Index: openldap-2.4.18/configure.in
===================================================================
--- openldap-2.4.18.orig/configure.in 2009-12-09 14:17:54.674896349 -0600
+++ openldap-2.4.18/configure.in 2009-12-09 14:17:54.714767239 -0600
@@ -242,6 +242,8 @@
  auto, [auto yes no] )
 OL_ARG_WITH(fetch,[ --with-fetch with fetch(3) URL support],
  auto, [auto yes no] )
+OL_ARG_WITH(gssapi,[ --with-gssapi with GSSAPI support],
+ auto, [auto yes no] )
 OL_ARG_WITH(threads,[ --with-threads with threads],
  auto, [auto nt posix mach pth lwp yes no manual] )
 OL_ARG_WITH(tls,[ --with-tls with TLS/SSL support auto|openssl|gnutls],
@@ -583,6 +585,7 @@
 KRB4_LIBS=
 KRB5_LIBS=
 SASL_LIBS=
+GSSAPI_LIBS=
 TLS_LIBS=
 MODULES_LIBS=
 SLAPI_LIBS=
@@ -1147,6 +1150,63 @@ fi dnl ---------------------------------------------------------------- +dnl GSSAPI +ol_link_gssapi=no + +case $ol_with_gssapi in yes | auto) + + ol_header_gssapi=no + AC_CHECK_HEADERS(gssapi/gssapi.h) + if test $ac_cv_header_gssapi_gssapi_h = yes ; then + ol_header_gssapi=yes + else + AC_CHECK_HEADERS(gssapi.h) + if test $ac_cv_header_gssapi_h = yes ; then + ol_header_gssapi=yes + fi + + dnl## not every gssapi has gss_oid_to_str() + dnl## as it's not defined in the GSSAPI V2 API + dnl## anymore + saveLIBS="$LIBS" + LIBS="$LIBS $GSSAPI_LIBS" + AC_CHECK_FUNCS(gss_oid_to_str) + LIBS="$saveLIBS" + fi + + if test $ol_header_gssapi = yes ; then + dnl## we check for gss_wrap + dnl## as it's new to the GSSAPI V2 API + AC_CHECK_LIB(gssapi, gss_wrap, + [ol_link_gssapi=yes;GSSAPI_LIBS="-lgssapi"], + [ol_link_gssapi=no]) + if test $ol_link_gssapi != yes ; then + AC_CHECK_LIB(gssapi_krb5, gss_wrap, + [ol_link_gssapi=yes;GSSAPI_LIBS="-lgssapi_krb5"], + [ol_link_gssapi=no]) + fi + if test $ol_link_gssapi != yes ; then + AC_CHECK_LIB(gss, gss_wrap, + [ol_link_gssapi=yes;GSSAPI_LIBS="-lgss"], + [ol_link_gssapi=no]) + fi + fi + + ;; +esac + +WITH_GSSAPI=no +if test $ol_link_gssapi = yes; then + AC_DEFINE(HAVE_GSSAPI, 1, [define if you have GSSAPI]) + WITH_GSSAPI=yes +elif test $ol_with_gssapi = auto ; then + AC_MSG_WARN([Could not locate GSSAPI package]) + AC_MSG_WARN([GSSAPI authentication not supported!]) +elif test $ol_with_gssapi = yes ; then + AC_MSG_ERROR([GSSAPI detection failed]) +fi + +dnl ---------------------------------------------------------------- dnl TLS/SSL if test $ol_with_tls = yes ; then @@ -1900,6 +1960,13 @@ fi AC_SUBST(VERSION_OPTION) +VERSION_OPTION="" +OL_SYMBOL_VERSIONING +if test $ol_cv_ld_version_script_option = yes ; then + VERSION_OPTION="-Wl,--version-script=" +fi +AC_SUBST(VERSION_OPTION) + dnl ---------------------------------------------------------------- if test $ol_enable_wrappers != no ; then AC_CHECK_HEADERS(tcpd.h,[ 
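Review bot: `AC_CHECK_FUNCS(gss_oid_to_str)` only runs in the `else` branch, i.e. when gssapi/gssapi.h is absent, and at that point `GSSAPI_LIBS` is still empty because it is only assigned by the `AC_CHECK_LIB` calls further down, so the link test is done without any GSSAPI library and `HAVE_GSS_OID_TO_STR` stays undefined on the common MIT/Heimdal layout that ships gssapi/gssapi.h. Move the probe after the library search and run it for both header layouts, dropping the copy inside the `else`. Whatever gssapi.c guards with HAVE_GSS_OID_TO_STR is outside this diff, so I cannot tell how visible the effect is at runtime.
```m4
	if test $ol_header_gssapi = yes ; then
		dnl … unchanged: AC_CHECK_LIB search for gss_wrap …
	fi

	dnl gss_oid_to_str is not part of the GSSAPI v2 API; probe it
	dnl against the library we just found, not an empty GSSAPI_LIBS
	if test $ol_link_gssapi = yes ; then
		saveLIBS="$LIBS"
		LIBS="$LIBS $GSSAPI_LIBS"
		AC_CHECK_FUNCS(gss_oid_to_str)
		LIBS="$saveLIBS"
	fi
```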
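Review bot: The added block sets `VERSION_OPTION=""`, calls `OL_SYMBOL_VERSIONING` and does `AC_SUBST(VERSION_OPTION)` directly below a context line that already reads `AC_SUBST(VERSION_OPTION)`, so the variable is computed and substituted twice and the second `VERSION_OPTION=""` discards whatever the earlier block (outside this hunk) decided before recomputing it. This looks like a hunk re-applied onto a tree that already carries the same change; unless the earlier block does something different, the added lines should be removed rather than repeated.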
@@ -3109,6 +3176,7 @@
 AC_SUBST(KRB4_LIBS)
 AC_SUBST(KRB5_LIBS)
 AC_SUBST(SASL_LIBS)
+AC_SUBST(GSSAPI_LIBS)
 AC_SUBST(TLS_LIBS)
 AC_SUBST(MODULES_LIBS)
 AC_SUBST(SLAPI_LIBS)
Index: openldap-2.4.18/include/ldap.h
===================================================================
--- openldap-2.4.18.orig/include/ldap.h 2009-12-09 14:17:54.526757637 -0600
+++ openldap-2.4.18/include/ldap.h 2009-12-09 14:17:54.714767239 -0600
@@ -1215,6 +1215,16 @@
  struct berval **servercredp,
  int freeit ));
 
+/*
+ * in gssapi.c:
+ */
+LDAP_F( int )
+ldap_gssapi_bind_s LDAP_P((
+ LDAP *ld,
+ LDAP_CONST char *dn,
+ LDAP_CONST char *creds));
+
+
 #if LDAP_DEPRECATED
 /*
  * in bind.c:
Index: openldap-2.4.18/include/portable.hin
===================================================================
--- openldap-2.4.18.orig/include/portable.hin 2009-12-09 14:17:48.614749056 -0600
+++ openldap-2.4.18/include/portable.hin 2009-12-09 14:17:54.718778515 -0600
@@ -253,6 +253,18 @@
 /* Define to 1 if you have the header file. */
 #undef HAVE_GRP_H
 
+/* define if you have GSSAPI */
+#undef HAVE_GSSAPI
+
+/* Define to 1 if you have the header file. */
+#undef HAVE_GSSAPI_GSSAPI_H
+
+/* Define to 1 if you have the header file. */
+#undef HAVE_GSSAPI_H
+
+/* Define to 1 if you have the `gss_oid_to_str' function. */
+#undef HAVE_GSS_OID_TO_STR
+
 /* Define to 1 if you have the `hstrerror' function. */
 #undef HAVE_HSTRERROR
 
Index: openldap-2.4.18/libraries/libldap/gssapi.c
===================================================================
--- openldap-2.4.18.orig/libraries/libldap/gssapi.c 2009-12-09 14:17:48.614749056 -0600
+++ openldap-2.4.18/libraries/libldap/gssapi.c 2009-12-09 14:17:54.718778515 -0600
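Review bot: The new public prototype `ldap_gssapi_bind_s` in ldap.h says nothing about what `creds` carries (a password, a credential cache or keytab name, or NULL to use the default credentials) or which result codes a caller should expect, and since the declaration is unconditional the contract for a library built without HAVE_GSSAPI also needs stating. I would put that above the `LDAP_F( int )` line, e.g. `/* GSSAPI (GSS-SPNEGO) simple-style bind; creds: <what it holds, may it be NULL?>; returns LDAP_NOT_SUPPORTED when built without GSSAPI */`, filling in the parts I cannot see from the header. Whether gssapi.c actually provides a stub in the non-GSSAPI build, so that programs compiled against this header still link, is outside this diff and worth confirming.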
@@ -512,15 +512,28 @@
  int gss_rc;
  int ret;
  size_t svc_principal_size;
+ size_t dns_domain_name_size;
  char *svc_principal = NULL;
  const char *principal_fmt = NULL;
- const char *str = NULL;
  const char *givenstr = NULL;
+ char *dns_domain_name = NULL;
+ char *name = NULL;
  const char *ignore = "not_defined_in_RFC4178@please_ignore";
  int allow_remote = 0;
 
  if (ldapServiceName) {
  givenstr = strchr(ldapServiceName, ':');
+
+ dns_domain_name_size = (size_t)((givenstr - ldapServiceName) + 1);
+ dns_domain_name = (char*) ldap_memalloc(dns_domain_name_size * sizeof(char));
+ if (!dns_domain_name) {
+ ld->ld_errno = LDAP_NO_MEMORY;
+ return ld->ld_errno;
+ }
+
+ strncpy(dns_domain_name, ldapServiceName, (dns_domain_name_size - 1));
+ dns_domain_name[dns_domain_name_size - 1] = '\0';
+
  if (givenstr && givenstr[1]) {
  givenstr++;
  if (strcmp(givenstr, ignore) == 0) {
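Review bot: `givenstr - ldapServiceName` is evaluated before the `if (givenstr && givenstr[1])` check that follows it, so for a server-supplied ldapServiceName with no ':' `givenstr` is NULL, the subtraction is undefined behaviour and `dns_domain_name_size` becomes a garbage size that is handed to `ldap_memalloc` and then to `strncpy` over the attribute value. Compute the prefix length only when a colon was found: `dns_domain_name_size = (givenstr ? (size_t)(givenstr - ldapServiceName) : strlen(ldapServiceName)) + 1;`. Also note that `dns_domain_name` is only allocated inside `if (ldapServiceName)` and stays NULL otherwise, which the later branches have to tolerate. The function starts before this hunk and continues after it.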
@@ -535,30 +548,56 @@ allow_remote = 1; } + /* Try to figure out correct service principal form given + available information */ if (allow_remote && givenstr) { principal_fmt = "%s"; svc_principal_size = strlen(givenstr) + 1; - str = givenstr; + name = ldap_memalloc(svc_principal_size * sizeof(char)); + if (!name) { + ld->ld_errno = LDAP_NO_MEMORY; + return ld->ld_errno; + } + + memcpy(name, givenstr, svc_principal_size * sizeof(char)); } else if (allow_remote && dnsHostName) { principal_fmt = "ldap/%s"; - svc_principal_size = strlen(dnsHostName) + strlen(principal_fmt); - str = dnsHostName; + svc_principal_size = strlen(dnsHostName) + strlen(dns_domain_name) + strlen(principal_fmt); + + /* svc_principal_size is actually a bit more than really needed, but + let's use it to avoid calculating yet another size */ + name = (char*) ldap_memalloc(svc_principal_size * sizeof(char)); + if (!name) { + ld->ld_errno = LDAP_NO_MEMORY; + return ld->ld_errno; + } + + snprintf(name, svc_principal_size, "%s/%s", dnsHostName, dns_domain_name); } else { principal_fmt = "ldap/%s"; - svc_principal_size = strlen(host) + strlen(principal_fmt); - str = host; + svc_principal_size = strlen(dns_domain_name) + strlen(principal_fmt); + name = ldap_memalloc(svc_principal_size * sizeof(char)); + if (!name) { + ld->ld_errno = LDAP_NO_MEMORY; + return ld->ld_errno; + } + + memcpy(name, dns_domain_name, (strlen(dns_domain_name)+1) * sizeof(char)); + } svc_principal = (char*) ldap_memalloc(svc_principal_size * sizeof(char)); if ( svc_principal == NULL ) { + ldap_memfree(name); ld->ld_errno = LDAP_NO_MEMORY; return ld->ld_errno; } - ret = snprintf( svc_principal, svc_principal_size - 1, principal_fmt, str); - if (ret < 0 || (size_t)ret + 1 >= svc_principal_size) { + ret = snprintf(svc_principal, svc_principal_size, principal_fmt, name); + if (ret < 0 || (size_t)(ret+1) > svc_principal_size) { + ldap_memfree(name); ld->ld_errno = LDAP_LOCAL_ERROR; return ld->ld_errno; } 
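Review bot: The final `else` branch calls `strlen(dns_domain_name)` and `memcpy(name, dns_domain_name, …)` unconditionally, but `dns_domain_name` is only allocated when `ldapServiceName` is non-NULL, so a server whose root DSE does not publish ldapServiceName now makes the client dereference NULL where the removed line fell back to `host`. That branch also now targets `ldap/<prefix of ldapServiceName>` instead of `ldap/<host>` even in the "please_ignore" case, which changes the service principal the GSSAPI exchange is authenticated against; if that is intended it deserves a comment. Separately, every error return in the hunk (`!name`, `svc_principal == NULL`, the `snprintf` check) leaks `dns_domain_name`, which is only released on the success path. Fall back to `host` when the prefix is missing and free `dns_domain_name` on each error path; the function starts before this hunk and continues after it.
```c
	} else {
		/* no ldapServiceName prefix available: fall back to the host we connected to */
		const char *base = dns_domain_name ? dns_domain_name : host;
		principal_fmt = "ldap/%s";
		svc_principal_size = strlen(base) + strlen(principal_fmt);
		name = ldap_memalloc(svc_principal_size);
		if (!name) {
			ldap_memfree(dns_domain_name);
			ld->ld_errno = LDAP_NO_MEMORY;
			return ld->ld_errno;
		}
		memcpy(name, base, strlen(base) + 1);
	}
	/* … unchanged: svc_principal allocation and snprintf; add ldap_memfree(dns_domain_name) beside each ldap_memfree(name) on the error returns … */
```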
@@ -570,7 +609,11 @@ input_name.length = strlen( svc_principal ); gss_rc = gss_import_name( &minor_status, &input_name, &nt_principal, principal ); - ldap_memfree( svc_principal ); + + ldap_memfree(svc_principal); + ldap_memfree(dns_domain_name); + ldap_memfree(name); + if ( gss_rc != GSS_S_COMPLETE ) { return map_gsserr2ldap( ld, GSS_C_NO_OID, gss_rc, minor_status ); } @@ -672,7 +715,7 @@ rc = ldap_gssapi_get_rootdse_infos ( ld, &mechlist, &ldapServiceName, &dnsHostName); if ( rc != LDAP_SUCCESS ) { - return rc; + goto rc_error; } /* check that the server supports GSS-SPNEGO */ Index: openldap-2.4.18/build/top.mk =================================================================== --- openldap-2.4.18.orig/build/top.mk 2009-12-09 14:17:57.786759224 -0600 +++ openldap-2.4.18/build/top.mk 2009-12-09 14:18:20.162871644 -0600 @@ -190,9 +190,10 @@ KRB5_LIBS = @KRB5_LIBS@ KRB_LIBS = @KRB4_LIBS@ @KRB5_LIBS@ SASL_LIBS = @SASL_LIBS@ +GSSAPI_LIBS = @GSSAPI_LIBS@ TLS_LIBS = @TLS_LIBS@ AUTH_LIBS = @AUTH_LIBS@ -SECURITY_LIBS = $(SASL_LIBS) $(KRB_LIBS) $(TLS_LIBS) $(AUTH_LIBS) +SECURITY_LIBS = $(SASL_LIBS) $(KRB_LIBS) $(GSSAPI_LIBS) $(TLS_LIBS) $(AUTH_LIBS) ICU_LIBS = @ICU_LIBS@ MODULES_CPPFLAGS = @SLAPD_MODULES_CPPFLAGS@
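Review bot: Replacing `return rc;` with `goto rc_error;` after a failed `ldap_gssapi_get_rootdse_infos` sends control to a cleanup label defined outside this hunk; if that label frees `mechlist`, `ldapServiceName` and `dnsHostName`, they must already be NULL at this point, because on failure the helper may not have assigned them and the cleanup would then free indeterminate pointers. I cannot see their declarations from here; if they are not initialised, `char **mechlist = NULL;` and NULL initialisers for the two strings at declaration time would make the early jump safe. The enclosing function starts before this hunk and continues after it.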