@@ -, +, @@
---
 bin/named/ldapdb.c | 18 +++++++++++++++---
 1 file changed, 15 insertions(+), 3 deletions(-)
--- a/bin/named/ldapdb.c
+++ a/bin/named/ldapdb.c
@@ -282,9 +282,21 @@ ldapdb_bind(const char *zone, struct ldapdb_data *data, LDAP **ldp) {
 /* -- Start TLS. -- */
 #ifdef LDAPDB_TLS
 if (data->tls) {
- ldap_start_tls_s(*ldp, NULL, NULL);
- isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL, NS_LOGMODULE_CONTROL, ISC_LOG_DEBUG(2),
- "LDAP sdb zone '%s': ldapdb_bind(): Started TLS", zone);
+ if ((rc = ldap_start_tls_s(*ldp, NULL, NULL)) == LDAP_SUCCESS) {
+ isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL, NS_LOGMODULE_CONTROL, ISC_LOG_DEBUG(2),
+ "LDAP sdb zone '%s': ldapdb_bind(): Started TLS", zone);
+ } else {
+ char *msg = NULL;
+ ldap_get_option(*ldp, LDAP_OPT_DIAGNOSTIC_MESSAGE, (void *)&msg);
+ isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL, NS_LOGMODULE_CONTROL, ISC_LOG_ERROR,
+ "LDAP sdb zone '%s': ldapdb_bind(): ldap_start_tls_s() failed: %s",
+ zone, msg);
+ ldap_memfree(msg);
+
+ ldap_unbind_ext(*ldp, NULL, NULL);
+ *ldp = NULL;
+ goto try_bind_again;
+ }
 }
 #endif
--
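Review bot: The error-path log passes `msg` to a `%s` conversion without checking it, but the return value of `ldap_get_option(LDAP_OPT_DIAGNOSTIC_MESSAGE)` is ignored and the option can leave `msg` NULL, which is undefined behaviour in a printf-style formatter; the argument line should read `zone, msg != NULL ? msg : "(no diagnostic message)");` (`ldap_memfree(NULL)` is fine as is). The `goto try_bind_again` after `*ldp = NULL` targets a label outside this hunk, so its effect cannot be verified here: if that path re-enters with `data->tls` still set the StartTLS failure repeats, and if it proceeds to a bind without TLS the credentials of a zone configured for TLS would go over the wire in clear — the intended behaviour deserves a comment at the `goto`, e.g. `/* StartTLS failed: drop this connection and retry from try_bind_again; never bind in clear when tls is configured */`, and a clear-text fallback, if that is what it is, should be logged at warning level rather than debug. `rc` is presumably declared earlier in ldapdb_bind, which begins and ends outside the hunk.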