diff --git a/lam/lib/account.inc b/lam/lib/account.inc
index 1de3737c..1c29960c 100644
--- a/lam/lib/account.inc
+++ b/lam/lib/account.inc
@@ -188,9 +188,9 @@ function pwd_hash($password, $enabled = true, $hashType = 'SSHA') {
 function getSupportedHashTypes() {
 if (version_compare(phpversion(), '5.3.2') < 0) {
 // CRYPT-SHA512 requires PHP 5.3.2 or higher
- return array('CRYPT', 'SHA', 'SSHA', 'MD5', 'SMD5', 'PLAIN');
+ return array('CRYPT', 'SHA', 'SSHA', 'MD5', 'SMD5', 'PLAIN', 'SASL');
 }
- return array('CRYPT', 'CRYPT-SHA512', 'SHA', 'SSHA', 'MD5', 'SMD5', 'PLAIN');
+ return array('CRYPT', 'CRYPT-SHA512', 'SHA', 'SSHA', 'MD5', 'SMD5', 'PLAIN', 'SASL');
 }
 /**
@@ -271,6 +271,10 @@ function pwd_is_lockable($password) {
 if (($password == null) || (strlen($password) < 5)) {
 return false;
 }
+ // SASL is not lockable
+ if (strpos($password, '{SASL}') === 0) {
+ return false;
+ }
 return ((substr($password, 0, 1) == "{") || (substr($password, 1, 1) == "{")) && (strpos($password, "}") > 3);
 }
diff --git a/lam/lib/modules/inetOrgPerson.inc b/lam/lib/modules/inetOrgPerson.inc
index 0fd81990..a3dcc09e 100644
--- a/lam/lib/modules/inetOrgPerson.inc
+++ b/lam/lib/modules/inetOrgPerson.inc
@@ -1163,6 +1163,12 @@ class inetOrgPerson extends baseModule implements passwordService {
 if (isset($_POST['removePassword'])) {
 unset($this->attributes['userPassword']);
 }
+ // set SASL password for new and renamed users
+ if (!empty($this->attributes['uid'][0]) && !empty($this->moduleSettings['posixAccount_pwdHash'][0])
+ && ($this->moduleSettings['posixAccount_pwdHash'][0] === 'SASL')
+ && ($this->getAccountContainer()->isNewAccount || ($this->attributes['uid'][0] != $this->orig['uid'][0]))) {
+ $this->attributes['userPassword'][0] = '{SASL}' . $this->attributes['uid'][0];
+ }
 }
 }
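Review bot: The two `return array(...)` lines in getSupportedHashTypes() now list 'SASL' beside real hash schemes, but nothing here says it is a pass-through marker rather than a hash, and pwd_hash() (named in the hunk header, body outside the visible diff) is not touched. Any caller that hands the configured type straight to pwd_hash() would get whatever that function does for a type it does not know, which should be confirmed before this value is selectable. I would add a comment above the returns such as `// 'SASL' is not a hash: the modules store {SASL}<uid> and password verification is left to the directory server's SASL backend`.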
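Review bot: The added `strpos($password, '{SASL}') === 0` test in pwd_is_lockable() is case-sensitive, so a value written as `{sasl}uid` by another tool would fall through to the generic check on the last line and be reported as lockable; directory servers commonly match the scheme name without regard to case, and `if (stripos($password, '{SASL}') === 0) {` covers both spellings. The comment `// SASL is not lockable` should also say why and what to do instead, for example `// {SASL} values hold no local credential; disabling the account has to happen in the SASL backend`. Operators who rely on the lock function to cut off a user need that stated, because for these accounts it will no longer be offered.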
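Review bot: The rename test `$this->attributes['uid'][0] != $this->orig['uid'][0]` reads `$this->orig['uid'][0]` without checking that it exists and compares loosely, so numeric-looking uids such as `0123` and `123` compare equal and the stored `{SASL}` value would keep the old name, while an entry that had no uid before raises an undefined-index notice. I would write `(!isset($this->orig['uid'][0]) || ($this->attributes['uid'][0] !== $this->orig['uid'][0]))`. The block also replaces whatever userPassword the entry already had without telling the operator, which deserves a sentence in the comment above it. The same condition is repeated in the posixAccount hunk at -1226, and the enclosing function starts outside this hunk.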
@@ -2387,15 +2393,22 @@ class inetOrgPerson extends baseModule implements passwordService {
 }
 }
 // password
- if (($rawAccounts[$i][$ids['inetOrgPerson_userPassword']] != "") && (get_preg($rawAccounts[$i][$ids['inetOrgPerson_userPassword']], 'password'))) {
- $partialAccounts[$i]['userPassword'] = pwd_hash($rawAccounts[$i][$ids['inetOrgPerson_userPassword']], true, $this->moduleSettings['posixAccount_pwdHash'][0]);
- $partialAccounts[$i]['INFO.userPasswordClearText'] = $rawAccounts[$i][$ids['inetOrgPerson_userPassword']]; // for custom scripts etc.
+ // set SASL password
+ if (!empty($this->moduleSettings['posixAccount_pwdHash'][0]) && ($this->moduleSettings['posixAccount_pwdHash'][0] === 'SASL')) {
+ $partialAccounts[$i]['userPassword'] = '{SASL}' . $partialAccounts[$i]['uid'];
 }
- elseif ($rawAccounts[$i][$ids['inetOrgPerson_userPassword']] != "") {
- $errMsg = $this->messages['userPassword'][0];
- $errMsg[2] = str_replace('%', '%%', $errMsg[2]); // double "%" because of later sprintf
- array_push($errMsg, array($i));
- $errors[] = $errMsg;
+ // set normal password
+ else {
+ if (($rawAccounts[$i][$ids['inetOrgPerson_userPassword']] != "") && (get_preg($rawAccounts[$i][$ids['inetOrgPerson_userPassword']], 'password'))) {
+ $partialAccounts[$i]['userPassword'] = pwd_hash($rawAccounts[$i][$ids['inetOrgPerson_userPassword']], true, $this->moduleSettings['posixAccount_pwdHash'][0]);
+ $partialAccounts[$i]['INFO.userPasswordClearText'] = $rawAccounts[$i][$ids['inetOrgPerson_userPassword']]; // for custom scripts etc.
+ }
+ elseif ($rawAccounts[$i][$ids['inetOrgPerson_userPassword']] != "") {
+ $errMsg = $this->messages['userPassword'][0];
+ $errMsg[2] = str_replace('%', '%%', $errMsg[2]); // double "%" because of later sprintf
+ array_push($errMsg, array($i));
+ $errors[] = $errMsg;
+ }
 }
 }
 }
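Review bot: In the SASL branch the value `'{SASL}' . $partialAccounts[$i]['uid']` is built without checking that a uid was set for the row, unlike the `!empty($this->attributes['uid'][0])` guard used in the interactive paths, so a row without uid would be uploaded with a bare `{SASL}` value; whether uid is always filled in before this point is not visible in the hunk. I would wrap the assignment in `if (!empty($partialAccounts[$i]['uid'])) { ... }` and report an error for the row otherwise. The password column is also ignored entirely in this mode, including values that would have failed `get_preg(..., 'password')`, so the upload gives no hint that supplied passwords were discarded. The posixAccount upload hunk at -2146 has the same shape and additionally drops `$pwd_enabled`, so rows marked as locked are created unlocked.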
@@ -3513,7 +3526,15 @@ class inetOrgPerson extends baseModule implements passwordService {
 }
 // set new password
 $this->clearTextPassword = $password;
- $this->attributes['userPassword'][0] = pwd_hash($password, true, $this->moduleSettings['posixAccount_pwdHash'][0]);
+ // set SASL password
+ if (!empty($this->attributes['uid'][0]) && !empty($this->moduleSettings['posixAccount_pwdHash'][0])
+ && ($this->moduleSettings['posixAccount_pwdHash'][0] === 'SASL')) {
+ $this->attributes['userPassword'][0] = '{SASL}' . $this->attributes['uid'][0];
+ }
+ // set normal password
+ else {
+ $this->attributes['userPassword'][0] = pwd_hash($password, true, $this->moduleSettings['posixAccount_pwdHash'][0]);
+ }
 return array();
 }
diff --git a/lam/lib/modules/posixAccount.inc b/lam/lib/modules/posixAccount.inc
index cfd69454..ebb4f717 100644
--- a/lam/lib/modules/posixAccount.inc
+++ b/lam/lib/modules/posixAccount.inc
@@ -666,11 +666,12 @@ class posixAccount extends baseModule implements passwordService {
 *
"info" are values with informational value (e.g. to be used later by pre/postModify actions)
 */
 function save_attributes() {
- $return = $this->getAccountContainer()->save_module_attributes($this->attributes, $this->orig);
 if (!in_array('posixAccount', $this->attributes['objectClass']) && !in_array('posixAccount', $this->orig['objectClass'])) {
 // skip saving if the extension was not added/modified
 return array();
 }
+ // get default changes
+ $return = $this->getAccountContainer()->save_module_attributes($this->attributes, $this->orig);
 // add information about clear text password and password status change
 $return[$this->getAccountContainer()->dn_orig]['info']['userPasswordClearText'][0] = $this->clearTextPassword;
 $pwdAttrName = $this->getPasswordAttrName();
@@ -1226,6 +1227,14 @@ class posixAccount extends baseModule implements passwordService {
 }
 }
 }
+ if ($this->get_scope() == 'user') {
+ // set SASL password for new and renamed users
+ if (!empty($this->attributes['uid'][0]) && !empty($this->moduleSettings['posixAccount_pwdHash'][0])
+ && ($this->moduleSettings['posixAccount_pwdHash'][0] === 'SASL')
+ && ($this->getAccountContainer()->isNewAccount || ($this->attributes['uid'][0] != $this->orig['uid'][0]))) {
+ $this->attributes[$this->getPasswordAttrName()][0] = '{SASL}' . $this->attributes['uid'][0];
+ }
+ }
 // Return error-messages
 return $errors;
 }
@@ -2146,15 +2155,22 @@ class posixAccount extends baseModule implements passwordService {
 $errors[] = $errMsg;
 }
 // password
- if (($rawAccount[$ids['posixAccount_password']] != "") && (get_preg($rawAccount[$ids['posixAccount_password']], 'password'))) {
- $partialAccounts[$i][$pwdAttrName] = pwd_hash($rawAccount[$ids['posixAccount_password']], $pwd_enabled, $this->moduleSettings['posixAccount_pwdHash'][0]);
- $partialAccounts[$i]['INFO.userPasswordClearText'] = $rawAccount[$ids['posixAccount_password']]; // for custom scripts etc.
+ // set SASL passwords
+ if (!empty($this->moduleSettings['posixAccount_pwdHash'][0]) && ($this->moduleSettings['posixAccount_pwdHash'][0] === 'SASL')) {
+ $partialAccounts[$i][$pwdAttrName] = '{SASL}' . $partialAccounts[$i]['uid'];
 }
- elseif ($rawAccount[$ids['posixAccount_password']] != "") {
- $errMsg = $this->messages['userPassword'][4];
- $errMsg[2] = str_replace('%', '%%', $errMsg[2]); // double "%" because of later sprintf
- array_push($errMsg, array($i));
- $errors[] = $errMsg;
+ // set normal password
+ else {
+ if (($rawAccount[$ids['posixAccount_password']] != "") && (get_preg($rawAccount[$ids['posixAccount_password']], 'password'))) {
+ $partialAccounts[$i][$pwdAttrName] = pwd_hash($rawAccount[$ids['posixAccount_password']], $pwd_enabled, $this->moduleSettings['posixAccount_pwdHash'][0]);
+ $partialAccounts[$i]['INFO.userPasswordClearText'] = $rawAccount[$ids['posixAccount_password']]; // for custom scripts etc.
+ }
+ elseif ($rawAccount[$ids['posixAccount_password']] != "") {
+ $errMsg = $this->messages['userPassword'][4];
+ $errMsg[2] = str_replace('%', '%%', $errMsg[2]); // double "%" because of later sprintf
+ array_push($errMsg, array($i));
+ $errors[] = $errMsg;
+ }
 }
 // cn
 if ($this->manageCn()) {
@@ -2705,7 +2721,15 @@ class posixAccount extends baseModule implements passwordService {
 }
 // set new password
 $this->clearTextPassword = $password;
- $this->attributes[$this->getPasswordAttrName()][0] = pwd_hash($password, true, $this->moduleSettings['posixAccount_pwdHash'][0]);
+ // set SASL password
+ if (!empty($this->attributes['uid'][0]) && !empty($this->moduleSettings['posixAccount_pwdHash'][0])
+ && ($this->moduleSettings['posixAccount_pwdHash'][0] === 'SASL')) {
+ $this->attributes[$this->getPasswordAttrName()][0] = '{SASL}' . $this->attributes['uid'][0];
+ }
+ // set normal password
+ else {
+ $this->attributes[$this->getPasswordAttrName()][0] = pwd_hash($password, true, $this->moduleSettings['posixAccount_pwdHash'][0]);
+ }
 return array();
 }
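Review bot: Because the uid check sits in the same condition as the hash-type check, an account with SASL configured but an empty uid falls into the `else` and calls `pwd_hash($password, true, ...)` with the type 'SASL'; pwd_hash() is not changed in the visible diff, so what it stores for that type should be confirmed. Testing the hash type alone in the outer `if` and returning an error when the uid is empty would keep a typed password from being written under an unintended scheme. `$this->clearTextPassword = $password;` also still runs in SASL mode, and save_attributes() in this file passes it on as `userPasswordClearText`, so the entered password reaches pre/postModify actions although it is never stored; a comment should say whether that is intended. The inetOrgPerson hunk at -3513 has the same structure, and the function's start is outside the hunk.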