diff --git a/include/ldap.h b/include/ldap.h
index 8209fc6d2997523cff7b67469e6c7df30d34bad7..f8811c7ad3140a3f1e976f2baabd1f6240a5bc3a 100644
--- a/include/ldap.h
+++ b/include/ldap.h
@@ -134,6 +134,8 @@ LDAP_BEGIN_DECL
 #define LDAP_OPT_X_TLS_RANDOM_FILE	0x6009
 #define LDAP_OPT_X_TLS_SSL_CTX		0x600a
 #define LDAP_OPT_X_TLS_CRLCHECK		0x600b
+#define LDAP_OPT_X_TLS_CONNECT_CB	0x600c
+#define LDAP_OPT_X_TLS_CONNECT_ARG	0x600d
 
 #define LDAP_OPT_X_TLS_NEVER	0
 #define LDAP_OPT_X_TLS_HARD		1
diff --git a/include/ldap_pvt.h b/include/ldap_pvt.h
index dbaad7b97a4311ad34948d6e48a3adae2b513672..e95d8b3ae56bb85aff60edff25ce3e4256e054dc 100644
--- a/include/ldap_pvt.h
+++ b/include/ldap_pvt.h
@@ -241,6 +241,9 @@ LDAP_F (int) ldap_pvt_tls_init_default_ctx LDAP_P(( void ));
 
 typedef int LDAPDN_rewrite_dummy LDAP_P (( void *dn, unsigned flags ));
 
+typedef int (LDAP_TLS_CONNECT_CB) LDAP_P (( struct ldap *ld, void *ssl,
+	void *ctx, void *arg ));
+
 LDAP_F (int) ldap_pvt_tls_get_my_dn LDAP_P(( void *ctx, struct berval *dn,
 	LDAPDN_rewrite_dummy *func, unsigned flags ));
 LDAP_F (int) ldap_pvt_tls_get_peer_dn LDAP_P(( void *ctx, struct berval *dn,
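Review bot: The callback type is declared here in ldap_pvt.h, while the options that install it (`LDAP_OPT_X_TLS_CONNECT_CB`, `LDAP_OPT_X_TLS_CONNECT_ARG`) are added to ldap.h. If ldap_pvt.h is not an installed header, a caller using only ldap.h has no prototype to write the callback against. The typedef is also undocumented: `ssl` and `ctx` are plain `void *`, and nothing in the diff says what the `int` return means. I would add a comment such as `/* invoked on a new session before the TLS handshake; ssl and ctx are the library's session and context handles; return value is currently ignored */` and consider moving the typedef next to the option definitions.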
diff --git a/libraries/libldap/ldap-int.h b/libraries/libldap/ldap-int.h
index 198ffb7a64fecd91b35e557e739a89b37c485234..4058d8ab7cefbc9e99f3401548abf4620243f9a4 100644
--- a/libraries/libldap/ldap-int.h
+++ b/libraries/libldap/ldap-int.h
@@ -170,6 +170,8 @@ struct ldapoptions {
 
 #ifdef HAVE_TLS
    	int			ldo_tls_mode;
+	LDAP_TLS_CONNECT_CB	*ldo_tls_connect_cb;
+	void*			ldo_tls_connect_arg;
 #endif
 
 	LDAPURLDesc *ldo_defludp;
diff --git a/libraries/libldap/tls.c b/libraries/libldap/tls.c
index 3251a8b31cce5c0d08118813e9e2123c2f044b9b..0672ce5952401c6b9f0dfd61385cf78ae9a6bf7a 100644
--- a/libraries/libldap/tls.c
+++ b/libraries/libldap/tls.c
@@ -713,6 +713,7 @@ ldap_int_tls_connect( LDAP *ld, LDAPConn *conn )
 		ber_sockbuf_ctrl( sb, LBER_SB_OPT_GET_SSL, (void *)&ssl );
 
 	} else {
+		struct ldapoptions *lo;
 		void *ctx = ld->ld_defconn
 			? ld->ld_defconn->lconn_tls_ctx : NULL;
 
@@ -728,8 +729,15 @@ ldap_int_tls_connect( LDAP *ld, LDAPConn *conn )
 			LBER_SBIOD_LEVEL_TRANSPORT, (void *)ssl );
 
 		if( ctx == NULL ) {
+			ctx = tls_def_ctx;
 			conn->lconn_tls_ctx = tls_def_ctx;
 		}
+		lo = &ld->ld_options;
+		if ( lo->ldo_tls_connect_cb )
+			lo->ldo_tls_connect_cb( ld, ssl, ctx, lo->ldo_tls_connect_arg );
+		lo = LDAP_INT_GLOBAL_OPT();   
+		if ( lo && lo->ldo_tls_connect_cb )
+			lo->ldo_tls_connect_cb( ld, ssl, ctx, lo->ldo_tls_connect_arg );
 	}
 
 	err = SSL_connect( ssl );
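Review bot: Both calls to `ldo_tls_connect_cb` discard the `int` result, so a callback that fails to apply its per-connection TLS settings (extra verification, for example) cannot stop the handshake, and `SSL_connect( ssl )` proceeds regardless. I would capture the result, e.g. `rc = lo->ldo_tls_connect_cb( ld, ssl, ctx, lo->ldo_tls_connect_arg );`, and fail the connect on a nonzero value using whatever teardown the function already uses for errors, which lies outside this hunk. The handle-level and global callbacks are also invoked unconditionally one after the other, so if a handle's options are inherited from the global ones (not visible here), the same function runs twice on one session. Comparing the two pointers, or preferring the handle-level callback, would avoid that. The body of `ldap_int_tls_connect` starts and ends outside the hunk.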
@@ -1201,6 +1209,12 @@ ldap_pvt_tls_get_option( LDAP *ld, int option, void *arg )
 		*(void **)arg = retval;
 		break;
 	}
+	case LDAP_OPT_X_TLS_CONNECT_CB:
+		*(LDAP_TLS_CONNECT_CB **)arg = lo->ldo_tls_connect_cb;
+		break;
+	case LDAP_OPT_X_TLS_CONNECT_ARG:
+		*(void **)arg = lo->ldo_tls_connect_arg;
+		break;
 	default:
 		return -1;
 	}
@@ -1253,6 +1267,12 @@ ldap_pvt_tls_set_option( LDAP *ld, int option, void *arg )
 			ld->ld_defconn->lconn_tls_ctx = arg;
 		}
 		return 0;
+	case LDAP_OPT_X_TLS_CONNECT_CB:
+		lo->ldo_tls_connect_cb = (LDAP_TLS_CONNECT_CB *)arg;
+		return 0;
+	case LDAP_OPT_X_TLS_CONNECT_ARG:
+		lo->ldo_tls_connect_arg = arg;
+		return 0;
 	}
 
 	if ( ld != NULL ) {
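Review bot: The callback and its argument are stored by two independent option calls, so a connect that starts between them sees a new `ldo_tls_connect_cb` paired with the old `ldo_tls_connect_arg`, or the reverse. This matters most if `lo` can be the process-wide options here, which the hunk does not show. At minimum I would document the required order above the cases, e.g. `/* set LDAP_OPT_X_TLS_CONNECT_ARG before LDAP_OPT_X_TLS_CONNECT_CB; clear the callback first when tearing down */`. Separately, `(LDAP_TLS_CONNECT_CB *)arg` converts a `void *` to a function pointer, which POSIX platforms accept but ISO C does not guarantee, so a short comment noting that assumption would help. The switch and the assignment of `lo` begin outside the hunk.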