diff --git a/AUTHORS b/AUTHORS
index ea31cba9cb37782274fe3c1f741e28362b1a6a7f..71a032b78c466e19ba0dc5d02cbc0b8f0120724b 100644
--- a/AUTHORS
+++ b/AUTHORS
@@ -24,3 +24,4 @@ Jamie McClelland -- cstream patches
 ale -- ldap cleanup
 Sami Haahtinen <ressu@ressukka.net>
 Matthew Palmer -- mysql enhancements
+romain.tartiere@healthgrid.org -- ldap fixes
diff --git a/ChangeLog b/ChangeLog
index 6ebf602df2d72d5e46bc867879907a2e603e2147..34589c24b45cd8883bf51c0c66502ddc1d77dea2 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -26,6 +26,8 @@ version 0.9.5 -- unreleased
 instead of on/off
 . Fixed problem that caused combination of slapcat and compress to not work together (Closes: Trac#29)
+ . Applied patch from romain.tartiere@healthgrid.org to fix the SSL/TLS options
+ to be correct, also set TLS to be the default over SSL (Closes: Trac#13)
 maildir:
 . Added an examples file (Closes: Trac#23)
 . Applied patch from Anarcat that fixes the cp/mkdir calls to not use GNU
diff --git a/handlers/ldap.helper.in b/handlers/ldap.helper.in
index 5ccbe7e860726e3ab822270d24b3cb332ab828ef..35b47a34e0b397f3638d9f8a5a1b78501402d778 100644
--- a/handlers/ldap.helper.in
+++ b/handlers/ldap.helper.in
@@ -7,13 +7,17 @@ while true; do
 checkBox "ldap action wizard" "check options (slapcat OR ldapsearch)" \
 "slapcat" "export ldif using slapcat" yes \
 "ldapsearch" "export ldif using ldapsearch" no \
- "compress" "compress the ldif output files" yes
+ "compress" "compress the ldif output files" yes \
+ "ssl" "use SSL (deprecated)" no \
+ "tls" "use TLS extended operations (RFC2246, RFC2830)" yes
 status=$?
 compress="compress = no"
 method="method = <unset>"
 restart="restart = no"
 binddn=""
 passwordfile=""
+ ssl="ssl = no"
+ tls="tls = no"
 [ $status = 1 ] && return;
 result="$REPLY"
 for opt in $result; do
@@ -33,6 +37,8 @@ while true; do
 binddn="binddn = $REPLY"
 require_packages ldap-utils
 ;;
+ '"ssl"') ssl="ssl = yes";;
+ '"tls"') tls="tls = yes";;
 esac
 done
 get_next_filename $configdirectory/30.ldap
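Review bot: The two new `checkBox` entries in the first ldap.helper.in hunk (`@@ -7,13 +7,17 @@`) can both be ticked, and nothing visible between the `ssl="ssl = no"` / `tls="tls = no"` resets and the `'"ssl"'` / `'"tls"'` case arms in the following hunk rejects that combination. The handler changed in this same commit turns `ssl = yes` into an `ldaps://` URL and `tls = yes` into `-ZZ`, and a StartTLS request on a connection that is already TLS-wrapped is expected to be refused, so the wizard can write a config whose ldapsearch export never succeeds. After the `for opt in $result` loop I would compare the two variables and return to the dialog when both are `yes`. As far as the ldap.in hunks show, the two options only affect the ldapsearch method, which the dialog text could say. The `while true; do` and `for` loops both continue outside these hunks.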
@@ -42,6 +48,8 @@ $compress
 $restart
 $binddn
 $passwordfile
+$ssl
+$tls
 # backupdir = /var/backups/ldap
 # conf = /etc/ldap/slapd.conf
 # databases = all
diff --git a/handlers/ldap.in b/handlers/ldap.in
index f6f87c77a46ce83eba218aa0d87c09cb29555e75..e5e21bad7a029bcf1fc96298f4095f436413e55e 100644
--- a/handlers/ldap.in
+++ b/handlers/ldap.in
@@ -13,9 +13,10 @@ getconf method ldapsearch
 getconf passwordfile
 getconf binddn
 getconf ldaphost
-getconf tls yes
+getconf ssl yes
+getconf tls no
-if [ $tls = 'yes' ]; then
+if [ $ssl = 'yes' ]; then
 URLBASE="ldaps"
 else
 URLBASE="ldap"
@@ -56,10 +57,14 @@ if [ "$ldif" == "yes" ]; then
 if [ "$method" == "slapcat" ]; then
 execstr="$SLAPCAT -f $conf -b $dbsuffix"
 else
+ LDAPARGS=""
+ if [ "$tls" == "yes" ]; then
+ LDAPARGS="-ZZ"
+ fi
 if [ -n "$ldaphost" ]; then
- execstr="$LDAPSEARCH -H $URLBASE://$ldaphost -x -L -b ""$dbsuffix"" -D ""$binddn"" -y $passwordfile"
+ execstr="$LDAPSEARCH $LDAPARGS -H $URLBASE://$ldaphost -x -L -b ""$dbsuffix"" -D ""$binddn"" -y $passwordfile"
 else
- execstr="$LDAPSEARCH -x -L -b ""$dbsuffix"" -D ""$binddn"" -y $passwordfile"
+ execstr="$LDAPSEARCH -H $URLBASE://$ldaphost -x -L -b ""$dbsuffix"" -D ""$binddn"" -y $passwordfile"
 fi
 [ -f "$passwordfile" ] || fatal "Password file $passwordfile not found. When method is set to ldapsearch, you must also specify a password file."
 debug "$execstr"
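Review bot: The new defaults in the first ldap.in hunk, `getconf ssl yes` and `getconf tls no`, are the opposite of what this commit's ChangeLog entry says ("set TLS to be the default over SSL") and of the wizard defaults added in ldap.helper.in. They also change the meaning of existing configs: a file that already contains `tls = yes`, which used to select `ldaps://`, now picks up `ssl` from its default too and ends up with `ldaps://` plus `-ZZ`. I would use `getconf ssl no` and `getconf tls yes`, and reject the contradictory case early with `[ "$ssl" = "yes" ] && [ "$tls" = "yes" ] && fatal "ssl and tls cannot both be set to yes"`. `$ssl` in the `if` test should be quoted as well, `if [ "$ssl" = 'yes' ]; then`.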
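Review bot: The rewritten `else` branch (empty `$ldaphost`) in the second ldap.in hunk looks like a mis-edited copy of the branch above it: it now passes `-H $URLBASE://$ldaphost`, which expands to a host-less `ldaps://` or `ldap://` URI where the removed line had no `-H` at all. It also omits `$LDAPARGS`, so `tls = yes` is silently ignored there, and with `ssl = no` the simple bind using `$passwordfile` goes out without StartTLS. I would write that line as `execstr="$LDAPSEARCH $LDAPARGS -x -L -b ""$dbsuffix"" -D ""$binddn"" -y $passwordfile"`. Separately, when both `ssl` and `tls` are `no` and `$ldaphost` is set, the bind is unencrypted, and a logged warning at that point would make this visible to the operator. The enclosing `if [ "$ldif" == "yes" ]` block continues outside the hunk.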