changeset 4415:b91816cd1d16 HEAD

Added TLS support for LDAP if the library supports it.
author Timo Sirainen <tss@iki.fi>
date Sat, 17 Jun 2006 22:32:14 +0300
parents 9017db478693
children fc135e4c169e
files configure.in src/auth/db-ldap.c src/auth/db-ldap.h
diffstat 3 files changed, 20 insertions(+), 0 deletions(-) [+]
--- a/configure.in	Sat Jun 17 22:15:20 2006 +0300
+++ b/configure.in	Sat Jun 17 22:32:14 2006 +0300
@@ -1412,6 +1412,9 @@
 			AC_CHECK_LIB(ldap, ldap_initialize, [
 				AC_DEFINE(LDAP_HAVE_INITIALIZE,, Define if you have ldap_initialize)
 			])
+			AC_CHECK_LIB(ldap, ldap_start_tls_s, [
+				AC_DEFINE(LDAP_HAVE_START_TLS_S,, Define if you have ldap_start_tls_s)
+			])
 			AUTH_LIBS="$AUTH_LIBS -lldap"
 
         		AC_DEFINE(USERDB_LDAP,, Build with LDAP support)
--- a/src/auth/db-ldap.c	Sat Jun 17 22:15:20 2006 +0300
+++ b/src/auth/db-ldap.c	Sat Jun 17 22:32:14 2006 +0300
@@ -35,6 +35,7 @@
 	DEF(SET_STR, dnpass),
 	DEF(SET_BOOL, auth_bind),
 	DEF(SET_STR, auth_bind_userdn),
+	DEF(SET_BOOL, tls),
 	DEF(SET_BOOL, sasl_bind),
 	DEF(SET_STR, sasl_mech),
 	DEF(SET_STR, sasl_realm),
@@ -62,6 +63,7 @@
 	MEMBER(dnpass) NULL,
 	MEMBER(auth_bind) FALSE,
 	MEMBER(auth_bind_userdn) NULL,
+	MEMBER(tls) FALSE,
 	MEMBER(sasl_bind) FALSE,
 	MEMBER(sasl_mech) NULL,
 	MEMBER(sasl_realm) NULL,
@@ -298,6 +300,20 @@
 		}
 	}
 
+	if (conn->set.tls) {
+#ifdef LDAP_HAVE_START_TLS_S
+		ret = ldap_start_tls_s(conn->ld, NULL, NULL);
+		if (ret != LDAP_SUCCESS) {
+			i_error("LDAP: ldap_start_tls_s() failed: %s",
+				ldap_err2string(ret));
+			return FALSE;
+		}
+#else
+		i_error("LDAP: Your LDAP library doesn't support TLS");
+		return FALSE;
+#endif
+	}
+
 	/* FIXME: we shouldn't use blocking bind */
 	if (conn->set.sasl_bind) {
 		context.authcid = conn->set.dn;
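Review bot: The new `if (conn->set.tls)` block negotiates StartTLS but says nothing about how the server certificate is verified, which is the property an operator enabling `tls` is relying on; as written the outcome is whatever peer-verification policy the LDAP library has configured (for OpenLDAP that is the `TLS_REQCERT` setting, or `LDAP_OPT_X_TLS_REQUIRE_CERT` if the code sets it elsewhere), and nothing in the hunk pins it. I would add a comment above the block so the assumption is visible: `/* StartTLS on the plaintext connection. Peer certificate checking follows the library's configured policy (OpenLDAP: TLS_REQCERT); a rejected certificate surfaces as an ldap_start_tls_s() error here. */`. It is also worth confirming, outside this hunk, that the connection is LDAPv3 before this point and that `tls` is not combined with an `ldaps://` URI, since StartTLS on an already-encrypted session fails; the function this runs in begins and ends outside the hunk, so I cannot see either from here. Failing the connection on both the error path and the `#else` path is the right fail-closed behavior and should stay.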
--- a/src/auth/db-ldap.h	Sat Jun 17 22:15:20 2006 +0300
+++ b/src/auth/db-ldap.h	Sat Jun 17 22:32:14 2006 +0300
@@ -20,6 +20,7 @@
 	bool auth_bind;
 	const char *auth_bind_userdn;
 
+	bool tls;
 	bool sasl_bind;
 	const char *sasl_mech;
 	const char *sasl_realm;