diff --git a/libraries/libldap/cyrus.c b/libraries/libldap/cyrus.c
index d67d007823..6222090d23 100644
--- a/libraries/libldap/cyrus.c
+++ b/libraries/libldap/cyrus.c
@@ -753,13 +753,31 @@ ldap_int_sasl_bind(
 /* we're done, no need to step */
 if( scred ) {
 /* but we got additional data? */
- Debug( LDAP_DEBUG_TRACE,
- "ldap_int_sasl_bind: rc=%d sasl=%d len=%ld\n",
- rc, saslrc, scred ? scred->bv_len : -1 );
-
- ber_bvfree( scred );
- rc = ld->ld_errno = LDAP_LOCAL_ERROR;
- goto done;
+#define KLUDGE_FOR_MSAD
+#ifdef KLUDGE_FOR_MSAD
+ /*
+ * MSAD provides empty additional data in violation of LDAP
+ * technical specifications. As no existing SASL mechanism
+ * allows empty data with an outcome message, just ignore it
+ * for now. Hopefully MS will fix their bug before someone
+ * defines a mechanism with possibly empty additional data.
+ */
+ if( scred->bv_len == 0 ) {
+ Debug( LDAP_DEBUG_ANY,
+ "ldap_int_sasl_bind: ignoring "
+ " bogus empty data provided with SASL outcome message.\n",
+ rc, saslrc, scred->bv_len );
+ ber_bvfree( scred );
+ } else
+#endif
+ {
+ Debug( LDAP_DEBUG_TRACE,
+ "ldap_int_sasl_bind: rc=%d sasl=%d len=%ld\n",
+ rc, saslrc, scred->bv_len );
+ rc = ld->ld_errno = LDAP_LOCAL_ERROR;
+ ber_bvfree( scred );
+ goto done;
+ }
 }
 break;
 }
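Review bot: In the new empty-data branch, `scred` is freed with `ber_bvfree( scred )` and control then falls through to `break` with the pointer still set, whereas before this change every path that freed it here left through `goto done`. Whether anything after the loop or at `done:` touches `scred` is outside the hunk, so adding `scred = NULL;` right after the free would rule out a later double free or use of freed memory. The `Debug()` call in that branch passes `rc, saslrc, scred->bv_len` to a format string with no conversion specifiers; presumably the macro needs three arguments, in which case `0, 0, 0` says so without implying they are printed. Because `#define KLUDGE_FOR_MSAD` sits directly above the `#ifdef`, the relaxed handling of the SASL outcome is always compiled in and applies to any server, so a build-time switch (or a comment stating that it is intentionally unconditional) would help anyone who wants strict behaviour.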