diff --git a/config-templates/module_perun.php b/config-templates/module_perun.php
index 7dcc8226..c1ef791b 100644
--- a/config-templates/module_perun.php
+++ b/config-templates/module_perun.php
@@ -32,6 +32,12 @@
 */
 //'ldap.username' => '_proxy-idp',
 //'ldap.password' => 'password'
+
+ /**
+ * Whether to use startTLS on port 389. Defaults to false.
+ * SSL/TLS is always used for ldaps: regardless of this setting.
+ */
+ //'ldap.enable_tls' => true,
 
 /**
 * Perun group name to eduPersonEntitlement mapping. Mapping is according to the spec in
diff --git a/lib/AdapterLdap.php b/lib/AdapterLdap.php
index 3f888247..48f4e97f 100644
--- a/lib/AdapterLdap.php
+++ b/lib/AdapterLdap.php
@@ -30,6 +30,7 @@ class AdapterLdap extends Adapter
 const LDAP_USER = 'ldap.username';
 const LDAP_PASSWORD = 'ldap.password';
 const LDAP_BASE = 'ldap.base';
+ const LDAP_TLS = 'ldap.enable_tls';
 const PERUN_FACILITY_ID = 'perunFacilityId';
 const CN = 'cn';
 const DESCRIPTION = 'description';
@@ -57,8 +58,9 @@ public function __construct($configFileName = null)
 $ldapUser = $conf->getString(self::LDAP_USER, null);
 $ldapPassword = $conf->getString(self::LDAP_PASSWORD, null);
 $this->ldapBase = $conf->getString(self::LDAP_BASE);
+ $ldapEnableTLS = $conf->getBoolean(self::LDAP_TLS, false);
 
- $this->connector = new LdapConnector($ldapHostname, $ldapUser, $ldapPassword);
+ $this->connector = new LdapConnector($ldapHostname, $ldapUser, $ldapPassword, $ldapEnableTLS);
 $this->fallbackAdapter = new AdapterRpc();
 }
 
diff --git a/lib/LdapConnector.php b/lib/LdapConnector.php
index 70316de8..a6f18e0b 100644
--- a/lib/LdapConnector.php
+++ b/lib/LdapConnector.php
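Review bot: The new `ldap.enable_tls` comment does not say what happens when StartTLS cannot be negotiated; the connector side of this commit throws rather than continuing with a plaintext bind, and that is worth stating here so operators do not read the resulting failure as a misconfiguration elsewhere. It would also help to say that with the option left at `false` a plain `ldap://` URI sends the bind password unencrypted. Suggested extra line for the comment block: `If enabled and the server does not accept StartTLS, the connection fails instead of continuing without encryption.`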
@@ -31,18 +31,21 @@ class LdapConnector
 private $hostname;
 private $user;
 private $password;
+ private $enableTLS;
 
 /**
 * LdapConnector constructor.
 * @param $hostname
 * @param $user
 * @param $password
+ * @param $enableTLS
 */
- public function __construct($hostname, $user, $password)
+ public function __construct($hostname, $user, $password, $enableTLS = false)
 {
 $this->hostname = $hostname;
 $this->user = $user;
 $this->password = $password;
+ $this->enableTLS = $enableTLS;
 }
 
 /**
@@ -108,6 +111,13 @@ protected function search($base, $filter, $attributes = null)
 }
 
 ldap_set_option($conn, LDAP_OPT_PROTOCOL_VERSION, 3);
+
+ // Enable TLS, if needed
+ if ($this->enableTLS && stripos($this->hostname, "ldaps:") === false) {
+ if (!@ldap_start_tls($conn)) {
+ throw new Exception('Unable to force TLS on Perun LDAP');
+ }
+ }
 
 if (ldap_bind($conn, $this->user, $this->password) === false) {
 throw new Exception('Unable to bind user to the Perun LDAP, ' . $this->hostname);
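Review bot: The added `@param $enableTLS` line carries no type and no meaning, so a caller reading the docblock cannot tell that the flag is consulted only for non-`ldaps:` URIs and that omitting it keeps the bind unencrypted. Suggested docblock line: `@param bool $enableTLS Negotiate StartTLS before binding on plain ldap:// URIs; ignored for ldaps: URIs (default false).` If the module targets PHP 7 or later, `bool $enableTLS = false` in the signature would additionally stop a non-boolean value from being accepted silently; the config path in this commit already passes a boolean, so that would be a change for other callers only.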
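Review bot: `@ldap_start_tls($conn)` suppresses the library diagnostic and the thrown message carries nothing from it, so an operator cannot tell a server that refuses StartTLS apart from a failed certificate check; drop the `@` and include `ldap_error($conn)` and the host, e.g. `throw new Exception('Unable to force TLS on Perun LDAP ' . $this->hostname . ': ' . ldap_error($conn));`. Whether the server certificate is verified after the upgrade is left to the libldap defaults, which this hunk does not set, so a comment above the block saying that the TLS upgrade alone does not guarantee the peer is authenticated would help whoever deploys this. The `"ldaps:"` literal is double-quoted while the neighbouring lines use single quotes. The enclosing search() method starts and ends outside this hunk.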