diff --git a/.env.template b/.env.template
index fca55ec3..cb62dc52 100644
--- a/.env.template
+++ b/.env.template
@@ -158,6 +158,7 @@ REVERSE_PROXY_AUTH=0
 #AUTH_LDAP_BIND_PASSWORD=
 #AUTH_LDAP_USER_SEARCH_BASE_DN=
 #AUTH_LDAP_TLS_CACERTFILE=
+#AUTH_LDAP_START_TLS=
 
 # Enables exporting PDF (see export docs)
 # Disabled by default, uncomment to enable
diff --git a/docs/features/authentication.md b/docs/features/authentication.md
index 4dd619e6..f218d662 100644
--- a/docs/features/authentication.md
+++ b/docs/features/authentication.md
@@ -96,6 +96,7 @@ AUTH_LDAP_USER_SEARCH_FILTER_STR=(uid=%(user)s)
 AUTH_LDAP_USER_ATTR_MAP={'first_name': 'givenName', 'last_name': 'sn', 'email': 'mail'}
 AUTH_LDAP_ALWAYS_UPDATE_USER=1
 AUTH_LDAP_CACHE_TIMEOUT=3600
+AUTH_LDAP_START_TLS=1
 AUTH_LDAP_TLS_CACERTFILE=/etc/ssl/certs/own-ca.pem
 ```
 
diff --git a/recipes/settings.py b/recipes/settings.py
index 8e97d05d..e89dbc6d 100644
--- a/recipes/settings.py
+++ b/recipes/settings.py
@@ -221,6 +221,7 @@ if LDAP_AUTH:
 
     AUTHENTICATION_BACKENDS.append('django_auth_ldap.backend.LDAPBackend')
     AUTH_LDAP_SERVER_URI = os.getenv('AUTH_LDAP_SERVER_URI')
+    AUTH_LDAP_START_TLS = bool(int(os.getenv('AUTH_LDAP_START_TLS', False)))
     AUTH_LDAP_BIND_DN = os.getenv('AUTH_LDAP_BIND_DN')
     AUTH_LDAP_BIND_PASSWORD = os.getenv('AUTH_LDAP_BIND_PASSWORD')
     AUTH_LDAP_USER_SEARCH = LDAPSearch(