diff -r 265d8de473ea lib/TWiki/Contrib/LdapContrib.pm
--- a/lib/TWiki/Contrib/LdapContrib.pm Fri Oct 03 21:16:53 2008 +0200
+++ b/lib/TWiki/Contrib/LdapContrib.pm Sat Oct 04 00:49:14 2008 +0200
@@ -184,6 +184,9 @@ sub new {
 useSASL=>$TWiki::cfg{Ldap}{UseSASL} || 0,
 saslMechanism=>$TWiki::cfg{Ldap}{SASLMechanism} || 'PLAIN CRAM-MD4 EXTERNAL ANONYMOUS',
+ useTLS=>$TWiki::cfg{Ldap}{UseTLS} || 0,
+ TLSCAFile=>$TWiki::cfg{Ldap}{TLSCAFile} || '',
+ secondaryPasswordManager=>$TWiki::cfg{Ldap}{SecondaryPasswordManager} || '',
 @_ };
@@ -292,6 +295,12 @@ sub connect {
 return 0;
 }
+ if ($this->{useTLS} && $this->{TLSCAFile} != '') {
+ $this->{ldap}->start_tls(
+ verify => 'require',
+ cafile => $this->{TLSCAFile},
+ );
+ }
 # authenticated bind
 my $msg;
 if (defined($dn)) {
diff -r 265d8de473ea lib/TWiki/Contrib/LdapContrib/Config.spec
--- a/lib/TWiki/Contrib/LdapContrib/Config.spec Fri Oct 03 21:16:53 2008 +0200
+++ b/lib/TWiki/Contrib/LdapContrib/Config.spec Sat Oct 04 00:45:53 2008 +0200
@@ -46,6 +46,14 @@ # List of SASL authentication mechanism to try; defaults to 'PLAIN CRAM-MD5
 # EXTERNAL ANONYMOUS'
 $TWiki::cfg{Ldap}{SASLMechanism} = 'PLAIN CRAM-MD5 EXTERNAL ANONYMOUS';
+
+# **BOOLEAN**
+# Use TLS
+$TWiki::cfg{Ldap}{UseTLS} = 0;
+
+# **STRING**
+# Path to CA file
+$TWiki::cfg{Ldap}{TLSCaFile} = '';
 # **BOOLEAN**
 # Enable/disable debug output to STDERR. This will end up in your web server's log files.
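Review bot: In the `sub new` hunk of LdapContrib.pm, the added `TLSCAFile` entry reads `$TWiki::cfg{Ldap}{TLSCAFile}`, while the Config.spec hunk of this same patch declares `$TWiki::cfg{Ldap}{TLSCaFile}` with a lower-case `a`. Perl hash keys are case-sensitive, so a path saved under the declared setting never reaches the constructor and `TLSCAFile` falls back to `''`, which in turn makes the `start_tls` guard in `connect` false. Pick one spelling and use it in both files, for example `$TWiki::cfg{Ldap}{TLSCAFile} = '';` in Config.spec. The body of `new` starts and ends outside the hunk.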
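Review bot: In the `connect` hunk of LdapContrib.pm, the guard `$this->{TLSCAFile} != ''` uses the numeric operator on strings, so a typical file path and `''` both numify to 0 and the `start_tls` call is skipped; the comparison needs `ne ''`. With the guard false, a site that has set UseTLS still sends the bind that follows over the unencrypted connection, and the only trace is an "isn't numeric" warning if warnings are enabled. The message returned by `start_tls` is also discarded, so a server that refuses StartTLS would not stop the bind either, and UseTLS with an empty CA file is skipped silently instead of being rejected. The sketch below fails closed in each of these cases; `connect` starts and ends outside the hunk, so whatever error recording the rest of it uses is not visible here and is left out.

```perl
  if ($this->{useTLS}) {
    # Fail closed: without a CA file the server certificate cannot be verified.
    return 0 if $this->{TLSCAFile} eq '';
    my $tlsMsg = $this->{ldap}->start_tls(
      verify => 'require',
      cafile => $this->{TLSCAFile},
    );
    # Never fall through to the bind on a connection that did not upgrade.
    return 0 if $tlsMsg->code;
  }
  # … unchanged: authenticated bind …
```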
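Review bot: In the Config.spec hunk, the two new settings are documented only as `# Use TLS` and `# Path to CA file`, which does not tell an administrator what is enforced. Going by the `connect` hunk, the option upgrades the already-open connection with `start_tls` using `verify => 'require'`, and nothing is upgraded when the CA path is empty. I would state that in the comments, e.g. `# Upgrade the LDAP connection with StartTLS before binding; the server certificate must verify against the CA file below.` and `# Path to the CA certificate file used to verify the LDAP server; must be set when TLS is enabled.`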