diff --git a/servers/slapd/bind.c b/servers/slapd/bind.c
index 6378d78ddf0ddfca8d1e42439ca356336953ff03..f91f65bbfbcdc216a8354a9c4b829c10b4cd3a94 100644
--- a/servers/slapd/bind.c
+++ b/servers/slapd/bind.c
@@ -277,6 +277,10 @@ do_bind(
 		ldap_pvt_thread_mutex_lock( &conn->c_mutex );
 		if( rc == LDAP_SUCCESS ) {
 			conn->c_dn = edn;
+			if( edn != NULL ) {
+				conn->c_ndn = ch_strdup( edn );
+				dn_normalize( conn->c_ndn );
+			}
 			conn->c_authmech = conn->c_sasl_bind_mech;
 			conn->c_sasl_bind_mech = NULL;
 			conn->c_sasl_bind_in_progress = 0;
@@ -477,9 +481,10 @@ do_bind(
 			if(edn != NULL) {
 				conn->c_dn = edn;
 			} else {
-				conn->c_dn = ndn;
-				ndn = NULL;
+				conn->c_dn = ch_strdup( conn->c_cdn );
 			}
+			conn->c_ndn = ndn;
+			ndn = NULL;
 
 			if( conn->c_dn != NULL ) {
 				ber_len_t max = sockbuf_max_incoming;
diff --git a/servers/slapd/connection.c b/servers/slapd/connection.c
index 88a701c8be047f982dfbe0aac9c4903eb02cfafa..4da7ccd11e31ca6d2402b65409a454a26d61c610 100644
--- a/servers/slapd/connection.c
+++ b/servers/slapd/connection.c
@@ -414,6 +414,7 @@ long connection_init(
 	if( c->c_struct_state == SLAP_C_UNINITIALIZED ) {
 		c->c_authmech = NULL;
 		c->c_dn = NULL;
+		c->c_ndn = NULL;
 		c->c_cdn = NULL;
 		c->c_groups = NULL;
 
@@ -451,6 +452,7 @@ long connection_init(
     assert( c->c_struct_state == SLAP_C_UNUSED );
 	assert( c->c_authmech == NULL );
     assert(	c->c_dn == NULL );
+    assert(	c->c_ndn == NULL );
     assert(	c->c_cdn == NULL );
     assert( c->c_groups == NULL );
     assert( c->c_listener_url == NULL );
@@ -580,6 +582,10 @@ void connection2anonymous( Connection *c )
 	free(c->c_dn);
 	c->c_dn = NULL;
     }
+    if(c->c_ndn != NULL) {
+	free(c->c_ndn);
+	c->c_ndn = NULL;
+    }
 
 	if(c->c_cdn != NULL) {
 		free(c->c_cdn);
@@ -1460,9 +1466,8 @@ static int connection_op_activate( Connection *conn, Operation *op )
 	if (!arg->co_op->o_dn) {
 	    arg->co_op->o_authz = conn->c_authz;
 	    arg->co_op->o_dn = ch_strdup( conn->c_dn != NULL ? conn->c_dn : "" );
+	    arg->co_op->o_ndn = ch_strdup( conn->c_ndn != NULL ? conn->c_ndn : "" );
 	}
-	arg->co_op->o_ndn = ch_strdup( arg->co_op->o_dn );
-	(void) dn_normalize( arg->co_op->o_ndn );
 	arg->co_op->o_authtype = conn->c_authtype;
 	arg->co_op->o_authmech = conn->c_authmech != NULL
 		?  ch_strdup( conn->c_authmech ) : NULL;
diff --git a/servers/slapd/slap.h b/servers/slapd/slap.h
index c50c7fbef9f58dd0690f2379da8d825249d24573..8de5c2e7d3d391e3df5e0b40460e745382cb1502 100644
--- a/servers/slapd/slap.h
+++ b/servers/slapd/slap.h
@@ -1167,6 +1167,7 @@ struct slap_backend_info {
 #define c_authtype	c_authz.sai_method
 #define c_authmech	c_authz.sai_mech
 #define c_dn		c_authz.sai_dn
+#define c_ndn		c_authz.sai_ndn
 #define c_ssf			c_authz.sai_ssf
 #define c_transport_ssf	c_authz.sai_transport_ssf
 #define c_tls_ssf		c_authz.sai_tls_ssf