diff -ur httpd-2.2.14/modules/aaa/mod_authnz_ldap.c httpd-2.2.14-patch/modules/aaa/mod_authnz_ldap.c
--- httpd-2.2.14/modules/aaa/mod_authnz_ldap.c 2009-09-20 13:50:19.000000000 -0400
+++ httpd-2.2.14-patch/modules/aaa/mod_authnz_ldap.c 2010-02-19 17:08:03.000000000 -0500
@@ -75,6 +75,7 @@
 it's the exact string passed by the HTTP client */
 int secure; /* True if SSL connections are requested */
+ int accept_ssl_auth /* True if existence of a matching LDAP entry is sufficient authentication */
 } authn_ldap_config_t;
 typedef struct {
@@ -307,6 +308,7 @@
 sec->user_is_dn = 0;
 sec->remote_user_attribute = NULL;
 sec->compare_dn_on_server = 0;
+ sec->accept_ssl_auth = 0;
 return sec;
 }
@@ -378,7 +380,7 @@
 "[%" APR_PID_T_FMT "] auth_ldap authenticate: using URL %s", getpid(), sec->url);
 /* Get the password that the client sent */
- if (password == NULL) {
+ if (!sec->accept_ssl_auth && password == NULL) {
 ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
 "[%" APR_PID_T_FMT "] auth_ldap authenticate: no password specified", getpid());
 util_ldap_connection_close(ldc);
@@ -396,8 +398,15 @@
 authn_ldap_build_filter(filtbuf, r, user, NULL, sec);
 /* do the user search */
- result = util_ldap_cache_checkuserid(r, ldc, sec->url, sec->basedn, sec->scope,
- sec->attributes, filtbuf, password, &dn, &vals);
+ result = sec->accept_ssl_auth ?
+
+ /* authenticates the user if found in LDAP, without binding as the user */
+ util_ldap_cache_getuserdn(r, ldc, sec->url, sec->basedn, sec->scope,
+ sec->attributes, filtbuf, password, &dn, &vals) :
+
+ /* default: when querying the ldap server, bind as the user, using the supplied password */
+ util_ldap_cache_checkuserid(r, ldc, sec->url, sec->basedn, sec->scope,
+ sec->attributes, filtbuf, password, &dn, &vals);
 util_ldap_connection_close(ldc);
 /* sanity check - if server is down, retry it up to 5 times */
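Review bot: The new struct member in the first hunk, `int accept_ssl_auth /* True if ... */`, has no terminating semicolon before the closing `} authn_ldap_config_t;`, so the module will not compile as patched; it should read `int accept_ssl_auth; /* True if existence of a matching LDAP entry is sufficient authentication */`. While touching the comment, say what the flag actually changes for the reader of the struct: `/* If set, an LDAP entry matching the user name authenticates the request without binding as that user (meant for mod_ssl +FakeBasicAuth) */`. The typedef this member belongs to starts outside the hunk.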
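Review bot: In the third hunk, `if (!sec->accept_ssl_auth && password == NULL)` lets a password-less request proceed whenever the flag is on, but nothing in the patch checks that `user` was put there by mod_ssl's +FakeBasicAuth from a verified client certificate rather than sent by the client in an ordinary Basic Authorization header; the directive help text in the last hunk (AuthLDAPAcceptClientCert) promises a match against "their client SSL certificate's DN", yet the code only matches whatever user name reached the module, so unless the surrounding SSLVerifyClient policy guarantees a certificate on every request (not visible here), any user name that corresponds to an LDAP entry is accepted without credentials. Before taking the no-bind path the handler should confirm that a client certificate was verified for this request and that its subject DN is the identity being authenticated, for example through mod_ssl's optional `ssl_var_lookup` function (retrieved with `APR_RETRIEVE_OPTIONAL_FN(ssl_var_lookup)` in an optional-function hook) reading `SSL_CLIENT_VERIFY` and `SSL_CLIENT_S_DN`, and fall back to the normal password bind otherwise; I believe the DN string mod_ssl uses for the fake Basic header is the same as `SSL_CLIENT_S_DN`, but that should be confirmed. The enclosing authenticate function starts and ends outside the hunk, so the exact return code used for the existing "no password specified" rejection is not visible; the sketch below assumes `AUTH_DENIED` is appropriate.
```c
    /* Get the password that the client sent */
    if (sec->accept_ssl_auth) {
        /* Skip the user bind only when mod_ssl verified a client certificate
         * for this request and its subject DN is the user being authenticated;
         * ssl_var_lookup is the optional function retrieved from mod_ssl. */
        const char *verify = ssl_var_lookup ? ssl_var_lookup(r->pool, r->server, r->connection, r, "SSL_CLIENT_VERIFY") : NULL;
        const char *cert_dn = ssl_var_lookup ? ssl_var_lookup(r->pool, r->server, r->connection, r, "SSL_CLIENT_S_DN") : NULL;
        if (!verify || strcmp(verify, "SUCCESS") != 0 || !cert_dn || strcmp(cert_dn, user) != 0) {
            ap_log_rerror(APLOG_MARK, APLOG_WARNING, 0, r,
                          "[%" APR_PID_T_FMT "] auth_ldap authenticate: AuthLDAPAcceptClientCert set but no verified client certificate matches user %s", getpid(), user);
            util_ldap_connection_close(ldc);
            return AUTH_DENIED;
        }
    }
    else if (password == NULL) {
        /* … unchanged: existing "no password specified" handling … */
```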
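Review bot: In the fourth hunk the `util_ldap_cache_getuserdn` branch is passed `password` between `filtbuf` and `&dn`, but as far as I recall the getuserdn lookup (the one this module's authorization path already uses) takes no bind-password parameter, so this call has one argument too many and will fail against the util_ldap prototype; the call should be `util_ldap_cache_getuserdn(r, ldc, sec->url, sec->basedn, sec->scope, sec->attributes, filtbuf, &dn, &vals)`. With the two branches then taking different argument lists, an `if (sec->accept_ssl_auth) { ... } else { ... }` assigning `result` in each branch reads better than comments embedded inside a conditional expression. The comment on the getuserdn branch should also make the security consequence explicit, e.g. `/* AuthLDAPAcceptClientCert: search with the module's own bind credentials; the request's password, if any, is never checked */`.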
@@ -1115,6 +1124,12 @@
 "Character set conversion configuration file. If omitted, character set"
 "conversion is disabled."),
+ AP_INIT_FLAG("AuthLDAPAcceptClientCert", ap_set_flag_slot,
+ (void *)APR_OFFSETOF(authn_ldap_config_t, accept_ssl_auth), OR_AUTHCFG,
+ "Set to 'on' to authenticate the user if they have an entry matching their "
+ "client SSL certificate's DN. Note: Requires the +FakeBasicAuth option of "
+ "mod_ssl. Defaults to off."),
+
 {NULL}
 };