diff --git a/doc/setup.texi b/doc/setup.texi
index cc8014ee4..2516e684a 100644
--- a/doc/setup.texi
+++ b/doc/setup.texi
@@ -1126,6 +1126,7 @@ enter the path to the kadmin acl file:
 hdb-ldap-structural-object = inetOrgPerson
 hdb-ldap-url = ldapi:/// (default), ldap://hostname or ldaps://hostname
 hdb-ldap-secret-file = /path/to/file/containing/ldap/credentials
+ hdb-ldap-start-tls = false
 
 database = @{
 dbname = ldap:ou=KerberosPrincipals,dc=example,dc=com
diff --git a/lib/hdb/hdb-ldap.c b/lib/hdb/hdb-ldap.c
index c0dfe84a2..d748e0760 100644
--- a/lib/hdb/hdb-ldap.c
+++ b/lib/hdb/hdb-ldap.c
@@ -60,6 +60,7 @@ struct hdbldapdb {
 char *h_url;
 char *h_bind_dn;
 char *h_bind_password;
+ krb5_boolean h_start_tls;
 char *h_createbase;
 };
 
@@ -1590,6 +1591,17 @@ LDAP__connect(krb5_context context, HDB * db)
 return HDB_ERR_BADVERSION;
 }
 
+ if (((struct hdbldapdb *)db->hdb_db)->h_start_tls) {
+ rc = ldap_start_tls_s(HDB2LDAP(db), NULL, NULL);
+
+ if (rc != LDAP_SUCCESS) {
+ krb5_set_error_message(context, HDB_ERR_BADVERSION, "ldap_start_tls_s: %s", ldap_err2string(rc));
+ LDAP_close(context, db);
+ return HDB_ERR_BADVERSION;
+ }
+ }
+
 rc = ldap_sasl_bind_s(HDB2LDAP(db), bind_dn, sasl_method, &bv, NULL, NULL, NULL);
 if (rc != LDAP_SUCCESS) {
@@ -1913,6 +1925,10 @@ hdb_ldap_common(krb5_context context,
 krb5_config_file_free(context, tmp);
 }
 
+ h->h_start_tls =
+ krb5_config_get_bool_default(context, NULL, FALSE, "kdc", "hdb-ldap-start-tls", NULL);
+
 create_base = krb5_config_get_string(context, NULL, "kdc", "hdb-ldap-create-base", NULL);
 if (create_base == NULL)
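Review bot: The new StartTLS branch in LDAP__connect negotiates TLS before the bind but says nothing about how the server certificate is verified; ldap_start_tls_s only upgrades the transport, and whether an untrusted or mismatched certificate is rejected is left to the libldap client configuration (TLS_REQCERT / LDAP_OPT_X_TLS_REQUIRE_CERT), which the hunks shown neither set nor document. Since the purpose of hdb-ldap-start-tls is to keep the bind credential passed to ldap_sasl_bind_s on the following lines off the wire in clear, a comment above the `if` such as `/* StartTLS before bind so the credential is never sent in clear; peer certificate verification is governed by the libldap TLS_REQCERT setting */`, plus a matching sentence next to the new `hdb-ldap-start-tls = false` line in the doc/setup.texi hunk, would make that dependency explicit to operators. The error code is also worth a second look: a TLS failure is reported as HDB_ERR_BADVERSION, consistent with the preceding error path visible in the hunk but misleading in the KDC log, so the `ldap_start_tls_s:` prefix in the message is the only thing an operator can key on. LDAP__connect begins and ends outside the hunk.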