--- db-ldap.h.orig 2005-09-20 16:00:50.000000000 +0200
+++ db-ldap.h 2005-09-20 16:00:50.000000000 +0200
@@ -17,6 +17,7 @@
 const char *deref;
 const char *scope;
 const char *base;
+ unsigned int start_tls;
 unsigned int ldap_version;
 const char *user_attrs;
--- db-ldap.c.orig 2005-09-20 16:00:50.000000000 +0200
+++ db-ldap.c 2005-09-20 16:00:50.000000000 +0200
@@ -36,6 +36,7 @@
 DEF(SET_STR, deref),
 DEF(SET_STR, scope),
 DEF(SET_STR, base),
+ DEF(SET_INT, start_tls),
 DEF(SET_INT, ldap_version),
 DEF(SET_STR, user_attrs),
 DEF(SET_STR, user_filter),
@@ -54,6 +55,7 @@
 MEMBER(scope) "subtree",
 MEMBER(base) NULL,
 MEMBER(ldap_version) 2,
+ MEMBER(start_tls) 0,
 MEMBER(user_attrs) NULL,
 MEMBER(user_filter) NULL,
 MEMBER(pass_attrs) NULL,
@@ -205,6 +207,31 @@
 }
 }
+ /* TLS support, from Eric's LPK */
+ if (conn->set.start_tls) {
+ if (ldap_start_tls_s(conn->ld, NULL, NULL ) != LDAP_SUCCESS) {
+ /* failed then reinit the initial connect */
+ ldap_perror(conn->ld,
+ "ldap_connect: (TLS) ldap_start_tls()");
+ if (conn->set.start_tls == 1)
+ return FALSE;
+
+ conn->ld = ldap_init(conn->set.hosts, LDAP_PORT);
+ if (!conn->ld) {
+ ldap_perror(conn->ld, "ldap_init()");
+ return FALSE;
+ }
+
+ if ( ldap_set_option(conn->ld,
+ LDAP_OPT_PROTOCOL_VERSION,
+ &conn->set.ldap_version) !=
+ LDAP_OPT_SUCCESS) {
+ ldap_perror(conn->ld, "ldap_set_option()");
+ return FALSE;
+ }
+ } /* ldap_start_tls */
+ } /* TLS */
+
 /* NOTE: we use blocking connect, we couldn't do anything anyway
 until it's done. */
 ret = ldap_simple_bind_s(conn->ld, conn->set.dn, conn->set.dnpass);
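Review bot: With start_tls set to any non-zero value other than 1, a failed ldap_start_tls_s() is only logged and the code falls through to the ldap_simple_bind_s() below with conn->set.dn and conn->set.dnpass on the re-initialised plaintext connection, so the bind credentials go over the wire unencrypted with nothing telling the operator the session was downgraded; that rule (1 = TLS required, other non-zero = opportunistic, plaintext fallback) should be stated in a comment at `if (conn->set.start_tls == 1)` and the downgrade logged explicitly at that point. The fallback also overwrites conn->ld with a fresh ldap_init() without releasing the handle whose TLS negotiation failed, so add `ldap_unbind(conn->ld);` immediately before `conn->ld = ldap_init(conn->set.hosts, LDAP_PORT);`. When that ldap_init() returns NULL, `ldap_perror(conn->ld, "ldap_init()")` is handed the NULL handle it is meant to report on; a plain log message that does not touch the handle belongs there instead. The re-init hard-codes LDAP_PORT and LDAP_OPT_PROTOCOL_VERSION, which presumably mirrors the initial ldap_init() earlier in the function, but that code is outside this hunk and worth confirming so the two paths do not drift. The enclosing function starts and ends outside the hunk.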