldaptool_not; +extern int ldaptool_nobind; +extern int ldaptool_noconv_passwd; +extern char *ldaptool_progname; +extern FILE *ldaptool_fp; +extern char *ldaptool_charset; +extern LDAPControl *ldaptool_request_ctrls[]; +#ifdef LDAP_DEBUG +extern int ldaptool_dbg_lvl; +#define LDAPToolDebug(lvl,fmt,arg1,arg2,arg3) if (lvl & ldaptool_dbg_lvl) { fprintf(stderr,fmt,arg1,arg2,arg3); } +#else +#define LDAPToolDebug(lvl,fmt,arg1,arg2,arg3) +#endif /* LDAP_DEBUG */ + + +/* + * function prototypes + */ +void ldaptool_common_usage( int two_hosts ); +int ldaptool_process_args( int argc, char **argv, char *extra_opts, + int two_hosts, void (*extra_opt_callback)( int option, char *optarg )); +LDAP *ldaptool_ldap_init( int second_host ); +void ldaptool_bind( LDAP *ld ); +void ldaptool_cleanup( LDAP *ld ); +int ldaptool_print_lderror( LDAP *ld, char *msg, int check4ssl ); +#define LDAPTOOL_CHECK4SSL_NEVER 0 +#define LDAPTOOL_CHECK4SSL_ALWAYS 1 +#define LDAPTOOL_CHECK4SSL_IF_APPROP 2 /* if appropriate */ +LDAPControl *ldaptool_create_manage_dsait_control( void ); +void ldaptool_print_referrals( char **refs ); +int ldaptool_print_extended_response( LDAP *ld, LDAPMessage *res, char *msg ); +LDAPControl *ldaptool_create_proxyauth_control( LDAP *ld ); +LDAPControl *ldaptool_create_geteffectiveRights_control ( LDAP *ld, + const char *authzid, const char **attrlist ); +void ldaptool_add_control_to_array( LDAPControl *ctrl, LDAPControl **array); +void ldaptool_reset_control_array( LDAPControl **array ); +char *ldaptool_get_tmp_dir( void ); +char *ldaptool_local2UTF8( const char *s, const char *desc ); +char *ldaptool_getpass( const char *prompt ); +char 
*ldaptool_read_password( FILE *mod_password_fp ); +int ldaptool_berval_is_ascii( const struct berval *bvp ); +int ldaptool_sasl_bind_s( LDAP *ld, const char *dn, const char *mechanism, + const struct berval *cred, LDAPControl **serverctrls, + LDAPControl **clientctrls, struct berval **servercredp, char *msg ); +int ldaptool_simple_bind_s( LDAP *ld, const char *dn, const char *passwd, + LDAPControl **serverctrls, LDAPControl **clientctrls, char *msg ); +int ldaptool_add_ext_s( LDAP *ld, const char *dn, LDAPMod **attrs, + LDAPControl **serverctrls, LDAPControl **clientctrls, char *msg ); +int ldaptool_modify_ext_s( LDAP *ld, const char *dn, LDAPMod **mods, + LDAPControl **serverctrls, LDAPControl **clientctrls, char *msg ); +int ldaptool_delete_ext_s( LDAP *ld, const char *dn, LDAPControl **serverctrls, + LDAPControl **clientctrls, char *msg ); +int ldaptool_rename_s( LDAP *ld, const char *dn, const char *newrdn, + const char *newparent, int deleteoldrdn, LDAPControl **serverctrls, + LDAPControl **clientctrls, char *msg ); +int ldaptool_compare_ext_s( LDAP *ld, const char *dn, const char *attrtype, + const struct berval *bvalue, LDAPControl **serverctrls, + LDAPControl **clientctrls, char *msg ); +int ldaptool_boolean_str2value ( const char *s, int strict ); +int ldaptool_parse_ctrl_arg ( char *ctrl_arg, char sep, char **ctrl_oid, + int *ctrl_criticality, char **ctrl_value, int *vlen); +FILE *ldaptool_open_file ( const char *filename, const char * mode); + + +#ifdef __cplusplus +} +#endif + +#endif /* LDAPTOOL_H */ diff --git a/ldap/servers/slapd/tools/ldclt/ldapfct.c b/ldap/servers/slapd/tools/ldclt/ldapfct.c index c9078e66..4ba5965d 100644 --- a/ldap/servers/slapd/tools/ldclt/ldapfct.c +++ b/ldap/servers/slapd/tools/ldclt/ldapfct.c @@ -254,6 +254,9 @@ dd/mm/yy | Author | Comments #include "ldclt.h" /* This tool's include file */ #include "utils.h" /* Utilities functions */ /*JLS 14-11-00*/ +#include <sasl.h> +#include "ldaptool-sasl.h" + 
@@ -656,7 +659,6 @@ connectToServer ( */ if (tttctx->ldapCtx == NULL) { -#ifdef LDCLTSSL /* * SSL is enabled ? */ @@ -703,7 +705,6 @@ connectToServer ( } } } else { -#endif /* * connection initialization in normal, unencrypted mode */ @@ -719,9 +720,7 @@ connectToServer ( fflush (stdout); return (-1); } -#ifdef LDCLTSSL } -#endif if (mctx.mode & LDAP_V2) v2v3 = LDAP_VERSION2; @@ -752,7 +751,8 @@ connectToServer ( * below in this function ? * 03-05-01 : no cleanup I think, cf M2_RNDBINDFILE */ - if ((mctx.bindDN == NULL) && (!(mctx.mod2 & M2_RNDBINDFILE))) /*JLS 03-05-01*/ + if ((mctx.bindDN == NULL) && ((!(mctx.mod2 & M2_RNDBINDFILE)) + && (!(mctx.mod2 & M2_SASLAUTH)))) { /*JLS 05-03-01*/ tttctx->binded = 1; /*JLS 05-03-01*/ return (0); /*JLS 05-03-01*/ @@ -761,7 +761,6 @@ connectToServer ( /* * Maybe we should bind ? */ -#ifdef LDCLTSSL /* * for SSL client authentication, SASL BIND is used */ 
@@ -804,10 +803,50 @@ connectToServer ( return (-1); /*JLS 18-12-00*/ } /*JLS 18-12-00*/ } - } - else - { -#endif /* LDCLTSSL */ + } else if ((mctx.mod2 & M2_SASLAUTH) && ((!(tttctx->binded)) || + (mctx.mode & BIND_EACH_OPER))) { + void *defaults; + LDAPControl **rctrls = NULL; + + if ( mctx.sasl_mech == NULL) { + fprintf( stderr, "Please specify the SASL mechanism name when " + "using SASL options\n"); + return (-1); + } + + if ( mctx.sasl_secprops != NULL) { + ret = ldap_set_option( tttctx->ldapCtx, LDAP_OPT_X_SASL_SECPROPS, + (void *) mctx.sasl_secprops ); + + if ( ret != LDAP_SUCCESS ) { + fprintf( stderr, "Unable to set LDAP_OPT_X_SASL_SECPROPS: %s\n", + mctx.sasl_secprops ); + return (-1); + } + } + + defaults = ldaptool_set_sasl_defaults( tttctx->ldapCtx, mctx.sasl_flags, mctx.sasl_mech, + mctx.sasl_authid, mctx.sasl_username, mctx.passwd, mctx.sasl_realm ); + if (defaults == NULL) { + perror ("malloc"); + exit (LDAP_NO_MEMORY); + } + + ret = ldap_sasl_interactive_bind_ext_s( tttctx->ldapCtx, mctx.bindDN, mctx.sasl_mech, + NULL, NULL, mctx.sasl_flags, + ldaptool_sasl_interact, defaults, NULL ); + if (ret != LDAP_SUCCESS ) { + tttctx->binded = 0; + if (!(mctx.mode & QUIET)) + ldap_perror( tttctx->ldapCtx, "Bind Error" ); + if (addErrorStat (ret) < 0) + return (-1); + } else { + tttctx->binded = 1; + } + + ldaptool_free_defaults( defaults ); + } else { if (((mctx.bindDN != NULL) || (mctx.mod2 & M2_RNDBINDFILE)) && /*03-05-01*/ ((!(tttctx->binded)) || (mctx.mode & BIND_EACH_OPER))) { @@ -857,9 +896,7 @@ connectToServer ( } /*JLS 18-12-00*/ } } -#ifdef LDCLTSSL } -#endif /* * Normal end @@ -1769,7 +1806,6 @@ createMissingNodes ( if (mctx.mode & VERY_VERBOSE) /*JLS 14-12-00*/ printf ("ldclt[%d]: T%03d: must connect to the server.\n", mctx.pid, tttctx->thrdNum); -#ifdef LDCLTSSL /* * SSL is enabled ? */ @@ -1815,7 +1851,6 @@ createMissingNodes ( } } } else { -#endif /* * connection initialization in normal, unencrypted mode */ 
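Review bot: The early `return (-1)` after `addErrorStat (ret) < 0` in the new M2_SASLAUTH branch of connectToServer skips `ldaptool_free_defaults( defaults )`, so each such failure leaks the defaults block, including the strdup'd copy of `mctx.passwd`. Moving `ldaptool_free_defaults( defaults );` to directly after the `ldap_sasl_interactive_bind_ext_s` call, before `ret` is tested, covers both paths. `LDAPControl **rctrls = NULL;` is declared but not used in the visible lines and can go. connectToServer starts and ends outside the hunk.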
@@ -1827,9 +1862,7 @@ createMissingNodes ( fflush (stdout); return (-1); } -#ifdef LDCLTSSL } -#endif if (mctx.mode & LDAP_V2) v2v3 = LDAP_VERSION2; @@ -1848,7 +1881,6 @@ createMissingNodes ( /* * Bind to the server */ -#ifdef LDCLTSSL /* * for SSL client authentication, SASL BIND is used */ @@ -1867,7 +1899,6 @@ createMissingNodes ( return (-1); } } else { -#endif ret = ldap_simple_bind_s (cnx, tttctx->bufBindDN, tttctx->bufPasswd); if (ret != LDAP_SUCCESS) { @@ -1882,9 +1913,7 @@ createMissingNodes ( return (-1); } } -#ifdef LDCLTSSL } -#endif /* * Create the entry @@ -3276,7 +3305,9 @@ doBindOnly ( */ if (connectToServer (tttctx) < 0) return (-1); - if (!(tttctx->binded)) + + /* don't count failed binds unless counteach option is used */ + if (!(tttctx->binded) && !(mctx.mode & COUNT_EACH)) return (0); if (incrementNbOpers (tttctx) < 0) diff --git a/ldap/servers/slapd/tools/ldclt/ldclt.c b/ldap/servers/slapd/tools/ldclt/ldclt.c index 2c7048a0..c4292467 100644 --- a/ldap/servers/slapd/tools/ldclt/ldclt.c +++ b/ldap/servers/slapd/tools/ldclt/ldclt.c @@ -1644,7 +1644,6 @@ basicInit (void) } } -#ifdef LDCLTSSL /* * SSL is enabled ? */ @@ -1677,7 +1676,6 @@ basicInit (void) } } } -#endif /* LDCLTSSL */ /* * Specific scenarios initialization... @@ -1753,6 +1751,8 @@ dumpModeValues (void) printf (" ssl"); if (mctx.mode & CLTAUTH) printf (" ssl_with_client_authentication"); /* BK 23-11-00*/ + if (mctx.mod2 & M2_SASLAUTH) + printf (" saslauth"); if (mctx.mode & SMOOTHSHUTDOWN) /*JLS 17-11-00*/ printf (" smoothshutdown"); /*JLS 17-11-00*/ if (mctx.mode & DONT_SLEEP_DOWN) /*JLS 14-03-01*/ 
@@ -1857,6 +1857,104 @@ decodeScopeParams (
 
 
 
+/* ****************************************************************************
+ FUNCTION : saslSetParam
+ PURPOSE : Sets SASL parameters
+ INPUT : saslarg = value to decode
+ OUTPUT : None.
+ RETURN : -1 if error, 0 otherwise.
+ DESCRIPTION : Copied from Mozilla LDAP C SDK (common.c)
+ *****************************************************************************/
+int
+saslSetParam (
+ char *saslarg)
+{
+ char *attr = NULL;
+ int argnamelen;
+
+ if (saslarg == NULL) {
+ fprintf (stderr, "Error: missing SASL argument\n");
+ return (-1);
+ }
+
+ attr = strchr(saslarg, '=');
+ if (attr == NULL) {
+ fprintf( stderr, "Didn't find \"=\" character in %s\n", saslarg);
+ return (-1);
+ }
+
+ argnamelen = attr - saslarg;
+ attr++;
+
+ if (!strncasecmp(saslarg, "secProp", argnamelen)) {
+ if ( mctx.sasl_secprops != NULL ) {
+ fprintf( stderr, "secProp previously specified\n");
+ return (-1);
+ }
+ if (( mctx.sasl_secprops = strdup(attr)) == NULL ) {
+ perror ("malloc");
+ exit (LDAP_NO_MEMORY);
+ }
+ } else if (!strncasecmp(saslarg, "realm", argnamelen)) {
+ if ( mctx.sasl_realm != NULL ) {
+ fprintf( stderr, "Realm previously specified\n");
+ return (-1);
+ }
+ if (( mctx.sasl_realm = strdup(attr)) == NULL ) {
+ perror ("malloc");
+ exit (LDAP_NO_MEMORY);
+ }
+ } else if (!strncasecmp(saslarg, "authzid", argnamelen)) {
+ if (mctx.sasl_username != NULL) {
+ fprintf( stderr, "Authorization name previously specified\n");
+ return (-1);
+ }
+ if (( mctx.sasl_username = strdup(attr)) == NULL ) {
+ perror ("malloc");
+ exit (LDAP_NO_MEMORY);
+ }
+ } else if (!strncasecmp(saslarg, "authid", argnamelen)) {
+ if ( mctx.sasl_authid != NULL ) {
+ fprintf( stderr, "Authentication name previously specified\n");
+ return (-1);
+ }
+ if (( mctx.sasl_authid = strdup(attr)) == NULL) {
+ perror ("malloc");
+ exit (LDAP_NO_MEMORY);
+ }
+ } else if (!strncasecmp(saslarg, "mech", argnamelen)) {
+ if ( mctx.sasl_mech != NULL ) {
+ fprintf( stderr, "Mech previously specified\n");
+ return (-1);
+ }
+ if (( mctx.sasl_mech = strdup(attr)) == NULL) {
+ perror ("malloc");
+ exit (LDAP_NO_MEMORY);
+ }
+ } else if (!strncasecmp(saslarg, "flags", argnamelen)) {
+ int len = strlen(attr);
+ if (len && !strncasecmp(attr, "automatic", len)) {
+ mctx.sasl_flags = LDAP_SASL_AUTOMATIC;
+ } else if (len && !strncasecmp(attr, "interactive", len)) {
+ mctx.sasl_flags = LDAP_SASL_INTERACTIVE;
+ } else if (len && !strncasecmp(attr, "quiet", len)) {
+ mctx.sasl_flags = LDAP_SASL_QUIET;
+ } else {
+ fprintf(stderr, "Invalid SASL flags value [%s]: must be one of "
+ "automatic, interactive, or quiet\n", attr);
+ return (-1);
+ }
+ } else {
+ fprintf (stderr, "Invalid SASL attribute name %s\n", saslarg);
+ return (-1);
+ }
+ return 0;
+}
+
+
+
+
+
 /* New function */ /*JLS 08-03-01*/
 /* ****************************************************************************
 FUNCTION : decodeReferralParams
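Review bot: An argument with an empty name, such as `=value`, is accepted as `secProp`, because `strncasecmp(saslarg, "secProp", argnamelen)` compares zero characters when `argnamelen` is 0. Every proper prefix is accepted the same way, so `auth=x` selects authzid rather than authid purely through branch order. If abbreviations are not intended, reject the empty name right after computing the length with `if (argnamelen == 0) { fprintf (stderr, "Missing SASL attribute name\n"); return (-1); }` and also compare `argnamelen` with the full keyword length in each branch. If they are intended, the header comment should say so and state which keyword wins on an ambiguous prefix.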
@@ -2480,46 +2578,52 @@ main ( /* * Initialization */ - mctx.attrlistNb = 0; /*JLS 15-03-01*/ - mctx.attrsonly = DEF_ATTRSONLY; /*JLS 03-01-01*/ - mctx.baseDN = "o=sun,c=us"; - mctx.baseDNLow = -1; /*JLS 13-11-00*/ - mctx.baseDNHigh = -1; /*JLS 13-11-00*/ - mctx.bindDN = NULL; - mctx.bindDNLow = -1; /*JLS 05-01-01*/ - mctx.bindDNHigh = -1; /*JLS 05-01-01*/ - mctx.dlf = NULL; /*JLS 23-03-01*/ - mctx.exitStatus = EXIT_OK; /*JLS 25-08-00*/ - mctx.filter = NULL; - mctx.globStatsCnt = DEF_GLOBAL_NB; /*JLS 08-08-00*/ - mctx.hostname = "localhost"; - mctx.ignErrNb = 0; - mctx.images = NULL; /*JLS 17-11-00*/ - mctx.imagesDir = DEF_IMAGES_PATH; /*JLS 16-11-00*/ - mctx.inactivMax = DEF_INACTIV_MAX; - mctx.maxErrors = DEF_MAX_ERRORS; - mctx.mode = NOTHING; - mctx.mod2 = NOTHING; - mctx.nbNoActivity = 0; - mctx.nbSamples = -1; - mctx.nbThreads = DEF_NB_THREADS; - mctx.opListTail = NULL; - mctx.passwd = NULL; - mctx.pid = getpid(); - mctx.port = DEF_PORT; - mctx.randomLow = -1; - mctx.randomHigh = -1; - mctx.referral = DEF_REFERRAL; /*JLS 08-03-01*/ - mctx.sampling = DEF_SAMPLING; - mctx.scope = DEF_SCOPE; - mctx.slaveConn = 0; - mctx.slavesNb = 0; - mctx.timeout = DEF_TIMEOUT; - mctx.totalReq = -1; - mctx.waitSec = 0; - s1ctx.cnxduration = SCALAB01_DEF_CNX_DURATION; /*JLS 12-01-01*/ - s1ctx.maxcnxnb = SCALAB01_DEF_MAX_CNX; /*JLS 12-01-01*/ - s1ctx.wait = SCALAB01_DEF_WAIT_TIME; /*JLS 12-01-01*/ + mctx.attrlistNb = 0; /*JLS 15-03-01*/ + mctx.attrsonly = DEF_ATTRSONLY; /*JLS 03-01-01*/ + mctx.baseDN = "dc=example,dc=com"; + mctx.baseDNLow = -1; /*JLS 13-11-00*/ + mctx.baseDNHigh = -1; /*JLS 13-11-00*/ + mctx.bindDN = NULL; + mctx.bindDNLow = -1; /*JLS 05-01-01*/ + mctx.bindDNHigh = -1; /*JLS 05-01-01*/ + mctx.dlf = NULL; /*JLS 23-03-01*/ + mctx.exitStatus = EXIT_OK; /*JLS 25-08-00*/ + mctx.filter = NULL; + mctx.globStatsCnt = DEF_GLOBAL_NB; /*JLS 08-08-00*/ + mctx.hostname = "localhost"; + mctx.ignErrNb = 0; + mctx.images = NULL; /*JLS 17-11-00*/ + mctx.imagesDir = 
DEF_IMAGES_PATH; /*JLS 16-11-00*/ + mctx.inactivMax = DEF_INACTIV_MAX; + mctx.maxErrors = DEF_MAX_ERRORS; + mctx.mode = NOTHING; + mctx.mod2 = NOTHING; + mctx.nbNoActivity = 0; + mctx.nbSamples = -1; + mctx.nbThreads = DEF_NB_THREADS; + mctx.opListTail = NULL; + mctx.passwd = NULL; + mctx.pid = getpid(); + mctx.port = DEF_PORT; + mctx.randomLow = -1; + mctx.randomHigh = -1; + mctx.referral = DEF_REFERRAL; /*JLS 08-03-01*/ + mctx.sampling = DEF_SAMPLING; + mctx.sasl_authid = NULL; + mctx.sasl_flags = LDAP_SASL_QUIET; + mctx.sasl_mech = NULL; + mctx.sasl_realm = NULL; + mctx.sasl_secprops = NULL; + mctx.sasl_username = NULL; + mctx.scope = DEF_SCOPE; + mctx.slaveConn = 0; + mctx.slavesNb = 0; + mctx.timeout = DEF_TIMEOUT; + mctx.totalReq = -1; + mctx.waitSec = 0; + s1ctx.cnxduration = SCALAB01_DEF_CNX_DURATION; /*JLS 12-01-01*/ + s1ctx.maxcnxnb = SCALAB01_DEF_MAX_CNX; /*JLS 12-01-01*/ + s1ctx.wait = SCALAB01_DEF_WAIT_TIME; /*JLS 12-01-01*/ /* * Initiates the object *NOW* @@ -2534,7 +2638,7 @@ main ( * Get options */ while ((opt_ret = getopt (argc, argv, - "a:b:D:e:E:f:h:i:I:n:N:p:qQr:R:s:S:t:T:vVw:W:Z:H")) != EOF) + "a:b:D:e:E:f:h:i:I:n:N:o:p:qQr:R:s:S:t:T:vVw:W:Z:H")) != EOF) switch (opt_ret) { case 'a': @@ -2584,6 +2688,11 @@ main ( case 'N': mctx.nbSamples = atoi (optarg); break; + case 'o': + if (saslSetParam (optarg) < 0) + ldcltExit (EXIT_PARAMS); + mctx.mod2 |= M2_SASLAUTH; + break; case 'p': mctx.port = atoi (optarg); break; diff --git a/ldap/servers/slapd/tools/ldclt/ldclt.h b/ldap/servers/slapd/tools/ldclt/ldclt.h index 6413b39d..3b7a05cb 100644 --- a/ldap/servers/slapd/tools/ldclt/ldclt.h +++ b/ldap/servers/slapd/tools/ldclt/ldclt.h 
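Review bot: The new `case 'o'` branch sets `mctx.mod2 |= M2_SASLAUTH` after any accepted `-o` argument, so a command line carrying only `-o realm=...` or `-o flags=quiet` marks the run as SASL authentication while `mctx.sasl_mech` is still NULL. Nothing in this hunk checks that a mechanism was supplied. Unless such a check exists outside the hunk, a guard after the getopt loop would fail early instead of at bind time: `if ((mctx.mod2 & M2_SASLAUTH) && mctx.sasl_mech == NULL) { fprintf (stderr, "Error: -o mech=<mechanism> is required\n"); ldcltExit (EXIT_PARAMS); }`. main's body starts and ends outside the hunk.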
@@ -282,6 +282,7 @@ dd/mm/yy | Author | Comments #define M2_APPEND 0x00000008 /* -e append */ /*JLS 05-04-01*/ #define M2_RNDBINDFILE 0x00000010 /* -e randombinddnfromfile *//*JLS 03-05-01*/ #define M2_BINDONLY 0x00000020 /* -e bindonly */ /*JLS 04-05-01*/ +#define M2_SASLAUTH 0x00000040 /* -o : SASL authentication */ /* * Combinatory defines @@ -536,6 +537,7 @@ typedef struct main_context { char *keydbpin; /* key DB password */ /* BK 23-11-00*/ int lastVal; /* To build filters */ /*JLS 14-03-01*/ ldclt_mutex_t lastVal_mutex; /* Protect lastVal */ /*JLS 14-03-01*/ + int ldapauth; /* Used to indicate auth type */ int maxErrors; /* Max allowed errors */ unsigned int mode; /* Running mode */ unsigned int mod2; /* Running mode - 2 */ /*JLS 19-03-01*/ @@ -560,6 +562,12 @@ typedef struct main_context { char *rndBindFname; /* Rnd bind file name *//*JLS 03-05-01*/ int referral; /* Referral followed */ /*JLS 08-03-01*/ int sampling; /* Sampling frequency */ + char *sasl_authid; + unsigned sasl_flags; + char *sasl_mech; + char *sasl_realm; + char *sasl_secprops; + char *sasl_username; int scope; /* Searches scope */ int slaveConn; /* Slave has connected */ char *slaves[MAX_SLAVES]; /* Slaves list */ diff --git a/ldap/servers/slapd/tools/ldclt/ldclt.use b/ldap/servers/slapd/tools/ldclt/ldclt.use index 37ebe05e..4f388e64 100644 --- a/ldap/servers/slapd/tools/ldclt/ldclt.use +++ b/ldap/servers/slapd/tools/ldclt/ldclt.use @@ -1,6 +1,6 @@ usage: ldclt [-qQvV] [-E <max errors>] [-b <base DN>] [-h <host>] [-p <port>] [-t <timeout>] - [-D <bind DN>] [-w <passwd>] + [-D <bind DN>] [-w <passwd>] [-o <SASL options>] [-e <execParams>] [-a <max pending>] [-n <nb threads>] [-i <nb times>] [-N <nb samples>] [-I <err number>] [-T <total>] 
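Review bot: The six `sasl_*` members added to `main_context` in hunk `@@ -560,6 +562,12 @@` carry no comments, although every neighbouring member has one. `sasl_username` in particular is not self-explanatory: saslSetParam in ldclt.c fills it from the `authzid` key, while `sasl_authid` takes `authid`. I would add trailing comments such as `char *sasl_authid; /* SASL authentication id (-o authid=) */` and `char *sasl_username; /* SASL authorization id (-o authzid=) */`, and likewise for `sasl_flags` (one of the LDAP_SASL_* values), `sasl_mech`, `sasl_realm` and `sasl_secprops`. The struct definition starts and ends outside the hunk.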
@@ -14,7 +14,7 @@ usage: ldclt [-qQvV] [-E <max errors>] The valid options are: -a Asynchronous mode, with max pending operations. - -b Give the base DN to use. Default "o=sun,c=us". + -b Give the base DN to use. Default "dc=example,dc=com". -D Bind DN. See -w -E Max errors allowed. Default 1000. -e Execution parameters: @@ -68,6 +68,7 @@ usage: ldclt [-qQvV] [-E <max errors>] -I Ignore errors (cf. -E). Default none. -n Number of threads. Default 10. -N Number of samples (10 seconds each). Default infinite. + -o SASL Options. -p Server port. Default 389. -P Master port (to check replication). Default 16000. -q Quiet mode. See option -I. diff --git a/ldap/servers/slapd/tools/ldclt/ldcltU.c b/ldap/servers/slapd/tools/ldclt/ldcltU.c index 6f23dd1f..a91c74a5 100644 --- a/ldap/servers/slapd/tools/ldclt/ldcltU.c +++ b/ldap/servers/slapd/tools/ldclt/ldcltU.c @@ -32,7 +32,7 @@ * * * Copyright (C) 2001 Sun Microsystems, Inc. Used by permission. - * Copyright (C) 2006 Red Hat, Inc. + * Copyright (C) 2007 Red Hat, Inc. * All rights reserved. * END COPYRIGHT BLOCK **/ @@ -47,7 +47,7 @@ /* * usage: ldclt [-qQvV] [-E <max errors>] * [-b <base DN>] [-h <host>] [-p <port>] [-t <timeout>] - * [-D <bind DN>] [-w <passwd>] + * [-D <bind DN>] [-w <passwd>] [-o <SASL option>] * [-e <execParams>] [-a <max pending>] * [-n <nb threads>] [-i <nb times>] [-N <nb samples>] * [-I <err number>] [-T <total>] @@ -61,7 +61,7 @@ * * The valid options are: * -a Asynchronous mode, with max pending operations. - * -b Give the base DN to use. Default "o=sun,c=us". + * -b Give the base DN to use. Default "dc=example,dc=com". * -D Bind DN. See -w * -E Max errors allowed. Default 1000. * -e Execution parameters: @@ -116,6 +116,7 @@ * -I Ignore errors (cf. -E). Default none. * -n Number of threads. Default 10. * -N Number of samples (10 seconds each). Default infinite. + * -o SASL Option. * -p Server port. Default 389. * -P Master port (to check replication). Default 16000. * -q Quiet mode. See option -I. 
@@ -137,7 +138,7 @@ void usage () (void) printf ("\n"); (void) printf ("usage: ldclt [-qQvV] [-E <max errors>]\n"); (void) printf (" [-b <base DN>] [-h <host>] [-p <port>] [-t <timeout>]\n"); - (void) printf (" [-D <bind DN>] [-w <passwd>]\n"); + (void) printf (" [-D <bind DN>] [-w <passwd>] [-o <SASL option>]\n"); (void) printf (" [-e <execParams>] [-a <max pending>]\n"); (void) printf (" [-n <nb threads>] [-i <nb times>] [-N <nb samples>]\n"); (void) printf (" [-I <err number>] [-T <total>]\n"); @@ -206,6 +207,7 @@ void usage () (void) printf (" -I Ignore errors (cf. -E). Default none.\n"); (void) printf (" -n Number of threads. Default 10.\n"); (void) printf (" -N Number of samples (10 seconds each). Default infinite.\n"); + (void) printf (" -o SASL Option.\n"); (void) printf (" -p Server port. Default 389.\n"); (void) printf (" -P Master port (to check replication). Default 16000.\n"); (void) printf (" -q Quiet mode. See option -I.\n"); diff --git a/ldap/servers/slapd/tools/ldclt/scalab01.c b/ldap/servers/slapd/tools/ldclt/scalab01.c index 7a8ed5c4..b4decae8 100644 --- a/ldap/servers/slapd/tools/ldclt/scalab01.c +++ b/ldap/servers/slapd/tools/ldclt/scalab01.c @@ -513,7 +513,6 @@ scalab01_connectSuperuser (void) /* * Create the LDAP context */ -#ifdef LDCLTSSL /* * SSL is enabled ? */ @@ -558,7 +557,6 @@ scalab01_connectSuperuser (void) } else { -#endif /* * Connection initialization in normal, unencrypted mode */ @@ -573,9 +571,7 @@ scalab01_connectSuperuser (void) fflush (stdout); return (-1); } -#ifdef LDCLTSSL } -#endif /* * Set the LDAP version and other options... @@ -598,7 +594,6 @@ scalab01_connectSuperuser (void) /* * Now we could bind */ -#ifdef LDCLTSSL /* * for SSL client authentication, SASL BIND is used */ @@ -620,7 +615,6 @@ scalab01_connectSuperuser (void) } else { -#endif /* LDCLTSSL */ strcpy (bindDN, SCALAB01_SUPER_USER_RDN); strcat (bindDN, ","); strcat (bindDN, mctx.baseDN); 
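Review bot: The help line `-o SASL Option.` added to usage() in hunk `@@ -206,6 +207,7 @@` does not say that the argument is a `name=value` pair or which names are accepted. saslSetParam in ldclt.c accepts `mech`, `authid`, `authzid`, `realm`, `secProp` and `flags` (automatic, interactive or quiet). I would expand the line to something like `(void) printf (" -o SASL option, as <name>=<value>; names: mech, authid, authzid, realm, secProp, flags.\n");` and mirror the wording in ldclt.use and in the header comment of ldcltU.c. usage() starts and ends outside the hunk.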
@@ -640,9 +634,7 @@ scalab01_connectSuperuser (void) fflush (stdout); return (-1); } -#ifdef LDCLTSSL } -#endif /* * Normal end... |