diff --git a/clients/tools/ldappasswd.c b/clients/tools/ldappasswd.c
index 6ba2a824ae..daa71fb3a9 100644
--- a/clients/tools/ldappasswd.c
+++ b/clients/tools/ldappasswd.c
@@ -56,6 +56,7 @@
 static struct berval newpw = { 0, NULL };
 static struct berval oldpw = { 0, NULL };
 
+static int   want_bindearly = 0;
 static int   want_newpw = 0;
 static int   want_oldpw = 0;
 
@@ -69,6 +70,7 @@ usage( void )
 	fprintf( stderr,_("usage: %s [options] [user]\n"), prog);
 	fprintf( stderr, _("  user: the authentication identity, commonly a DN\n"));
 	fprintf( stderr, _("Password change options:\n"));
+	fprintf( stderr, _("  -E         bind early\n"));
 	fprintf( stderr, _("  -a secret  old password\n"));
 	fprintf( stderr, _("  -A         prompt for old password\n"));
 	fprintf( stderr, _("  -t file    read file for old password\n"));
@@ -80,7 +82,7 @@ usage( void )
 }
 
 
-const char options[] = "a:As:St:T:"
+const char options[] = "Ea:As:St:T:"
 	"d:D:e:h:H:InNO:o:p:QR:U:vVw:WxX:y:Y:Z";
 
 int
@@ -117,6 +119,11 @@ handle_private_option( int i )
 		}
 #endif
 
+	case 'E':	/* bind to the LDAP server before other actions */
+		want_bindearly++;
+		break;
+
+
 	case 'a':	/* old password (secret) */
 		oldpw.bv_val = strdup( optarg );
 		{
@@ -195,6 +202,13 @@ main( int argc, char *argv[] )
 		user = NULL;
 	}
 
+	if( want_bindearly ) {
+		/* bind */
+		ld = tool_conn_setup( 0, 0 );
+
+		tool_bind( ld );
+	}
+
 	if( oldpwfile ) {
 		rc = lutil_get_filed_password( oldpwfile, &oldpw );
 		if( rc ) {
@@ -245,9 +259,12 @@ main( int argc, char *argv[] )
 		newpw.bv_len = strlen( newpw.bv_val );
 	}
 
-	ld = tool_conn_setup( 0, 0 );
+	if( ! want_bindearly ) {
+		/* bind */
+		ld = tool_conn_setup( 0, 0 );
 
-	tool_bind( ld );
+		tool_bind( ld );
+	}
 
 	if( user != NULL || oldpw.bv_val != NULL || newpw.bv_val != NULL ) {
 		/* build the password modify request data */