diff --git a/include/ldap_pvt.h b/include/ldap_pvt.h
index 5a2fa336cd35a963bffc8213715592c7c7dc4536..ef42b6f9c8494e138f046008fa1ee8fbba603855 100644
--- a/include/ldap_pvt.h
+++ b/include/ldap_pvt.h
@@ -164,6 +164,8 @@ LDAP_F (int) ldap_pvt_tls_connect LDAP_P(( struct ldap *ld, Sockbuf *sb, void *c
 LDAP_F (int) ldap_pvt_tls_accept LDAP_P(( Sockbuf *sb, void *ctx_arg ));
 LDAP_F (void *) ldap_pvt_tls_sb_handle LDAP_P(( Sockbuf *sb ));
 LDAP_F (void *) ldap_pvt_tls_get_handle LDAP_P(( struct ldap *ld ));
+LDAP_F (const char *) ldap_pvt_tls_get_peer LDAP_P(( void *handle ));
+LDAP_F (int) ldap_pvt_tls_get_strength LDAP_P(( void *handle ));
 LDAP_F (int) ldap_pvt_tls_inplace LDAP_P(( Sockbuf *sb ));
 LDAP_F (int) ldap_pvt_tls_start LDAP_P(( struct ldap *ld, Sockbuf *sb, void *ctx_arg ));
 
diff --git a/libraries/libldap/tls.c b/libraries/libldap/tls.c
index f31c95239bdbfa64d7db84207916652fb5e09573..9aed9ebe083223c0480922ee2af8f70592d7e550 100644
--- a/libraries/libldap/tls.c
+++ b/libraries/libldap/tls.c
@@ -658,16 +658,54 @@ ldap_pvt_tls_get_handle( LDAP *ld )
 	return ldap_pvt_tls_sb_handle( ld->ld_sb );
 }
 
+int
+ldap_pvt_tls_get_strength( void *s )
+{
+    SSL_CIPHER *c;
+
+    c = SSL_get_current_cipher((SSL *)s);
+    return SSL_CIPHER_get_bits(c, NULL);
+}
+
+
 const char *
-ldap_pvt_tls_get_peer( LDAP *ld )
+ldap_pvt_tls_get_peer( void *s )
 {
-    return NULL;
+    X509 *x;
+    X509_NAME *xn;
+    char buf[2048], *p;
+
+    x = SSL_get_peer_certificate((SSL *)s);
+
+    if (!x)
+    	return NULL;
+    
+    xn = X509_get_subject_name(x);
+    p = LDAP_STRDUP(X509_NAME_oneline(xn, buf, sizeof(buf)));
+    X509_free(x);
+    return p;
 }
 
 const char *
-ldap_pvt_tls_get_peer_issuer( LDAP *ld )
+ldap_pvt_tls_get_peer_issuer( void *s )
 {
+#if 0	/* currently unused; see ldap_pvt_tls_get_peer() if needed */
+    X509 *x;
+    X509_NAME *xn;
+    char buf[2048], *p;
+
+    x = SSL_get_peer_certificate((SSL *)s);
+
+    if (!x)
+    	return NULL;
+    
+    xn = X509_get_issuer_name(x);
+    p = LDAP_STRDUP(X509_NAME_oneline(xn, buf, sizeof(buf)));
+    X509_free(x);
+    return p;
+#else
     return NULL;
+#endif
 }
 
 int
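Review bot: In ldap_pvt_tls_get_peer the subject name is rendered into a fixed `char buf[2048]`, so a longer subject is silently cut short, and the result of X509_NAME_oneline() goes straight into LDAP_STRDUP() without a NULL check. The hunk in servers/slapd/connection.c uses this string as an identity, so a truncated name should never be returned as if it were the full one; calling X509_NAME_oneline() with a NULL buffer makes OpenSSL allocate a string of the needed size, which is then copied and released. The function also returns heap memory through `const char *`, so the caller's duty to free it deserves a comment here and at the prototype in include/ldap_pvt.h. The disabled body of ldap_pvt_tls_get_peer_issuer repeats the same pattern and would need the same change if it is ever enabled. ldap_pvt_tls_get_strength passes its handle to SSL_get_current_cipher() unchecked, so a guard such as `if (s == NULL) return 0;` is worth adding.

```c
const char *
ldap_pvt_tls_get_peer( void *s )
{
    X509 *x;
    char *name, *p = NULL;

    /* … unchanged: SSL_get_peer_certificate() call and the NULL-certificate return … */

    /* let OpenSSL size the buffer so a long subject is never cut short */
    name = X509_NAME_oneline(X509_get_subject_name(x), NULL, 0);
    if (name != NULL) {
        p = LDAP_STRDUP(name);
        OPENSSL_free(name);
    }
    X509_free(x);
    return p;	/* heap copy; the caller releases it with LDAP_FREE() */
}
```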
diff --git a/servers/slapd/connection.c b/servers/slapd/connection.c
index a966c0f1747105f4226a7ad5e8a794f5c8c41536..c8ad754d6193d25e4c4f1ee895b71f478479dd17 100644
--- a/servers/slapd/connection.c
+++ b/servers/slapd/connection.c
@@ -919,12 +919,17 @@ int connection_read(ber_socket_t s)
 			connection_close( c );
 
 		} else if ( rc == 0 ) {
+			void *ssl;
+			unsigned ssf;
+			char *authid;
+
 			c->c_needs_tls_accept = 0;
 
-#if 0
 			/* we need to let SASL know */
+			ssl = (void *)ldap_pvt_tls_sb_handle( c->c_sb );
+			ssf = (unsigned)ldap_pvt_tls_get_strength( ssl );
+			authid = (char *)ldap_pvt_tls_get_peer( ssl );
 			slap_sasl_external( c, ssf, authid );
-#endif
 		}
 		connection_return( c );
 		ldap_pvt_thread_mutex_unlock( &connections_mutex );
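Review bot: The string passed to slap_sasl_external() as `authid` is whatever subject the peer's certificate carries, and nothing in this hunk shows that the certificate passed verification before it is treated as an identity. SSL_get_peer_certificate() returns the presented certificate even when the verify settings let the handshake continue after a verification failure. Unless the TLS context configured elsewhere rejects such handshakes, the name should only be used when `SSL_get_verify_result()` on the handle is `X509_V_OK`. `ssl` is also used without a NULL check, and `authid` is a heap copy whose const is cast away and which is not freed here; whether slap_sasl_external() takes ownership is not visible, so a comment stating who frees it would help. connection_read starts and ends outside the hunk.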