--- a/src/lookups/ldap.c	2012-05-31 01:40:15.000000000 +0100
+++ b/src/lookups/ldap.c	2013-09-15 18:39:36.849574916 +0100
@@ -82,6 +82,7 @@
   BOOL  bound;
   int   port;
   LDAP *ld;
+  BOOL is_start_tls_called;
 } LDAP_CONNECTION;
 
 static LDAP_CONNECTION *ldap_connections = NULL;
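Review bot: The new `is_start_tls_called` field lands in LDAP_CONNECTION without a comment, and its naming differs from the neighbouring `bound` flag, so a reader has to find the bind code further down to learn what it guards. A one-line comment on the field would fix that: `BOOL is_start_tls_called;  /* TRUE once ldap_start_tls_s succeeded on ld; bind must not negotiate again */`. The struct's opening lines are outside this hunk.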
@@ -408,24 +409,16 @@
   DEBUG(D_lookup) debug_printf("initialized for LDAP (v%d) server %s%s\n",
     eldap_version, host, porttext);
 
-  /* If not using ldapi and TLS is available, set appropriate TLS options: hard
-  for "ldaps" and soft otherwise. */
+  /* For older ldap libraries, setting ldaps:/// connections requires using
+  LDAP_OPT_X_TLS_HARD as the value for the LDAP_OPT_X_TLS option */
 
   #ifdef LDAP_OPT_X_TLS
-  if (!ldapi)
+  if (strncmp(ludp->lud_scheme, "ldaps", 5) == 0)
     {
     int tls_option;
-    if (strncmp(ludp->lud_scheme, "ldaps", 5) == 0)
-      {
       tls_option = LDAP_OPT_X_TLS_HARD;
       DEBUG(D_lookup) debug_printf("LDAP_OPT_X_TLS_HARD set\n");
-      }
-    else
-      {
-      tls_option = LDAP_OPT_X_TLS_TRY;
-      DEBUG(D_lookup) debug_printf("LDAP_OPT_X_TLS_TRY set\n");
-      }
-    ldap_set_option(ld, LDAP_OPT_X_TLS, (void *)&tls_option);
+      ldap_set_option(ld, LDAP_OPT_X_TLS, (void *)&tls_option);
     }
   #endif  /* LDAP_OPT_X_TLS */
 
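Review bot: Removing the `LDAP_OPT_X_TLS_TRY` branch changes what a plain `ldap://` URL gets: it no longer attempts opportunistic TLS at connect time, so transport encryption for non-ldaps URLs now rests entirely on the separate `eldap_start_tls` path at bind time, and a configuration that relied on the old "soft" setting will bind in clear without any warning. The replacement comment only mentions older libraries and `ldaps`, so that consequence is invisible to the next maintainer; I would extend it: `/* Only ldaps: is forced here; for ldap:/ldapi: encryption is negotiated via STARTTLS at bind time when ldap_start_tls is set, otherwise the session is cleartext. */`. The enclosing function begins and ends outside this hunk.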
@@ -456,16 +449,16 @@
   #ifdef LDAP_OPT_X_TLS_CIPHER_SUITE
   if (eldap_cipher_suite != NULL)
     {
-    ldap_set_option(ld, LDAP_OPT_X_TLS_CIPHER_SUITE, eldap_cipher_suite);
+    ldap_set_option(NULL, LDAP_OPT_X_TLS_CIPHER_SUITE, eldap_cipher_suite);
     }
   #endif
   #ifdef LDAP_OPT_X_TLS_REQUIRE_CERT
   if (eldap_require_cert != NULL)
     {
-    int cert_option = LDAP_OPT_X_TLS_NEVER;
-    if (Ustrcmp(eldap_require_cert, "hard") == 0)
+    int cert_option = LDAP_OPT_X_TLS_HARD;
+    if (Ustrcmp(eldap_require_cert, "never") == 0)
       {
-      cert_option = LDAP_OPT_X_TLS_HARD;
+      cert_option = LDAP_OPT_X_TLS_NEVER;
       }
     else if (Ustrcmp(eldap_require_cert, "demand") == 0)
       {
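Review bot: Passing `NULL` instead of `ld` to `ldap_set_option` for `LDAP_OPT_X_TLS_CIPHER_SUITE` and `LDAP_OPT_X_TLS_REQUIRE_CERT` turns these into process-wide library defaults, yet they are still written from the current lookup's `eldap_cipher_suite` / `eldap_require_cert` every time a connection is created. If different lookups in the same process use different settings, a lookup configured with `never` leaves that weaker default behind for whatever connection is created next (and, presumably, whether a global setting affects the already-initialised `ld` at all depends on the library version — worth confirming). At minimum the code should say why the handle is not used: `/* Set globally (NULL handle): per-handle TLS options are not honoured by some libldap versions; note this persists for later connections in this process. */`. Making `LDAP_OPT_X_TLS_HARD` the default for unrecognised `ldap_require_cert` values is the right direction.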
@@ -479,7 +472,8 @@
       {
       cert_option = LDAP_OPT_X_TLS_TRY;
       }
-    ldap_set_option(ld, LDAP_OPT_X_TLS_REQUIRE_CERT, &cert_option);
+    debug_printf("Server certificate validation level set to LDAP_OPT_X_TLS_REQUIRE_CERT = %d\n", cert_option);
+    ldap_set_option(NULL, LDAP_OPT_X_TLS_REQUIRE_CERT, &cert_option);
     }
   #endif
 
@@ -493,6 +487,7 @@
   lcp->port = port;
   lcp->ld = ld;
   lcp->next = ldap_connections;
+  lcp->is_start_tls_called = FALSE;
   ldap_connections = lcp;
   }
 
@@ -520,8 +515,10 @@
   DEBUG(D_lookup) debug_printf("%sbinding with user=%s password=%s\n",
     (lcp->bound)? "re-" : "", user, password);
 #ifdef LDAP_OPT_X_TLS
-  /* The Oracle LDAP libraries (LDAP_LIB_TYPE=SOLARIS) don't support this: */
-  if (eldap_start_tls)
+  /* Try TLS negotiation for both ldap:/// or ldapi:/// (at least openldap can do it)
+  If URL is ldaps:///, TLS doesn't make any sense skip it.
+  The Oracle LDAP libraries (LDAP_LIB_TYPE=SOLARIS) don't support this: */
+  if (eldap_start_tls && !lcp->is_start_tls_called && (strncmp(ludp->lud_scheme, "ldaps", 5) != 0))
     {
         if ( (rc = ldap_start_tls_s(lcp->ld, NULL, NULL)) != LDAP_SUCCESS) {
             *errmsg = string_sprintf("failed to initiate TLS processing on an "
@@ -529,6 +526,7 @@
                 " %s", host, porttext, rc, ldap_err2string(rc));
             goto RETURN_ERROR;
         }
+        lcp->is_start_tls_called = TRUE;
     }
 #endif
   if ((msgid = ldap_bind(lcp->ld, CS user, CS password, LDAP_AUTH_SIMPLE))
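Review bot: The new condition repeats the `strncmp(ludp->lud_scheme, "ldaps", 5)` scheme test that the connection setup above also performs, so the "this is an ldaps URL" decision now lives in two places that can drift apart. I would compute it once when the URL is parsed, e.g. `BOOL is_ldaps = strncmp(ludp->lud_scheme, "ldaps", 5) == 0;`, and use `!is_ldaps` here and `is_ldaps` in the connect path. Failing STARTTLS still jumps to RETURN_ERROR before `ldap_bind`, so the simple-bind credentials are never sent on a session where negotiation failed, which is the right behaviour; since `is_start_tls_called` stays FALSE in that case, a later reuse of the cached entry will retry negotiation rather than bind in clear, assuming the entry survives the error path, which is outside this hunk. The comment's claim that STARTTLS works over ldapi is unverified here and is best marked as such.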
