diff --git a/config/vufind/config.ini b/config/vufind/config.ini
index 53cd47677c1023b50e487e134db78d4aa8481ae6..e6fa1aac95f7d9a98b156bc1b9ec0da19b8733ab 100644
--- a/config/vufind/config.ini
+++ b/config/vufind/config.ini
@@ -460,6 +460,10 @@ database          = mysql://root@localhost/vufind
 ; LDAP with TLS.
 ;host            = ldap.myuniversity.edu
 ;port            = 389       ; LDAPS usually uses port 636 instead
+; By default, when you use regular LDAP (not LDAPS), VuFind uses TLS security.
+; You can set disable_tls to true to bypass TLS if your server does not support
+; it. Note that this setting is ignored if you use ldaps:// in the host setting.
+;disable_tls     = false
 ;basedn          = "o=myuniversity.edu"
 ;username        = uid
 ; separator string for mapping multi-valued ldap-fields to a user attribute
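Review bot: The new comment for `disable_tls` says when the setting can be used but not what it costs: with plain `ldap://` and TLS off, the bind that follows presumably carries the user's password and the returned attributes over the network unencrypted. I would add a line such as `; With disable_tls = true, login passwords travel to the LDAP server in cleartext;` followed by `; prefer ldaps:// or enabling StartTLS on the server where possible.` so an administrator sees the trade-off at the point of choosing it.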
diff --git a/module/VuFind/src/VuFind/Auth/LDAP.php b/module/VuFind/src/VuFind/Auth/LDAP.php
index d40cbb6557fd0407e925d3b4830e09f1ecba6793..b1fdf5644cd56a0468f680a802b3c5e188293a37 100644
--- a/module/VuFind/src/VuFind/Auth/LDAP.php
+++ b/module/VuFind/src/VuFind/Auth/LDAP.php
@@ -158,9 +158,11 @@ class LDAP extends AbstractBase
         }
 
         // if the host parameter is not specified as ldaps://
-        // then we need to initiate TLS so we
+        // then (unless TLS is disabled) we need to initiate TLS so we
         // can have a secure connection over the standard LDAP port.
-        if (stripos($host, 'ldaps://') === false) {
+        $disableTls = isset($this->config->LDAP->disable_tls)
+            && $this->config->LDAP->disable_tls;
+        if (stripos($host, 'ldaps://') === false && !$disableTls) {
             $this->debug('Starting TLS');
             if (!@ldap_start_tls($connection)) {
                 $this->debug('TLS failed');
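Review bot: When `disable_tls` is set, the condition `stripos($host, 'ldaps://') === false && !$disableTls` skips StartTLS without emitting any debug line, so a plain-LDAP session leaves no trace that it ran unencrypted. A line placed before that `if` would make the downgrade visible in the log: `if ($disableTls && stripos($host, 'ldaps://') === false) { $this->debug('TLS disabled by configuration; LDAP connection is unencrypted'); }`. The flag is also read by truthiness, so any non-empty value the config loader leaves as a string (a quoted "false", for instance; the loader is not visible here) would switch TLS off, and a strict parse with `filter_var($value, FILTER_VALIDATE_BOOLEAN)` would fail closed instead. The enclosing method starts and ends outside the hunk.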