This option is used to define whether or not Samba should use SSL when connecting to the ldap server This is NOT related to Samba's previous SSL support which was enabled by specifying the --with-ssl option to the configure script. LDAP connections should be secured where possible. This may be done setting either this parameter to Start_tls or by specifying ldaps:// in the URL argument of . The can be set to one of two values: Off = Never use SSL when querying the directory. start tls = Use the LDAPv3 StartTLS extended operation (RFC2830) for communicating with the directory server. Please note that this parameter does only affect rpc methods. To enable the LDAPv3 StartTLS extended operation (RFC2830) for ads, set yes and yes. See smb.conf5 for more information on . start tls