Description: -x not documented, no way to set TLS from config file 
Author: Alexander Zangerl <az@debian.org>
Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=312601

--- a/doc/man/cpu-ldap.8
+++ b/doc/man/cpu-ldap.8
@@ -100,6 +100,8 @@
 can be omitted by specifying the password in the configuration file with the
 option BIND_PASS. If a value is specified at the command line, the switch
 should have no whitespace following it.
+.IP "-x, --tls"
+Try to starttls before talking with the ldap server.
 
 .IP "The following options can be used for populating LDAP attributes."
 
--- a/src/plugins/ldap/commandline.c
+++ b/src/plugins/ldap/commandline.c
@@ -512,6 +512,13 @@
 
   /* end of required fields */
 
+  /* enable tls if not on but don't disable it */
+  if (globalLdap->usetls == 0
+          && NULL != cfg_get_str("LDAP","USE_TLS"))
+    {
+      globalLdap->usetls = cfg_get_int("LDAP","USE_TLS");
+    }
+
   if (operation == USERADD && globalLdap->password_file != NULL)
     {
       struct cpass *p = NULL;
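Review bot: In the added block after `/* end of required fields */`, a USE_TLS value that cfg_get_int() does not turn into a non-zero number (for example `USE_TLS = yes`) would leave `globalLdap->usetls` at 0 with no diagnostic, so the bind credentials would be sent without StartTLS even though the administrator asked for it. How cfg_get_int() treats non-numeric text is not visible in this hunk, so that outcome is inferred. I would call `cfg_get_str("LDAP","USE_TLS")` once, keep the result, and print a warning when the key is present but the parsed value is 0 and the text is not literally `0`. The comment could also state the contract, e.g. `/* USE_TLS=<non-zero> in cpu.conf turns StartTLS on; it never turns off -x/--tls */`. The enclosing function starts and ends outside this hunk, so where usetls is consumed and whether a failed StartTLS aborts the operation cannot be checked from here.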
--- a/doc/cpu.conf
+++ b/doc/cpu.conf
@@ -7,6 +7,7 @@
 [LDAP]
 #LDAP_HOST	= 127.0.0.1
 #LDAP_PORT	= 389
+#USE_TLS	= 1
 # Can also use LDAP_URI = ldaps://localhost:389 for TLS support
 LDAP_URI	= ldap://127.0.0.1
 BIND_DN		= cn=Manager,dc=mydomain,dc=com
