diff --git a/CHANGES b/CHANGES
index f754512930657786692b8ebee2207f8b32540c51..6da558c782db7e6159b357e6ca7533194b391fe4 100644
--- a/CHANGES
+++ b/CHANGES
@@ -7,6 +7,7 @@ OpenLDAP 2.4.22 Engineering
 	Added slapo-ldap idassert-passthru (ITS#6456)
 	Added slapo-pbind
 	Fixed libldap gmtime re-entrancy (ITS#6262)
+	Fixed libldap gssapi off by one error (ITS#6223)
 	Fixed libldap GnuTLS serial length (ITS#6460)
 	Fixed libldap MozNSS context and PEM support (ITS#6432)
 	Fixed libldap referral on bind behavior(ITS#6510)
diff --git a/libraries/libldap/gssapi.c b/libraries/libldap/gssapi.c
index 754df1886634311c403d28a193ad33e3bf98d8f7..7e9a4406c80a98550499a776b6336cb24927b4a5 100644
--- a/libraries/libldap/gssapi.c
+++ b/libraries/libldap/gssapi.c
@@ -542,12 +542,12 @@ guess_service_principal(
 
 	} else if (allow_remote && dnsHostName) {
 		principal_fmt = "ldap/%s";
-		svc_principal_size = strlen(dnsHostName) + strlen(principal_fmt);
+		svc_principal_size = STRLENOF("ldap/") + strlen(dnsHostName) + 1;
 		str = dnsHostName;
 
 	} else {
 		principal_fmt = "ldap/%s";
-		svc_principal_size = strlen(host) + strlen(principal_fmt);
+		svc_principal_size = STRLENOF("ldap/") + strlen(host) + 1;
 		str = host;
 	}
 
@@ -557,8 +557,8 @@ guess_service_principal(
 		return ld->ld_errno;
 	}
 
-	ret = snprintf( svc_principal, svc_principal_size - 1, principal_fmt, str);
-	if (ret < 0 || (size_t)ret + 1 >= svc_principal_size) {
+	ret = snprintf( svc_principal, svc_principal_size, principal_fmt, str );
+	if (ret < 0 || (size_t)ret >= svc_principal_size) {
 		ld->ld_errno = LDAP_LOCAL_ERROR;
 		return ld->ld_errno;
 	}
@@ -567,7 +567,7 @@ guess_service_principal(
 	       host, svc_principal, 0 );
 
 	input_name.value  = svc_principal;
-	input_name.length = strlen( svc_principal );
+	input_name.length = (size_t)ret;
 
 	gss_rc = gss_import_name( &minor_status, &input_name, &nt_principal, principal );
 	ldap_memfree( svc_principal );