diff --git a/extensions/guacamole-auth-ldap/src/main/java/org/apache/guacamole/auth/ldap/LDAPConnectionService.java b/extensions/guacamole-auth-ldap/src/main/java/org/apache/guacamole/auth/ldap/LDAPConnectionService.java
index c0c1d6bab..0da077a20 100644
--- a/extensions/guacamole-auth-ldap/src/main/java/org/apache/guacamole/auth/ldap/LDAPConnectionService.java
+++ b/extensions/guacamole-auth-ldap/src/main/java/org/apache/guacamole/auth/ldap/LDAPConnectionService.java
@@ -195,6 +195,15 @@ public class LDAPConnectionService {
 if (LdapUrl.LDAPS_SCHEME.equals(ldapUrl.getScheme()))
 encryptionMethod = EncryptionMethod.SSL;
 
+ // Use STARTTLS for otherwise unencrypted ldap:// URLs if the main
+ // LDAP connection requires STARTTLS
+ else if (confService.getEncryptionMethod() == EncryptionMethod.STARTTLS) {
+ logger.debug("Using STARTTLS for LDAP URL \"{}\" as the main LDAP "
+ + "connection described in guacamole.properties is "
+ + "configured to use STARTTLS.", url);
+ encryptionMethod = EncryptionMethod.STARTTLS;
+ }
+
 // If no post is specified within the URL, use the default port
 // dictated by the encryption method
 int port = ldapUrl.getPort();
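Review bot: The new `else if` only covers a main connection configured for STARTTLS, so an `ldap://` URL handled while the main connection is configured for `EncryptionMethod.SSL` matches neither branch. In that case `encryptionMethod` keeps whatever value it was given before this hunk, presumably unencrypted, though the initialisation is not visible here. If so, a bind against such a URL would still go out in cleartext even though the administrator asked for an encrypted main connection. I would add a further branch that at least makes this visible, e.g. `else if (confService.getEncryptionMethod() == EncryptionMethod.SSL) logger.warn("LDAP URL \"{}\" is unencrypted although the main LDAP connection requires SSL.", url);`, or that refuses the connection outright. The enclosing method starts and ends outside the hunk, so whether a failed STARTTLS negotiation is treated as fatal should be confirmed there.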