diff --git a/conf/default.conf.php b/conf/default.conf.php
index 30fb4a15da..465e402492 100644
--- a/conf/default.conf.php
+++ b/conf/default.conf.php
@@ -712,6 +712,9 @@ return array(
   // The password of the LDAP anonymous user.
   'ldap.anonymous-user-password' => null,
+  // Whether to use STARTTLS
+  'ldap.start-tls' => false,
+
   // -- Disqus OAuth ---------------------------------------------------------- //
diff --git a/src/applications/auth/ldap/PhabricatorLDAPProvider.php b/src/applications/auth/ldap/PhabricatorLDAPProvider.php
index f0e0277806..45f958d382 100644
--- a/src/applications/auth/ldap/PhabricatorLDAPProvider.php
+++ b/src/applications/auth/ldap/PhabricatorLDAPProvider.php
@@ -50,6 +50,10 @@ final class PhabricatorLDAPProvider {
     return PhabricatorEnv::getEnvConfig('ldap.referrals');
   }
+  public function getLDAPStartTLS() {
+    return PhabricatorEnv::getEnvConfig('ldap.start-tls');
+  }
+
   public function bindAnonymousUserEnabled() {
     return strlen(trim($this->getAnonymousUserName())) > 0;
   }
@@ -114,6 +118,13 @@ final class PhabricatorLDAPProvider {
       $this->getLDAPVersion());
     ldap_set_option($this->connection, LDAP_OPT_REFERRALS, $this->getLDAPReferrals());
+
+    if ($this->getLDAPStartTLS()) {
+      if (!ldap_start_tls($this->getConnection())) {
+        throw new Exception('Unabled to initialize STARTTLS for LDAP host at '. $this->getHostname().':'.$this->getPort());
+      }
+    }
   }
   return $this->connection;
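Review bot: The new `ldap.start-tls` entry is documented only as `// Whether to use STARTTLS`, which does not tell an operator what is at stake: this is the user-facing config file, and the `false` default is the unencrypted choice. I would expand the comment to something like `// Whether to upgrade the LDAP connection to TLS with STARTTLS after connecting. With this off, LDAP traffic (including bind credentials) is sent in plaintext unless the transport is otherwise protected; enabling it requires a server that supports STARTTLS and a certificate the client trusts.` The neighbouring option comments in this block follow the same one-line style, so a two- or three-line comment fits the file.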
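Review bot: When `ldap_start_tls` fails, the plaintext handle in `$this->connection` (the one the preceding `ldap_set_option` calls operate on) is left open and, presumably, still cached, so a later call into this method would skip the initialization branch and hand back an unencrypted connection after the first caller saw the exception; close and clear it before throwing. The check also calls `$this->getConnection()` from inside what appears to be the connection getter itself (the method ends with `return $this->connection;`), whereas the sibling `ldap_set_option` calls use the field directly — use `$this->connection` here too rather than re-entering the getter. The message has a typo (`'Unable to initialize STARTTLS ...'`), and appending `ldap_error($this->connection)` would tell the operator why negotiation failed. Note that STARTTLS only defeats an active attacker if the client library also verifies the server certificate (`TLS_REQCERT` in ldap.conf or `LDAP_OPT_X_TLS_REQUIRE_CERT`), which this change does not configure. The enclosing method begins outside the hunk.
```php
    if ($this->getLDAPStartTLS()) {
      if (!ldap_start_tls($this->connection)) {
        // Do not leave a cached plaintext handle behind for later callers.
        $error = ldap_error($this->connection);
        ldap_unbind($this->connection);
        $this->connection = null;
        throw new Exception('Unable to initialize STARTTLS for LDAP host at '.
          $this->getHostname().':'.$this->getPort().': '.$error);
      }
    }
```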