diff --git a/servers/lloadd/connection.c b/servers/lloadd/connection.c
index b1bbff86f3..0192019f05 100644
--- a/servers/lloadd/connection.c
+++ b/servers/lloadd/connection.c
@@ -357,6 +357,11 @@ connection_destroy( LloadConnection *c )
         c->c_sasl_defaults = NULL;
     }
     if ( c->c_sasl_authctx ) {
+#ifdef SASL_CHANNEL_BINDING /* 2.1.25+ */
+        if ( c->c_sasl_cbinding ) {
+            ch_free( c->c_sasl_cbinding );
+        }
+#endif
         sasl_dispose( &c->c_sasl_authctx );
     }
 #endif /* HAVE_CYRUS_SASL */
diff --git a/servers/lloadd/lload.h b/servers/lloadd/lload.h
index 8c58e3dfb0..d27b650451 100644
--- a/servers/lloadd/lload.h
+++ b/servers/lloadd/lload.h
@@ -340,6 +340,10 @@ struct LloadConnection {
 #ifdef HAVE_CYRUS_SASL
     sasl_conn_t *c_sasl_authctx;
     void *c_sasl_defaults;
+#ifdef SASL_CHANNEL_BINDING /* 2.1.25+ */
+    sasl_channel_binding_t *c_sasl_cbinding; /* Else cyrus-sasl would happily
+                                              * leak it on sasl_dispose */
+#endif /* SASL_CHANNEL_BINDING */
 #endif /* HAVE_CYRUS_SASL */
 
 #ifdef LDAP_API_FEATURE_VERIFY_CREDENTIALS
diff --git a/servers/lloadd/upstream.c b/servers/lloadd/upstream.c
index 458af0c1e4..a9d7f154fe 100644
--- a/servers/lloadd/upstream.c
+++ b/servers/lloadd/upstream.c
@@ -321,6 +321,7 @@ sasl_bind_step( LloadConnection *c, BerValue *scred, BerValue *ccred )
                     cb->data = cb_data = cb + 1;
                     memcpy( cb_data, cbv.bv_val, cbv.bv_len );
                     sasl_setprop( ctx, SASL_CHANNEL_BINDING, cb );
+                    c->c_sasl_cbinding = cb;
                 }
             }
 #endif