--- /usr/share/ldapscripts/runtime.orig	2010-12-27 21:46:34.114631652 +0000
+++ /usr/share/ldapscripts/runtime	2010-12-30 13:51:38.474677880 +0000
@@ -149,7 +149,10 @@
 # Input : base ($1), filter ($2), attribute to display ($3)
 # Output : entry/entries found (stdout)
 _ldapsearch () {
-  if [ -n "$BINDPWDFILE" ]
+  if [ -n "$SASLAUTH" ]
+  then
+    $LDAPSEARCHBIN -Y "$SASLAUTH" -b "${1:-$SUFFIX}" -H "$SERVER" -s sub -LLL "${2:-(objectclass=*)}" "${3:-*}" 2>>"$LOGFILE" 
+  elif [ -n "$BINDPWDFILE" ]
   then
     $LDAPSEARCHBIN -y "$BINDPWDFILE" -D "$BINDDN" -b "${1:-$SUFFIX}" -xH "$SERVER" -s sub -LLL "${2:-(objectclass=*)}" "${3:-*}" 2>>"$LOGFILE" 
   else
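Review bot: The SASL branch added to _ldapsearch calls `$LDAPSEARCHBIN -Y "$SASLAUTH" ...` without `-Q`, so the OpenLDAP client prints its SASL banner lines to stderr, and these are appended to $LOGFILE on every call. A mechanism that needs credentials may also stop to prompt, although the script is meant to run unattended. Adding `-Q` (SASL quiet mode, never prompt) next to `-Y "$SASLAUTH"` would keep the log readable and make a missing or expired credential fail immediately. The same applies to the SASL branches added in the $LDAPADDBIN, $LDAPMODIFYBIN, $LDAPMODRDNBIN and $LDAPDELETEBIN hunks. The body of _ldapsearch continues past the end of this hunk.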
@@ -174,8 +177,9 @@
     ;;
   esac
 
-  if [ -n "$BINDPWDFILE" ]
-  then
+  if [ -n "$SASLAUTH" ]; then
+    $LDAPADDBIN $_OPTIONS -Y "$SASLAUTH" -H "$SERVER" 2>>"$LOGFILE"
+  elif [ -n "$BINDPWDFILE" ]; then
     $LDAPADDBIN $_OPTIONS -y "$BINDPWDFILE" -D "$BINDDN" -xH "$SERVER" 2>>"$LOGFILE" 1>/dev/null
   else
     $LDAPADDBIN $_OPTIONS -w "$BINDPWD" -D "$BINDDN" -xH "$SERVER" 2>>"$LOGFILE" 1>/dev/null
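Review bot: The SASL branch here, `$LDAPADDBIN $_OPTIONS -Y "$SASLAUTH" -H "$SERVER" 2>>"$LOGFILE"`, does not discard stdout, while both password branches below it end in `1>/dev/null`. With SASLAUTH set, the tool's progress output would reach the caller's stdout, which the other two paths never allow. Appending `1>/dev/null` to that line makes the three branches agree. This hunk also writes `if ...; then` on one line, whereas the other hunks keep `then` on its own line. The enclosing function starts above the hunk.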
@@ -199,7 +203,10 @@
     ;;
   esac
 
-  if [ -n "$BINDPWDFILE" ]
+  if [ -n "$SASLAUTH" ]
+  then
+    $LDAPMODIFYBIN $_OPTIONS -Y "$SASLAUTH" -H "$SERVER" 2>>"$LOGFILE" 1>/dev/null
+  elif [ -n "$BINDPWDFILE" ]
   then
     $LDAPMODIFYBIN $_OPTIONS -y "$BINDPWDFILE" -D "$BINDDN" -xH "$SERVER" 2>>"$LOGFILE" 1>/dev/null
   else
@@ -215,7 +222,10 @@
   then
     end_die "_ldaprename : missing argument(s)"
   else
-    if [ -n "$BINDPWDFILE" ]
+    if [ -n "$SASLAUTH" ]
+    then
+      $LDAPMODRDNBIN -Y "$SASLAUTH" -H "$SERVER" -r "$1" "$2" 2>>"$LOGFILE" 1>/dev/null
+    elif [ -n "$BINDPWDFILE" ]
     then
       $LDAPMODRDNBIN -y "$BINDPWDFILE" -D "$BINDDN" -xH "$SERVER" -r "$1" "$2" 2>>"$LOGFILE" 1>/dev/null
     else
@@ -229,7 +239,10 @@
 # Output : nothing
 _ldapdelete () {
   [ -z "$1" ] && end_die "_ldapdelete : missing argument"
-  if [ -n "$BINDPWDFILE" ]
+  if [ -n "$SASLAUTH" ]
+  then
+    $LDAPDELETEBIN -Y "$SASLAUTH" -H "$SERVER" -r "$1" 2>>"$LOGFILE" 1>/dev/null
+  elif [ -n "$BINDPWDFILE" ]
   then
     $LDAPDELETEBIN -y "$BINDPWDFILE" -D "$BINDDN" -xH "$SERVER" -r "$1" 2>>"$LOGFILE" 1>/dev/null
   else
@@ -567,7 +580,10 @@
       echo "$2 : $1" >> "$PASSWORDFILE"
     fi
 
-    if [ -n "$BINDPWDFILE" ]
+    if [ -n "$SASLAUTH" ]
+    then
+      end_die "Change password in $SASLAUTH database, e.g. kadmin"
+    elif [ -n "$BINDPWDFILE" ]
     then
       ## Change password in a secure way
       # Allocate and create temp file
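Review bot: The SASL refusal `end_die "Change password in $SASLAUTH database, e.g. kadmin"` comes after the context line `echo "$2 : $1" >> "$PASSWORDFILE"`. A password that appears to be recorded by that line is therefore already on disk when the function aborts without setting it. The SASLAUTH check would be safer before that write; the start of the function is outside the hunk, so the exact spot needs confirming. Separately, $SASLAUTH holds the mechanism name passed to `-Y`, not a database, so the message would read more clearly as `end_die "Password change is not supported with SASL ($SASLAUTH); use the mechanism's own tool, e.g. kadmin"`.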
@@ -624,7 +640,10 @@
 # Check for bindpwd file
 if [ ! -f "$BINDPWDFILE" ] || [ ! -r "$BINDPWDFILE" ]
 then
-  if [ -n "$BINDPWD" ]
+  if [ -n "$SASLAUTH" ]
+  then
+    true # all OK
+  elif [ -n "$BINDPWD" ]
   then
     warn_log "Warning : using command-line passwords, ldapscripts may not be safe"
   else
