diff --git a/config/example-config.php b/config/example-config.php
index 881ee6ab..c67c0413 100644
--- a/config/example-config.php
+++ b/config/example-config.php
@@ -691,11 +691,19 @@ $c->admin_email = 'calendar-admin@example.com';
 // 'bindDN' => 'cn=calendar-manager,ou=users,dc=example,dc=net',
 // 'passDN' => 'xxxxxxxx',
-// /* Perform a SASL bind (usually EXTERNAL/GSSAPI) instead of a
-// * simple bind. Enable this if you would like to authenticate to
-// * the LDAP server using Kerberos credentials.
+// /* Perform a SASL bind instead of a simple bind. Uncomment this option
+// * to authenticate to the LDAP server using Kerberos credentials or TLS
+// * certificates.
+// * Depending on the SASL mechanism used, you may need to set some of the
+// * sasl_ options below. You may also need to set environment variables
+// * in the PHP process (KRB5CCNAME, LDAPTLS_CERT, LDAPTLS_KEY, etc).
 // */
-// 'sasl' => 'yes', // perform a sasl bind
+// 'sasl' => 'yes',
+// 'sasl_mech' => 'GSSAPI',
+// 'sasl_realm' => 'EXAMPLE.COM',
+// 'sasl_authc_id' => null,
+// 'sasl_authz_id' => null,
+// 'sasl_props' => null,
 // 'protocolVersion' => '3', // version of LDAP protocol to use
 // 'optReferrals' => 0, // whether to automatically follow referrals
@@ -780,6 +788,11 @@ $c->admin_email = 'calendar-admin@example.com';
 // 'host' => 'ldap://ldap.example.net',
 // 'port' => '389', // usually 636 for ldaps
 // 'sasl' => 'yes',
+// 'sasl_mech' => 'GSSAPI',
+// 'sasl_realm' => 'EXAMPLE.COM',
+// 'sasl_authc_id' => null,
+// 'sasl_authz_id' => null,
+// 'sasl_props' => null,
 // 'bindDN' => 'cn=bind-user,cn=Users,dc=example,dc=net',
 // 'passDN' => 'secret',
 // 'baseDNUsers' => 'dc=example,dc=net',
diff --git a/inc/drivers_ldap.php b/inc/drivers_ldap.php
index 447e9fd9..01e3dd31 100644
--- a/inc/drivers_ldap.php
+++ b/inc/drivers_ldap.php
@@ -118,8 +118,20 @@ class ldapDriver
 //ldap_set_option(NULL, LDAP_OPT_DEBUG_LEVEL, 7);
 //connect as root
- $bind_func = isset($config['sasl']) ? 'ldap_sasl_bind' : 'ldap_bind';
- if (!$bind_func($this->connect, (isset($config['bindDN']) ? $config['bindDN'] : null), (isset($config['passDN']) ? $config['passDN'] : null) ) ){
+ if (isset($config['sasl'])){
+ $bind_result = ldap_sasl_bind(
+ $this->connect,
+ (isset($config['bindDN']) ? $config['bindDN'] : null),
+ (isset($config['passDN']) ? $config['passDN'] : null),
+ (isset($config['sasl_mech']) ? $config['sasl_mech'] : null),
+ (isset($config['sasl_realm']) ? $config['sasl_realm'] : null),
+ (isset($config['sasl_authc_id']) ? $config['sasl_authc_id'] : null),
+ (isset($config['sasl_authz_id']) ? $config['sasl_authz_id'] : null),
+ (isset($config['sasl_props']) ? $config['sasl_props'] : null) );
+ } else {
+ $bind_result = ldap_bind($this->connect, (isset($config['bindDN']) ? $config['bindDN'] : null), (isset($config['passDN']) ? $config['passDN'] : null) );
+ }
+ if (!$bind_result){
 $bindDN = isset($config['bindDN']) ? $config['bindDN'] : 'anonymous';
 $passDN = isset($config['passDN']) ? $config['passDN'] : 'anonymous';
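Review bot: The new `if (isset($config['sasl']))` selects the SASL path for any defined value, so a config with `'sasl' => 'no'`, `false` or `''` still calls `ldap_sasl_bind`, and the `'sasl' => 'yes'` convention the example config documents is never actually checked; a guard such as `if (!empty($config['sasl']) && $config['sasl'] !== 'no'){` would make disabling the option behave as a reader expects. In the `else` branch, when `bindDN` is configured but `passDN` is not, `ldap_bind` is issued with a DN and an empty password, which directories may treat as an unauthenticated (anonymous) bind that reports success; treating a non-empty DN with a missing password as a configuration error before the call would be safer. The failure branch below copies `$config['passDN']` into `$passDN`; if that value is interpolated into the error message further down (outside the hunk), the bind secret ends up in logs — worth confirming. The enclosing method starts and ends outside the hunk.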