diff --git a/.travis.yml b/.travis.yml
index ad9cd967..960f6db2 100644
--- a/.travis.yml
+++ b/.travis.yml
@@ -34,6 +34,14 @@ matrix:
       env:
         - TOXENV=py36
         - WITH_GCOV=1
+    - python: 2.7
+      env:
+        - TOXENV=py2-nosasltls
+        - WITH_GCOV=1
+    - python: 3.6
+      env:
+        - TOXENV=py3-nosasltls
+        - WITH_GCOV=1
     - python: 3.6
       env: TOXENV=doc
 
diff --git a/Doc/contributing.rst b/Doc/contributing.rst
index 3a904d34..aa6097d0 100644
--- a/Doc/contributing.rst
+++ b/Doc/contributing.rst
@@ -146,6 +146,8 @@ for checking things independent of the Python version:
 * ``doc`` checks syntax and spelling of the documentation
 * ``coverage-report`` generates a test coverage report for Python code.
   It must be used last, e.g. ``tox -e py27,py36,coverage-report``.
+* ``py2-nosasltls`` and ``py3-nosasltls`` check functionality without
+  SASL and TLS bindings compiled in.
 
 
 When your change is ready, commit to Git, and submit a pull request on GitHub.
diff --git a/Lib/slapdtest/__init__.py b/Lib/slapdtest/__init__.py
index a1acd2b7..d7d19fdc 100644
--- a/Lib/slapdtest/__init__.py
+++ b/Lib/slapdtest/__init__.py
@@ -8,4 +8,4 @@
 __version__ = '3.0.0b1'
 
 from slapdtest._slapdtest import SlapdObject, SlapdTestCase, SysLogHandler
-from slapdtest._slapdtest import skip_unless_ci, requires_tls
+from slapdtest._slapdtest import skip_unless_ci, requires_sasl, requires_tls
diff --git a/Lib/slapdtest/_slapdtest.py b/Lib/slapdtest/_slapdtest.py
index 29005811..5ba64642 100644
--- a/Lib/slapdtest/_slapdtest.py
+++ b/Lib/slapdtest/_slapdtest.py
@@ -64,13 +64,16 @@ def identity(test_item):
     return test_item
 
 
-def skip_unless_ci(reason):
+def skip_unless_ci(reason, feature=None):
     """Skip test unless test case is executed on CI like Travis CI
     """
-    if os.environ.get('CI', False):
-        return identity
-    else:
+    if not os.environ.get('CI', False):
+        return unittest.skip(reason)
+    elif feature in os.environ.get('CI_DISABLED', '').split(':'):
         return unittest.skip(reason)
+    else:
+        # Don't skip on Travis
+        return identity
 
 
 def requires_tls(skip_nss=False):
@@ -81,16 +84,25 @@ def requires_tls(skip_nss=False):
     :param skip_nss: Skip test when libldap is compiled with NSS as TLS lib
     """
     if not ldap.TLS_AVAIL:
-        return skip_unless_ci("test needs ldap.TLS_AVAIL")
+        return skip_unless_ci("test needs ldap.TLS_AVAIL", feature='TLS')
     elif skip_nss and ldap.get_option(ldap.OPT_X_TLS_PACKAGE) == 'MozNSS':
         return skip_unless_ci(
             "Test doesn't work correctly with Mozilla NSS, see "
-            "https://bugzilla.redhat.com/show_bug.cgi?id=1519167"
+            "https://bugzilla.redhat.com/show_bug.cgi?id=1519167",
+            feature="NSS"
         )
     else:
         return identity
 
 
+def requires_sasl():
+    if not ldap.SASL_AVAIL:
+        return skip_unless_ci(
+            "test needs ldap.SASL_AVAIL", feature='SASL')
+    else:
+        return identity
+
+
 def combined_logger(
         log_name,
         log_level=logging.WARN,
diff --git a/Tests/t_cext.py b/Tests/t_cext.py
index be858e95..4ef5d0eb 100644
--- a/Tests/t_cext.py
+++ b/Tests/t_cext.py
@@ -212,6 +212,21 @@ def test_constants(self):
         self.assertNotNone(_ldap.URL_ERR_BADSCOPE)
         self.assertNotNone(_ldap.URL_ERR_MEM)
 
+    def test_test_flags(self):
+        # test flag, see slapdtest and tox.ini
+        disabled = os.environ.get('CI_DISABLED')
+        if not disabled:
+            self.skipTest("No CI_DISABLED env var")
+        disabled = set(disabled.split(':'))
+        if 'TLS' in disabled:
+            self.assertFalse(_ldap.TLS_AVAIL)
+        else:
+            self.assertFalse(_ldap.TLS_AVAIL)
+        if 'SASL' in disabled:
+            self.assertFalse(_ldap.SASL_AVAIL)
+        else:
+            self.assertFalse(_ldap.SASL_AVAIL)
+
     def test_simple_bind(self):
         l = self._open_conn()
 
diff --git a/Tests/t_ldap_sasl.py b/Tests/t_ldap_sasl.py
index 9acd051e..2fa4dbcc 100644
--- a/Tests/t_ldap_sasl.py
+++ b/Tests/t_ldap_sasl.py
@@ -14,7 +14,7 @@
 
 from ldap.ldapobject import SimpleLDAPObject
 import ldap.sasl
-from slapdtest import SlapdTestCase, requires_tls
+from slapdtest import SlapdTestCase, requires_sasl, requires_tls
 
 
 LDIF = """
@@ -39,6 +39,7 @@
 """
 
 
+@requires_sasl()
 class TestSasl(SlapdTestCase):
     ldap_object_class = SimpleLDAPObject
     # from Tests/certs/client.pem
diff --git a/Tests/t_ldapobject.py b/Tests/t_ldapobject.py
index d55d0181..9b6a090e 100644
--- a/Tests/t_ldapobject.py
+++ b/Tests/t_ldapobject.py
@@ -19,7 +19,7 @@
 import os
 import unittest
 import pickle
-from slapdtest import SlapdTestCase
+from slapdtest import SlapdTestCase, requires_sasl
 
 # Switch off processing .ldaprc or ldap.conf before importing _ldap
 os.environ['LDAPNOINIT'] = '1'
@@ -298,6 +298,7 @@ def test005_invalid_credentials(self):
         else:
             self.fail("expected INVALID_CREDENTIALS, got %r" % r)
 
+    @requires_sasl()
     def test006_sasl_extenal_bind_s(self):
         l = self.ldap_object_class(self.server.ldapi_uri)
         l.sasl_external_bind_s()
@@ -322,6 +323,7 @@ class Test01_ReconnectLDAPObject(Test00_SimpleLDAPObject):
 
     ldap_object_class = ReconnectLDAPObject
 
+    @requires_sasl()
     def test101_reconnect_sasl_external(self):
         l = self.ldap_object_class(self.server.ldapi_uri)
         l.sasl_external_bind_s()
diff --git a/tox.ini b/tox.ini
index 51f8981d..6d984c0f 100644
--- a/tox.ini
+++ b/tox.ini
@@ -5,7 +5,8 @@
 
 [tox]
 # Note: when updating Python versions, also change setup.py and .travis.yml
-envlist = py27,py33,py34,py35,py36,doc,coverage-report
+envlist = py27,py33,py34,py35,py36,{py2,py3}-nosasltls,doc,coverage-report
+minver = 1.8
 
 [testenv]
 deps = coverage
@@ -21,9 +22,30 @@ commands = {envpython} -bb -Werror \
 
 [testenv:py27]
 # No warnings with Python 2.7
+passenv = {[testenv]passenv}
 commands = {envpython} \
     -m coverage run --parallel setup.py test
 
+[testenv:py2-nosasltls]
+basepython = python2
+deps = {[testenv]deps}
+passenv = {[testenv]passenv}
+setenv =
+    CI_DISABLED=TLS:SASL
+# rebuild without SASL and TLS
+commands = {envpython} \
+    -m coverage run --parallel setup.py \
+        clean --all \
+        build_ext -UHAVE_SASL,HAVE_TLS \
+        test
+
+[testenv:py3-nosasltls]
+basepython = python3
+deps = {[testenv]deps}
+passenv = {[testenv]passenv}
+setenv = {[testenv:py2-nosasltls]setenv}
+commands = {[testenv:py2-nosasltls]commands}
+
 [testenv:coverage-report]
 deps = coverage
 skip_install = true

<!DOCTYPE html PUBLIC '-//W3C//DTD XHTML 1.0 Transitional//EN' 'http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd'>
<html xmlns='http://www.w3.org/1999/xhtml'>
<head>
<title>pFad - Phonifier reborn</title>
<meta http-equiv='Content-Type' content='text/html; charset=utf-8' />
</head>
<body>
<h1>Pfad - The Proxy pFad of &#169; 2024 Garber Painting. All rights reserved.</h1>


<!-- Disclaimer -->
<p>Note: This service is not intended for secure transactions such as banking, social media, email, or purchasing. Use at your own risk. We assume no liability whatsoever for broken pages.</p>
<br>
<p>Alternative Proxies:</p><p><a href="http://rainy.clevelandohioweatherforecast.com/php-proxy/index.php?q=https://patch-diff.githubusercontent.com/raw/python-ldap/python-ldap/pull/91.diff" target="_blank">Alternative Proxy</a></p><p><a href="http://rainy.clevelandohioweatherforecast.com/pFad/index.php?u=https://patch-diff.githubusercontent.com/raw/python-ldap/python-ldap/pull/91.diff" target="_blank">pFad Proxy</a></p><p><a href="http://rainy.clevelandohioweatherforecast.com/pFad/v3index.php?u=https://patch-diff.githubusercontent.com/raw/python-ldap/python-ldap/pull/91.diff" target="_blank">pFad v3 Proxy</a></p><p><a href="http://rainy.clevelandohioweatherforecast.com/pFad/v4index.php?u=https://patch-diff.githubusercontent.com/raw/python-ldap/python-ldap/pull/91.diff" target="_blank">pFad v4 Proxy</a></p></body>
</html>