diff --git a/clients/tools/ldapsearch.c b/clients/tools/ldapsearch.c
index f865bedcabf1837efa43a8ab07d7483377db5f53..096568345c42e954f419bf58f9df09f6102bada7 100644
--- a/clients/tools/ldapsearch.c
+++ b/clients/tools/ldapsearch.c
@@ -120,7 +120,7 @@ static char *tmpdir = NULL;
 static char *urlpre = NULL;
 
 static char	*binddn = NULL;
-static char	*passwd = NULL;
+static struct berval passwd = { 0, NULL };
 static char	*base = NULL;
 static char	*ldaphost = NULL;
 static int	ldapport = 0;
@@ -263,7 +263,7 @@ main( int argc, char **argv )
 		ldapport = atoi( optarg );
 		break;
 	case 'w':	/* bind password */
-		passwd = strdup( optarg );
+		passwd.bv_val = strdup( optarg );
 		{
 			char* p;
 
@@ -271,6 +271,7 @@ main( int argc, char **argv )
 				*p = '*';
 			}
 		}
+		passwd.bv_len = strlen( passwd.bv_val );
 		break;
 	case 'l':	/* time limit */
 		timelimit = atoi( optarg );
@@ -520,7 +521,8 @@ main( int argc, char **argv )
 	}
 
 	if (want_bindpw) {
-		passwd = getpass("Enter LDAP Password: ");
+		passwd.bv_val = getpass("Enter LDAP Password: ");
+		passwd.bv_len = strlen( passwd.bv_val );
 	}
 
 	if ( authmethod == LDAP_AUTH_SASL ) {
@@ -549,9 +551,12 @@ main( int argc, char **argv )
 			return( EXIT_FAILURE );
 		}
 		
-		if ( ldap_negotiated_sasl_bind_s( ld, binddn, sasl_authc_id,
-				sasl_authz_id, sasl_mech, NULL, NULL, NULL )
-					!= LDAP_SUCCESS ) {
+		rc = ldap_negotiated_sasl_bind_s( ld, binddn, sasl_authc_id,
+				sasl_authz_id, sasl_mech,
+				passwd.bv_len ? &passwd : NULL,
+				NULL, NULL );
+
+		if( rc != LDAP_SUCCESS ) {
 			ldap_perror( ld, "ldap_negotiated_sasl_bind_s" );
 			return( EXIT_FAILURE );
 		}
@@ -562,7 +567,7 @@ main( int argc, char **argv )
 #endif
 	}
 	else {
-		if ( ldap_bind_s( ld, binddn, passwd, authmethod )
+		if ( ldap_bind_s( ld, binddn, passwd.bv_val, authmethod )
 				!= LDAP_SUCCESS ) {
 			ldap_perror( ld, "ldap_bind" );
 			return( EXIT_FAILURE );