--- a/src/auth/db-ldap.c	Thu Oct 05 20:25:29 2017 +0300
+++ b/src/auth/db-ldap.c	Fri Sep 15 15:17:08 2017 +0300
@@ -76,6 +76,8 @@
 
 	bool skip_null_values;
 	bool iter_dn_values;
+	LDAPMessage *ldap_msg;
+	LDAP *ld;
 };
 
 struct db_ldap_sasl_bind_context {
@@ -1576,6 +1578,8 @@
 	ctx->var = str_new(ctx->pool, 256);
 	if (ctx->auth_request->debug)
 		ctx->debug = t_str_new(256);
+	ctx->ldap_msg = res;
+	ctx->ld = conn->ld;
 
 	get_ldap_fields(ctx, conn, res, "");
 	if (array_is_created(&ldap_request->named_results)) {
@@ -1652,9 +1656,19 @@
 	return db_ldap_field_expand(field_name, ctx);
 }
 
+static int
+db_ldap_field_dn_expand(const char *data ATTR_UNUSED, void *context ATTR_UNUSED,
+			 const char **value_r, const char **error_r ATTR_UNUSED)
+{
+	struct db_ldap_result_iterate_context *ctx = context;
+	*value_r = ldap_get_dn(ctx->ld, ctx->ldap_msg);
+	return 1;
+}
+
 static struct var_expand_func_table ldap_var_funcs_table[] = {
 	{ "ldap", db_ldap_field_expand },
 	{ "ldap_ptr", db_ldap_field_ptr_expand },
+	{ "ldap_dn", db_ldap_field_dn_expand },
 	{ NULL, NULL }
 };