--- ./include/util_ldap.h.orig Thu Nov 14 00:56:50 2002
+++ ./include/util_ldap.h Thu Nov 14 01:11:16 2002
@@ -241,17 +241,20 @@
 * @param filter The user to search for in the form of an LDAP filter. This filter must return
 * exactly one user for the check to be successful.
 * @param bindpw The user password to bind as.
+ * @param bindpw The attribute to compair against the password above.
 * @param binddn The DN of the user will be returned in this variable.
 * @param retvals The values corresponding to the attributes requested in the attrs array.
 * @tip The filter supplied will be searched for. If a single entry is returned, an attempt
 * is made to bind as that user. If this bind succeeds, the user is not validated.
 * @deffunc int util_ldap_cache_checkuserid(request_rec *r, util_ldap_connection_t *ldc,
 * char *url, const char *basedn, int scope, char **attrs,
- * char *filter, char *bindpw, char **binddn, char ***retvals)
+ * char *filter, char *bindpw, const char *pwattr,
+ char **binddn, char ***retvals)
 */
 int util_ldap_cache_checkuserid(request_rec *r, util_ldap_connection_t *ldc,
 const char *url, const char *basedn, int scope, char **attrs,
- const char *filter, const char *bindpw, const char **binddn, const char ***retvals);
+ const char *filter, const char *bindpw, const char *pwattr,
+ const char **binddn, const char ***retvals);
 /* from apr_ldap_cache.c */
--- ./modules/experimental/mod_auth_ldap.c.orig Tue Nov 12 18:38:32 2002
+++ ./modules/experimental/mod_auth_ldap.c Thu Nov 14 01:22:52 2002
@@ -104,6 +104,7 @@
 deref_options deref; /* how to handle alias dereferening */
 char *binddn; /* DN to bind to server (can be NULL) */
 char *bindpw; /* Password to bind to server (can be NULL) */
+ char *password_attr; /* Attribute to compare against the password (can be NULL) */
 int frontpage_hack; /* Hack for frontpage support */
 int user_is_dn; /* If true, connection->user is DN instead of userid */
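Review bot: The added `@param` line in the util_ldap.h hunk documents the new parameter under the wrong name — it repeats `bindpw` (so Doxygen attaches two descriptions to bindpw and none to pwattr) and misspells compare; it should read ` * @param pwattr The attribute to compare against the password above (may be NULL, per the password_attr field comment in mod_auth_ldap.c).`. The `@tip` text two lines down still describes only the bind-as-user check and should gain a sentence saying that when pwattr is set the password is checked with an LDAP compare against that attribute instead of a bind. The second `@deffunc` continuation line, `+ char **binddn, char ***retvals)`, is also missing the ` * ` comment prefix that every neighboring line of the block carries.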
@@ -275,7 +276,8 @@
 /* do the user search */
 result = util_ldap_cache_checkuserid(r, ldc, sec->url, sec->basedn, sec->scope,
- sec->attributes, filtbuf, sent_pw, &dn, &vals);
+ sec->attributes, filtbuf, sent_pw,
+ sec->password_attr, &dn, &vals);
 util_ldap_connection_close(ldc);
 /* sanity check - if server is down, retry it up to 5 times */
@@ -796,6 +798,7 @@
 return NULL;
 }
+
 command_rec mod_auth_ldap_cmds[] = {
 AP_INIT_TAKE1("AuthLDAPURL", mod_auth_ldap_parse_url, NULL, OR_AUTHCFG,
 "URL to define LDAP connection. This should be an RFC 2255 complaint\n"
@@ -869,6 +872,11 @@
 AP_INIT_FLAG("AuthLDAPFrontPageHack", ap_set_flag_slot,
 (void *)APR_OFFSETOF(mod_auth_ldap_config_t, frontpage_hack), OR_AUTHCFG,
 "Set to 'on' to support Microsoft FrontPage"),
+
+ AP_INIT_TAKE1("AuthLDAPPasswordAttr",ap_set_string_slot,
+ (void *)APR_OFFSETOF(mod_auth_ldap_config_t, password_attr), OR_AUTHCFG,
+ "If set the given attribute will be matched against the password rather than trying to bind"
+ "as the user."),
 #ifdef APU_HAS_LDAP_STARTTLS
 AP_INIT_FLAG("AuthLDAPStartTLS", ap_set_flag_slot,
--- ./modules/experimental/util_ldap.c.orig Wed Nov 13 23:19:20 2002
+++ ./modules/experimental/util_ldap.c Fri Nov 15 04:58:08 2002
@@ -740,8 +740,8 @@
 int util_ldap_cache_checkuserid(request_rec *r, util_ldap_connection_t *ldc,
 const char *url, const char *basedn, int scope, char **attrs,
- const char *filter, const char *bindpw, const char **binddn,
- const char ***retvals)
+ const char *filter, const char *bindpw, const char *pwattr,
+ const char **binddn, const char ***retvals)
 {
 const char **vals = NULL;
 int result = 0;
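Review bot: The two adjacent string literals in the new AuthLDAPPasswordAttr entry (hunk @@ -869) concatenate without a separator, so the directive help reads "...rather than trying to bindas the user."; add the trailing space: `"If set the given attribute will be matched against the password rather than trying to bind "`. Because the directive is OR_AUTHCFG, the attribute name can be set per directory, presumably from .htaccess where AllowOverride permits it, which lets a directory owner point the compare at any attribute the module's bind identity has compare rights on; the help text (or the module docs) should say the value is normally the server's password attribute and that directory ACLs should limit compare access accordingly. Whether a compare against a hashed password value behaves like a bind is server-specific and cannot be judged from this hunk, so a one-line caveat to that effect would help administrators.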
@@ -864,23 +864,35 @@
 return LDAP_INVALID_CREDENTIALS;
 }
- /*
- * Attempt to bind with the retrieved dn and the password. If the bind
- * fails, it means that the password is wrong (the dn obviously
- * exists, since we just retrieved it)
- */
- if ((result =
- ldap_simple_bind_s(ldc->ldap, *binddn, bindpw)) ==
- LDAP_SERVER_DOWN) {
- ldc->reason = "ldap_simple_bind_s() to check user credentials failed with server down";
- goto start_over;
- }
-
- /* failure? if so - return */
- if (result != LDAP_SUCCESS) {
- ldc->reason = "ldap_simple_bind_s() to check user credentials failed";
- return result;
- }
+ if(bindpw) {
+ if((result = ldap_compare_s(ldc->ldap,*binddn,pwattr,bindpw)) == LDAP_SERVER_DOWN) {
+ ldc->reason = "ldap_simple_bind_s() to check user credentials failed with server down";
+ goto start_over;
+ }
+
+ if(result != LDAP_COMPARE_TRUE) {
+ ldc->reason = "ldap_compare_s() password compare failed";
+ return result;
+ }
+ } else {
+ /*
+ * Attempt to bind with the retrieved dn and the password. If the bind
+ * fails, it means that the password is wrong (the dn obviously
+ * exists, since we just retrieved it)
+ */
+ if ((result =
+ ldap_simple_bind_s(ldc->ldap, *binddn, bindpw)) ==
+ LDAP_SERVER_DOWN) {
+ ldc->reason = "ldap_simple_bind_s() to check user credentials failed with server down";
+ goto start_over;
+ }
+
+ /* failure? if so - return */
+ if (result != LDAP_SUCCESS) {
+ ldc->reason = "ldap_simple_bind_s() to check user credentials failed";
+ return result;
+ }
+ }
 /*
 * Get values for the provided attributes.
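Review bot: The new branch tests the wrong variable — `if(bindpw)` chooses the compare path on whether a password was supplied, not on whether AuthLDAPPasswordAttr was configured, so with the directive unset (pwattr NULL, which the password_attr field comment allows) every login calls `ldap_compare_s()` with a NULL attribute, and the original bind path is now reachable only when bindpw is NULL, where `ldap_simple_bind_s(ldc->ldap, *binddn, NULL)` is treated by most servers as an unauthenticated bind that returns LDAP_SUCCESS without checking any credential. The guard should be `if (pwattr) {`, and the bind path should keep refusing an empty or NULL password rather than relying on the server to do so; whether the caller can actually pass a NULL bindpw depends on mod_auth_ldap code outside this hunk. Two smaller points in the compare branch: the server-down reason string still names `ldap_simple_bind_s()`, and a mismatch returns LDAP_COMPARE_FALSE to the caller instead of LDAP_INVALID_CREDENTIALS, which the caller's result handling (outside the hunk) may not log or treat as an authentication failure. The enclosing function starts and ends outside this hunk.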