diff --git a/lib/SimpleSAML/Auth/LDAP.php b/lib/SimpleSAML/Auth/LDAP.php
index 854bace4b6209d75f59b7f78c97fac1e2dcfb65f..d9216aa968d8c81876076e7e994b269e2c3e3cad 100644
--- a/lib/SimpleSAML/Auth/LDAP.php
+++ b/lib/SimpleSAML/Auth/LDAP.php
@@ -23,12 +23,17 @@ class SimpleSAML_Auth_LDAP {
 	/**
 	 * private constructor restricts instantiaton to getInstance()
 	 */
-	public function __construct($hostname) {
+	public function __construct($hostname,$enable_tls=true) {
 
 		$this->ldap = @ldap_connect($hostname);
 		if (empty($this->ldap)) 
 			throw new Exception('Could not connect to LDAP server. Please try again, and if the problem persists, please report the error.');
 
+        if (!preg_match("/ldaps:/i",$hostname) and $enable_tls) {
+            if (!ldap_start_tls($this->ldap)) {
+                throw new Exception('Could not force LDAP into TLS-session. Please verify certificates and configuration');
+            }
+        }
 		$this->setV3();
 
 	}
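Review bot: The new `$enable_tls` guard on the `if` at the StartTLS block treats any falsy value as an opt-out, so a caller that forwards an unset configuration value (presumably `null`) silently downgrades the connection to plaintext even though the parameter's own default is `true`; a fail-closed check would only honour an explicit opt-out, e.g. `if ($enable_tls !== false && !preg_match('/ldaps:/i', $hostname)) {`. The `ldaps:` test is also an unanchored substring match, so if `$hostname` is the space-separated URI list that `ldap_connect` accepts and it mixes `ldap://` and `ldaps://` entries, StartTLS is skipped for the plaintext entries too — worth a comment or an anchored `/^ldaps:/i` if a single URI is the intended contract. Whether the server certificate is actually verified after `ldap_start_tls` depends on the client library's TLS settings, which this code does not set; a one-line comment such as `// certificate checking is governed by the LDAP client library's configuration, not by this code` would help the next maintainer. Finally, the added block is indented with spaces while the rest of the method uses tabs.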
@@ -135,4 +140,4 @@ class SimpleSAML_Auth_LDAP {
 
 }
 
-?>
\ No newline at end of file
+?>
diff --git a/www/auth/login.php b/www/auth/login.php
index c0e7790ac1049ab996c60ec5de044e298b8bb868..e40347b45770bd64958080501ac7085aa07f2f48 100644
--- a/www/auth/login.php
+++ b/www/auth/login.php
@@ -61,7 +61,8 @@ if (isset($_POST['username'])) {
 		/*
 		 * Connecting to LDAP.
 		 */
-		$ldap = new SimpleSAML_Auth_LDAP($config->getValue('auth.ldap.hostname'));
+		$ldap = new SimpleSAML_Auth_LDAP($config->getValue('auth.ldap.hostname',
+                                         $config->getValue('auth.ldap.enable_tls')));
 	
 		/* Insert the LDAP username into the pattern configured in the
 		 * 'auth.ldap.dnpattern' option.
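Review bot: The closing parenthesis on the first added line is misplaced, so `$config->getValue('auth.ldap.enable_tls')` is passed as the second argument of `getValue('auth.ldap.hostname', ...)` rather than as the constructor's `$enable_tls` argument; the constructor therefore always receives one argument and the new configuration option has no effect. The intended call is `$ldap = new SimpleSAML_Auth_LDAP($config->getValue('auth.ldap.hostname'),` followed by `$config->getValue('auth.ldap.enable_tls'));`. Once the option is actually forwarded, check what `getValue` returns for an unset key (presumably `null`), since a falsy value would disable StartTLS in the constructor; if `getValue` accepts a default, passing `true` there keeps the fail-safe behaviour. The enclosing `if (isset($_POST['username']))` block starts and ends outside the hunk.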