diff --git a/ldap/manifests/init.pp b/ldap/manifests/init.pp
index 856cfe6..e7f27d4 100644
--- a/ldap/manifests/init.pp
+++ b/ldap/manifests/init.pp
@@ -14,11 +14,37 @@
 #
 # === Parameters
 #
+# $auth:
+# Authentication method to use for LDAP queries. Valid values
+# are anonymous, bind and gssapi. Default is anonymous.
+#
+# $credentials:
+# Credentials for authentication. For simple bind use array
+# containig user dn and password. For gssapi use array containing
+# principal name.
+#
 # $mapping:
 # Attribute mapping to use. Valid values are ad and rfc2307.
 # Default is rfc2307.
 #
-class ldap::auth($mapping="rfc2307") inherits ldap::client {
+# === Sample usage
+#
+# class { "ldap::auth":
+# auth => "bind",
+# credentials => [ "uid=user,dc=example,dc=com", "secret", ],
+# }
+#
+# class { "ldap::auth":
+# auth => "gssapi",
+# credentials => [ "MYHOST\$@EXAMPLE.COM" ],
+# mapping => "ad",
+# }
+#
+class ldap::auth(
+ $auth="anonymous",
+ $credentials=[],
+ $mapping="rfc2307"
+) inherits ldap::client {
 
 include pam::common
 
@@ -31,6 +57,27 @@ class ldap::auth($mapping="rfc2307") inherits ldap::client {
 $ssl = "off"
 }
 
+ case $auth {
+ "anonymous": {}
+ "bind": {
+ if !$credentials[0] and !$credentials[1] {
+ fail("no \$credentials argument set")
+ }
+ }
+ "gssapi": {
+ require kerberos::kstart
+ require sasl::client
+ if $credentials[0] {
+ $principal = $credentials[0]
+ } else {
+ $principal = "host/${::homename}"
+ }
+ }
+ default: {
+ fail("unsupported auth value \"${auth}\"")
+ }
+ }
+
 if $::kernel == "Linux" {
 include nscd
 }
@@ -58,6 +105,9 @@ class ldap::auth($mapping="rfc2307") inherits ldap::client {
 group => "root",
 notify => Service["nslcd"],
 }
+ if $auth == "gssapi" {
+ fail("gssapi not supported on ${::operatingsystem}")
+ }
 augeas { "pam-ldap-conf":
 changes => [ "set ssl ${ssl}",
 "set pam_password exop",
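Review bot: The `$credentials` paragraph should say where the password ends up: for `auth => "bind"` the second element is rendered verbatim as `bindpw` in nslcd.conf by the template change in this commit, so it is stored in clear text on every client and, being a class parameter, presumably also appears in the compiled catalog and reports. Suggested addition under `$credentials:`: `#   For bind the password is written in clear text to nslcd.conf and is` `#   part of the catalog; treat the manifest that sets it as sensitive.` While here, `containig` in the same paragraph is a typo for `containing`, and the `$auth` paragraph could state that `$credentials` is ignored when `$auth` is `anonymous`, which is what the new case statement does. The class body continues past the hunk.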
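Review bot: The bind check at `if !$credentials[0] and !$credentials[1]` only fails when both elements are missing, so an array holding just a DN (or just a password) is accepted; the template then renders `binddn` or `bindpw` with an empty value, which nslcd may either reject at startup or send as a simple bind with an empty password, and several directory servers treat that as an unauthenticated bind, silently degrading the client to anonymous-level access instead of failing at compile time. Join the conditions with `or`: `if !$credentials[0] or !$credentials[1] {`. It would also be worth failing on a non-empty `$credentials` when `$auth` is `anonymous`, since a user who supplies credentials but leaves `$auth` at its default currently gets an anonymous connection with no warning. The class body continues outside the hunk.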
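Review bot: The `fail("gssapi not supported on ${::operatingsystem}")` guard sits after the file resource that ends at `notify => Service["nslcd"],`, so this branch declares resources before it rejects the unsupported combination; compilation aborts either way, but as a matter of style the guard reads better as the first statement of the branch, next to the platform test, so a reader sees the restriction before the platform-specific resources. The enclosing conditional starts outside the hunk, so I cannot see which platforms it covers.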
@@ -111,6 +161,13 @@ class ldap::auth($mapping="rfc2307") inherits ldap::client {
 require => Package["libnss-ldapd"],
 notify => Service["nslcd"],
 }
+ if $auth == "gssapi" {
+ augeas { "ldap-auth-set-principal":
+ context => "/files/etc/default/nslcd",
+ changes => "set K5START_PRINCIPAL '${principal}'",
+ notify => Service["nslcd"],
+ }
+ }
 service { "nslcd":
 ensure => running,
 enable => true,
diff --git a/ldap/templates/nslcd.conf.erb b/ldap/templates/nslcd.conf.erb
index b62691c..ac5086d 100644
--- a/ldap/templates/nslcd.conf.erb
+++ b/ldap/templates/nslcd.conf.erb
@@ -25,6 +25,15 @@ pagesize 500 map group member uniqueMember
 <% end -%>
 <% end -%>
+<% if @auth == 'bind' -%>
+
+binddn <%= @credentials[0] %>
+bindpw <%= @credentials[1] %>
+<% elsif @auth == 'gssapi' -%>
+
+sasl_mech GSSAPI
+krb5_ccname FILE:/var/run/nslcd/krb5cc_nslcd
+<% end -%>
 <% if @ldap_uri =~ /^ldaps:/ -%>
 ssl on
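Review bot: The `augeas { "ldap-auth-set-principal": ... }` resource is only declared when `$auth == "gssapi"`, so a node later switched from gssapi to bind or anonymous keeps its old `K5START_PRINCIPAL` in /etc/default/nslcd, and whatever reads that file (presumably the nslcd init script driving k5start) would keep acting on a principal this configuration no longer uses. Add an `else` branch that removes the key so the setting is managed in both directions; if the defaults file also carries a separate k5start enable flag it would need the same treatment, but the page does not show one. Note also that `${principal}` is interpolated inside single quotes in the augeas command, so a value containing `'` would break the expression; it comes from the manifest author, so this is a robustness rather than an injection concern. The surrounding class body continues outside the hunk.
```puppet
  if $auth == "gssapi" {
    # … unchanged: ldap-auth-set-principal augeas resource …
  } else {
    augeas { "ldap-auth-unset-principal":
      context => "/files/etc/default/nslcd",
      changes => "rm K5START_PRINCIPAL",
      notify  => Service["nslcd"],
    }
  }
```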