diff --git a/servers/slapd/backend.c b/servers/slapd/backend.c
index 04fac3ccec..c71e1df78c 100644
--- a/servers/slapd/backend.c
+++ b/servers/slapd/backend.c
@@ -914,6 +914,14 @@ backend_check_restrictions(
 *text = "modifications require authentication";
 return LDAP_STRONG_AUTH_REQUIRED;
 }
+
+#ifdef SLAP_X_LISTENER_MOD
+if ( ! ( conn->c_listener->sl_perms & S_IWUSR ) ) {
+/* no "w" mode means readonly */
+*text = "modifications not allowed on this listener";
+return LDAP_UNWILLING_TO_PERFORM;
+}
+#endif /* SLAP_X_LISTENER_MOD */
 }
 }
@@ -964,6 +972,25 @@ backend_check_restrictions(
 return LDAP_OPERATIONS_ERROR;
 }
 }
+
+#ifdef SLAP_X_LISTENER_MOD
+if ( !starttls && op->o_dn.bv_len == 0 ) {
+if ( ! ( conn->c_listener->sl_perms & S_IXUSR ) ) {
+/* no "x" mode means bind required */
+*text = "bind required on this listener";
+return LDAP_CONFIDENTIALITY_REQUIRED;
+}
+}
+
+if ( !starttls && !updateop ) {
+if ( ! ( conn->c_listener->sl_perms & S_IRUSR ) ) {
+/* no "r" mode means no read */
+*text = "read not allowed on this listener";
+return LDAP_UNWILLING_TO_PERFORM;
+}
+}
+#endif /* SLAP_X_LISTENER_MOD */
+
 }
 if( restrictops & opflag ) {
diff --git a/servers/slapd/daemon.c b/servers/slapd/daemon.c
index fd1d84f8a9..128fe16119 100644
--- a/servers/slapd/daemon.c
+++ b/servers/slapd/daemon.c
@@ -311,7 +311,7 @@ static void slap_free_listener_addresses(struct sockaddr **sal)
 ch_free(sal);
 }
-#ifdef LDAP_PF_LOCAL
+#if defined(LDAP_PF_LOCAL) || defined(SLAP_X_LISTENER_MOD)
 static int get_url_perms(
 char **exts,
 mode_t *perms,
@@ -392,7 +392,7 @@ static int get_url_perms(
 return LDAP_OTHER;
 }
-#endif /* LDAP_PF_LOCAL */
+#endif /* LDAP_PF_LOCAL || SLAP_X_LISTENER_MOD */
 /* port = 0 indicates AF_LOCAL */
 static int slap_get_listener_addresses(
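Review bot: `conn->c_listener` is dereferenced without a check in the added block; if any connection that reaches backend_check_restrictions (internal or tool-created connections, for instance) can carry a null `c_listener`, every update on it becomes a null-pointer dereference. Either guard it, `if ( conn->c_listener && ! ( conn->c_listener->sl_perms & S_IWUSR ) ) {`, or confirm that every connection object is always bound to a listener before this function runs. The second backend.c hunk has the same unchecked dereference twice. backend_check_restrictions begins and ends outside the hunk.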
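Review bot: The "bind required" check refuses any operation whose `op->o_dn` is empty, which appears to include the Bind request itself unless bind operations never reach this point; on a listener without the x bit no client could then ever authenticate, and the r check below likewise treats Bind as a read because it is not an updateop. Exempt the bind explicitly, `if ( !starttls && op->o_tag != LDAP_REQ_BIND && op->o_dn.bv_len == 0 ) {`, and consider the same exemption for the r check so a write-only listener stays usable. LDAP_CONFIDENTIALITY_REQUIRED is also an odd result for a missing bind; the "modifications require authentication" path in the previous hunk returns LDAP_STRONG_AUTH_REQUIRED for the same condition, and the two should agree. backend_check_restrictions continues outside the hunk.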
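Review bot: get_url_perms is now compiled in SLAP_X_LISTENER_MOD builds that lack LDAP_PF_LOCAL, where it was previously excluded; its `mode_t *perms` parameter and the S_IRUSR/S_IWUSR/S_IXUSR bits tested in backend.c require `<sys/stat.h>` in those builds too, which may so far only be pulled in on the AF_LOCAL path — confirm the include is unconditional. The body of get_url_perms lies outside the hunk.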
@@ -587,13 +587,12 @@ static int slap_open_listener(
 struct sockaddr **sal, **psal;
 int socktype = SOCK_STREAM; /* default to COTS */
-#ifdef LDAP_PF_LOCAL
+#if defined(LDAP_PF_LOCAL) || defined(SLAP_X_LISTENER_MOD)
 /*
 * use safe defaults
 */
-mode_t perms = S_IRWXU;
 int crit = 1;
-#endif
+#endif /* LDAP_PF_LOCAL || SLAP_X_LISTENER_MOD */
 rc = ldap_url_parse( url, &lud );
@@ -648,10 +647,6 @@ static int slap_open_listener(
 } else {
 err = slap_get_listener_addresses(lud->lud_host, 0, &sal);
 }
-
-if ( lud->lud_exts ) {
-err = get_url_perms( lud->lud_exts, &perms, &crit );
-}
 #else
 #ifdef NEW_LOGGING
@@ -677,6 +672,14 @@ static int slap_open_listener(
 }
 }
+#if defined(LDAP_PF_LOCAL) || defined(SLAP_X_LISTENER_MOD)
+if ( lud->lud_exts ) {
+err = get_url_perms( lud->lud_exts, &l.sl_perms, &crit );
+} else {
+l.sl_perms = S_IRWXU;
+}
+#endif /* LDAP_PF_LOCAL || SLAP_X_LISTENER_MOD */
+
 ldap_free_urldesc( lud );
 if ( err ) {
 return -1;
@@ -820,7 +823,7 @@ static int slap_open_listener(
 #ifdef LDAP_PF_LOCAL
 case AF_LOCAL: {
 char *addr = ((struct sockaddr_un *)*sal)->sun_path;
-if ( chmod( addr, perms ) < 0 && crit ) {
+if ( chmod( addr, l.sl_perms ) < 0 && crit ) {
 int err = sock_errno();
 #ifdef NEW_LOGGING
 LDAP_LOG( CONNECTION, INFO,
diff --git a/servers/slapd/slap.h b/servers/slapd/slap.h
index da5530b06c..0a27ab8706 100644
--- a/servers/slapd/slap.h
+++ b/servers/slapd/slap.h
@@ -1731,6 +1731,9 @@ typedef struct slap_conn {
 struct slap_listener {
 struct berval sl_url;
 struct berval sl_name;
+#ifdef SLAP_X_LISTENER_MOD
+mode_t sl_perms;
+#endif /* SLAP_X_LISTENER_MOD */
 #ifdef HAVE_TLS
 int sl_is_tls;
 #endif
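Review bot: `l.sl_perms` is assigned here under `#if defined(LDAP_PF_LOCAL) || defined(SLAP_X_LISTENER_MOD)`, but the slap.h hunk declares `sl_perms` only under `#ifdef SLAP_X_LISTENER_MOD`, so a build with LDAP_PF_LOCAL and without SLAP_X_LISTENER_MOD no longer compiles; the `chmod( addr, l.sl_perms )` hunk below has the same mismatch. Either guard the field in slap.h with the same `#if defined(LDAP_PF_LOCAL) || defined(SLAP_X_LISTENER_MOD)` or keep the local `perms` for the AF_LOCAL-only build. Separately, `err` from the preceding address lookup is overwritten by the get_url_perms result, so a failed lookup followed by a valid extension would not be rejected by the `if ( err )` that follows (if the lookup failure is not caught elsewhere); `if ( err == 0 && lud->lud_exts ) {` keeps the first error. slap_open_listener begins and ends outside the hunk.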
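Review bot: On an AF_LOCAL listener `l.sl_perms` now carries two meanings: the file mode applied to the socket here and, with SLAP_X_LISTENER_MOD, the per-operation mask checked in backend_check_restrictions, where a missing owner read, write or execute bit refuses reads, writes or anonymous access. An existing ldapi configuration whose extension gives a plain file mode without the owner execute bit would therefore start demanding a bind as soon as SLAP_X_LISTENER_MOD is enabled. Make the overlap explicit at the chmod call, e.g. `/* sl_perms is both the socket file mode and, under SLAP_X_LISTENER_MOD, the operation mask tested in backend_check_restrictions() */`, or separate the two meanings into distinct URL extensions. slap_open_listener continues outside the hunk.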
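Review bot: The new `sl_perms` field has no comment, so a reader of slap.h cannot tell that its S_IRUSR, S_IWUSR and S_IXUSR bits are interpreted by backend_check_restrictions as read, write and anonymous-access permissions for operations arriving on the listener, nor that the value comes from the URL extension parsed by get_url_perms. Suggest `mode_t sl_perms; /* listener permissions: S_IRUSR read, S_IWUSR write, S_IXUSR anonymous; also the socket mode for AF_LOCAL */`.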