--- courier-imap-3.0.2/authlib/authldaplib.c 2004-01-19 21:34:09.000000000 +0200
+++ courier-imap-3.0.2-fixed/authlib/authldaplib.c 2004-06-25 01:13:22.590602787 +0200
@@ -676,31 +676,8 @@
  */
 static int enable_tls_on(LDAP *conn)
 {
 #if HAVE_LDAP_TLS
- int version;
 int ldrc;
- if (ldaperror(ldrc=ldap_get_option (conn,
- LDAP_OPT_PROTOCOL_VERSION,
- &version))
- != LDAP_SUCCESS)
- {
- const char *s=ldap_err2string(ldrc);
-
-#if HAVE_SYSLOG_H
- syslog(LOG_DAEMON|LOG_CRIT,
- "ldap_get_option failed: %s", s);
-#endif
- return (-1);
- }
-
- if (version < LDAP_VERSION3)
- {
- version = LDAP_VERSION3;
- (void)ldap_set_option (conn,
- LDAP_OPT_PROTOCOL_VERSION,
- &version);
- }
-
 if (ldaperror(ldrc=ldap_start_tls_s(conn, NULL, NULL))
 != LDAP_SUCCESS)
 {
@@ -754,8 +731,9 @@
 static int ldapopen()
 {
-int ldrc;
-
+ int ldrc;
+ int version;
+
 if (my_ldap_fp) return (0);
 if (authldap_read_config(&my_ldap) == 0)
@@ -767,7 +745,36 @@
 {
 return (1);
 }
+
+ // attempt to upgrade the protocol version as high as we can.
+ // We might want to add a config option like LDAP_PROTO_VERSION
+ // and try to set to that if set, or else run this.
+ if (ldaperror(ldrc=ldap_get_option (my_ldap_fp,
+ LDAP_OPT_PROTOCOL_VERSION,
+ &version))
+ != LDAP_SUCCESS)
+ {
+ const char *s=ldap_err2string(ldrc);
+#if HAVE_SYSLOG_H
+ syslog(LOG_DAEMON|LOG_CRIT,
+ "ldap_get_option failed: %s", s);
+#endif
+ }
+ else
+ {
+ int tmpversion = LDAP_VERSION_MAX;
+ while(tmpversion > version)
+ {
+ if(ldap_set_option (my_ldap_fp,
+ LDAP_OPT_PROTOCOL_VERSION,
+ &tmpversion) == LDAP_SUCCESS)
+ break;
+ tmpversion--;
+ }
+ version = tmpversion;
+ }
+
 #if HAVE_LDAP_TLS
 if (my_ldap.tls && enable_tls_on(my_ldap_fp))
 {
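Review bot: The new negotiation block in the third hunk is fail-open with respect to the `tls` setting: when ldap_get_option fails it logs and falls through, and when the loop cannot raise the version it leaves `version` where it was, yet the check removed from enable_tls_on in the first hunk (which returned -1 on the same failure and forced LDAP_VERSION3 otherwise) was what guaranteed LDAPv3 before ldap_start_tls_s, so a connection that never reached v3 now proceeds to the TLS attempt. I would set `version = 0;` in the ldap_get_option failure branch (it currently assigns nothing, so `version` stays uninitialized there) and add `if (my_ldap.tls && version < LDAP_VERSION3) return (1);` just before `#if HAVE_LDAP_TLS`, using whatever ldapopen returns on its other failure paths (the visible one returns 1), because whether ldap_start_tls_s itself refuses a pre-v3 handle depends on the LDAP library and should not be relied on. As far as I know a successful ldap_set_option only records the version the client will request, with the server's acceptance settled at bind time, so `version = tmpversion;` deserves a comment such as `/* version requested from the server, not yet confirmed by bind */`. Minor style point: the file's existing comments use `/* */` while the added block introduces `//`. The remainder of ldapopen, and of enable_tls_on in the first hunk, lies outside these hunks.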