diff --git a/SOURCES/0001-ldap-setup-TLS-when-using-ldaps.patch b/SOURCES/0001-ldap-setup-TLS-when-using-ldaps.patch
new file mode 100644
index 0000000..ebfda2b
--- /dev/null
+++ b/SOURCES/0001-ldap-setup-TLS-when-using-ldaps.patch
@@ -0,0 +1,32 @@
+From e41de8344a09092ae4d973f495eef54a106a11ee Mon Sep 17 00:00:00 2001
+From: Sumit Bose <sbose@redhat.com>
+Date: Thu, 26 Nov 2020 17:24:10 +0100
+Subject: [PATCH] ldap: setup TLS when using ldaps
+
+Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1826964
+---
+ service/realm-ldap.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/service/realm-ldap.c b/service/realm-ldap.c
+index 2076d1e..e07a299 100644
+--- a/service/realm-ldap.c
++++ b/service/realm-ldap.c
+@@ -263,6 +263,14 @@ realm_ldap_connect_anonymous (GSocketAddress *address,
+ 			return NULL;
+ 		}
+ 
++		if (use_ldaps) {
++			rc = ldap_install_tls (ls->ldap);
++			if (rc != LDAP_SUCCESS) {
++				g_warning ("ldap_start_tls_s() failed: %s", ldap_err2string (rc));
++				return NULL;
++			}
++		}
++
+ 		break;
+ 
+ 	case G_SOCKET_PROTOCOL_UDP:
+-- 
+2.28.0
+
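Review bot: The warning names `ldap_start_tls_s()` while the call that failed is `ldap_install_tls`, which will send anyone troubleshooting to the wrong API; change it to `g_warning ("ldap_install_tls() failed: %s", ldap_err2string (rc));` — the same mislabel is carried into the rewritten warning in the 0003 patch further down this page. The `return NULL` on failure exits after the LDAP handle was created; whether `ls` and its handle are released on this path cannot be seen in the hunk, and the earlier `return NULL` at the top of the hunk presumably follows the same convention, so confirm both paths free them. `realm_ldap_connect_anonymous` starts and ends outside the hunk.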
diff --git a/SOURCES/0001-service-make-sure-use_ldaps-is-not-only-set-for-auto.patch b/SOURCES/0001-service-make-sure-use_ldaps-is-not-only-set-for-auto.patch
new file mode 100644
index 0000000..fbbc2d4
--- /dev/null
+++ b/SOURCES/0001-service-make-sure-use_ldaps-is-not-only-set-for-auto.patch
@@ -0,0 +1,61 @@
+From ccf48aa7761065283483d667f3efaf33b5b2a728 Mon Sep 17 00:00:00 2001
+From: Sumit Bose <sbose@redhat.com>
+Date: Tue, 1 Dec 2020 14:12:33 +0100
+Subject: [PATCH 1/3] service: make sure use_ldaps is not only set for
+ automatic join
+
+The check if ldaps is requested or not was only called if an automatic
+join was enabled. With this patch it is checked in all cases.
+
+Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1826964
+---
+ service/realm-sssd-ad.c | 26 +++++++++++++-------------
+ 1 file changed, 13 insertions(+), 13 deletions(-)
+
+diff --git a/service/realm-sssd-ad.c b/service/realm-sssd-ad.c
+index 00a9093..ea5f28c 100644
+--- a/service/realm-sssd-ad.c
++++ b/service/realm-sssd-ad.c
+@@ -349,19 +349,6 @@ parse_join_options (JoinClosure *join,
+ 			return FALSE;
+ 		}
+ 
+-	/*
+-	 * Check if ldaps should be used and if membership software supports
+-	 * it.
+-	 */
+-	join->use_ldaps = realm_option_use_ldaps (options);
+-	if (join->use_ldaps &&
+-	           g_str_equal (software, REALM_DBUS_IDENTIFIER_SAMBA)) {
+-		realm_diagnostics_info (join->invocation,
+-		                        "Membership software %s does "
+-		                        "not support ldaps, trying "
+-		                        "without.", software);
+-	}
+-
+ 	/*
+ 	 * If we are enrolling with a user password, then we have to use samba,
+ 	 * adcli only supports admin passwords.
+@@ -393,6 +380,19 @@ parse_join_options (JoinClosure *join,
+ 
+ 	g_assert (software != NULL);
+ 
++	/*
++	 * Check if ldaps should be used and if membership software supports
++	 * it.
++	 */
++	join->use_ldaps = realm_option_use_ldaps (options);
++	if (join->use_ldaps &&
++	           g_str_equal (software, REALM_DBUS_IDENTIFIER_SAMBA)) {
++		realm_diagnostics_info (join->invocation,
++		                        "Membership software %s does "
++		                        "not support ldaps, trying "
++		                        "without.", software);
++	}
++
+ 	if (g_str_equal (software, REALM_DBUS_IDENTIFIER_ADCLI)) {
+ 		join->use_adcli = TRUE;
+ 		join->packages = ADCLI_PACKAGES;
+-- 
+2.28.0
+
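Review bot: In the samba branch the diagnostic says the join will proceed "without" ldaps, yet `join->use_ldaps` is left TRUE after `realm_option_use_ldaps (options)`, so the flag no longer reflects the stated behaviour; unless every consumer already gates on `join->use_adcli`, add `join->use_ldaps = FALSE;` after the `realm_diagnostics_info` call so state and message agree. Whether a later samba code path reads `use_ldaps` cannot be seen from here, so confirm before changing it. `parse_join_options` starts and ends outside the hunk.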
diff --git a/SOURCES/0002-service-avoid-crash-if-LDAP-connection-fails.patch b/SOURCES/0002-service-avoid-crash-if-LDAP-connection-fails.patch
new file mode 100644
index 0000000..5ab6209
--- /dev/null
+++ b/SOURCES/0002-service-avoid-crash-if-LDAP-connection-fails.patch
@@ -0,0 +1,68 @@
+From d7089129b966df83f083cb56ee90f6b906971cb6 Mon Sep 17 00:00:00 2001
+From: Sumit Bose <sbose@redhat.com>
+Date: Tue, 1 Dec 2020 16:09:10 +0100
+Subject: [PATCH 2/3] service: avoid crash if LDAP connection fails
+
+There was always a chance for a crash if the connection to LDAP failed.
+In the ldaps case a failed connection became more likely e.g. due to
+failed certificate checks.
+
+This patch avoids the crash and returns an error to the client cleanly.
+
+Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1826964
+---
+ po/POTFILES.in                | 1 +
+ service/realm-disco-mscldap.c | 7 +++++++
+ service/realm-disco-rootdse.c | 6 ++++++
+ 3 files changed, 14 insertions(+)
+
+diff --git a/po/POTFILES.in b/po/POTFILES.in
+index 2de67c8..140ed4c 100644
+--- a/po/POTFILES.in
++++ b/po/POTFILES.in
+@@ -1,6 +1,7 @@
+ service/org.freedesktop.realmd.policy.in
+ service/realm-command.c
+ service/realm-disco-mscldap.c
++service/realm-disco-rootdse.c
+ service/realm-example.c
+ service/realm-ini-config.c
+ service/realm-invocation.c
+diff --git a/service/realm-disco-mscldap.c b/service/realm-disco-mscldap.c
+index 2504904..003bb66 100644
+--- a/service/realm-disco-mscldap.c
++++ b/service/realm-disco-mscldap.c
+@@ -349,6 +349,13 @@ realm_disco_mscldap_async (GSocketAddress *address,
+ 	}
+ 
+ 	clo->source = realm_ldap_connect_anonymous (address, protocol, FALSE, cancellable);
++	if (clo->source == NULL) {
++		g_task_return_new_error (task, G_IO_ERROR, G_IO_ERROR_NOT_CONNECTED,
++		                         _("Failed to setup LDAP connection"));
++		g_object_unref (task);
++		return;
++	}
++
+ 	g_source_set_callback (clo->source, (GSourceFunc)on_ldap_io,
+ 	                       g_object_ref (task), g_object_unref);
+ 	g_source_attach (clo->source, g_task_get_context (task));
+diff --git a/service/realm-disco-rootdse.c b/service/realm-disco-rootdse.c
+index 4ed19e5..d9b44b3 100644
+--- a/service/realm-disco-rootdse.c
++++ b/service/realm-disco-rootdse.c
+@@ -475,6 +475,12 @@ realm_disco_rootdse_async (GSocketAddress *address,
+ 
+ 	clo->source = realm_ldap_connect_anonymous (address, G_SOCKET_PROTOCOL_TCP,
+ 	                                            use_ldaps, cancellable);
++	if (clo->source == NULL) {
++		g_task_return_new_error (task, G_IO_ERROR, G_IO_ERROR_NOT_CONNECTED,
++		                         _("Failed to setup LDAP connection"));
++		g_object_unref (task);
++		return;
++	}
+ 	g_source_set_callback (clo->source, (GSourceFunc)on_ldap_io,
+ 	                       g_object_ref (task), g_object_unref);
+ 	g_source_attach (clo->source, g_task_get_context (task));
+-- 
+2.28.0
+
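Review bot: The new `_("Failed to setup LDAP connection")` in realm-disco-rootdse.c appears to be the first translatable string in that file (the `po/POTFILES.in` addition in the same patch suggests so), so confirm the file includes the header that provides `_()` — `glib/gi18n.h` or whatever the sibling service/*.c files use — otherwise the call is an implicit declaration. The early return after `g_task_return_new_error` assumes `clo` is owned by the task (via `g_task_set_task_data` or similar) so the final `g_object_unref (task)` releases it; that setup is outside the hunk, so verify `clo` is not leaked on this path. Minor: the rootdse hunk omits the blank line after the new `if` block that the mscldap hunk has. Both `realm_disco_mscldap_async` and `realm_disco_rootdse_async` continue outside their hunks.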
diff --git a/SOURCES/0003-service-make-TLS-check-more-releaxed.patch b/SOURCES/0003-service-make-TLS-check-more-releaxed.patch
new file mode 100644
index 0000000..292d0db
--- /dev/null
+++ b/SOURCES/0003-service-make-TLS-check-more-releaxed.patch
@@ -0,0 +1,89 @@
+From 3e4c42094c9660c710f544e31c49ff38180c7675 Mon Sep 17 00:00:00 2001
+From: Sumit Bose <sbose@redhat.com>
+Date: Wed, 2 Dec 2020 10:10:37 +0100
+Subject: [PATCH 3/3] service: make TLS check more releaxed
+
+Since realmd is most often the first application called to discover a
+domain we do not require a strict certificate check when using the ldaps
+port to connect to a domain controller.
+
+Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1826964
+---
+ doc/manual/realm.xml |  8 +++++++-
+ service/realm-ldap.c | 32 +++++++++++++++++++++++++++++++-
+ 2 files changed, 38 insertions(+), 2 deletions(-)
+
+diff --git a/doc/manual/realm.xml b/doc/manual/realm.xml
+index 01af62e..d7d8e5e 100644
+--- a/doc/manual/realm.xml
++++ b/doc/manual/realm.xml
+@@ -293,7 +293,13 @@ $ realm join --user=admin --computer-ou=OU=Special domain.example.com
+ 			which offers a comparable level of security than ldaps.
+ 			This option is only needed if the standard LDAP port
+ 			(389/tcp) is blocked by a firewall and only the LDAPS
+-			port (636/tcp) is available.</para>
++			port (636/tcp) is available. Given that and to lower
++			the initial effort to discover a remote domain
++			<command>realmd</command> does not require a strict
++			certificate check. If the validation of the LDAP server
++			certificate fails <command>realmd</command> will
++			continue to setup the encrypted connection to the LDAP
++			server.</para>
+ 
+ 			<para>If this option is set to
+ 			<parameter>yes</parameter> <command>realmd</command>
+diff --git a/service/realm-ldap.c b/service/realm-ldap.c
+index e07a299..bdfb96c 100644
+--- a/service/realm-ldap.c
++++ b/service/realm-ldap.c
+@@ -199,6 +199,9 @@ realm_ldap_connect_anonymous (GSocketAddress *address,
+ 	gint port;
+ 	gchar *url;
+ 	int rc;
++	int opt_rc;
++	int ldap_opt_val;
++	const char *errmsg = NULL;
+ 
+ 	g_return_val_if_fail (G_IS_INET_SOCKET_ADDRESS (address), NULL);
+ 
+@@ -264,9 +267,36 @@ realm_ldap_connect_anonymous (GSocketAddress *address,
+ 		}
+ 
+ 		if (use_ldaps) {
++			/* Since we currently use the IP address in the URI
++			 * the certificate check might fail because in most
++			 * cases the IP address won't be listed in the SANs of
++			 * the LDAP server certificate. We will try to
++			 * continue in this case and not fail. */
++			ldap_opt_val = LDAP_OPT_X_TLS_ALLOW;
++			rc = ldap_set_option (ls->ldap,
++			                       LDAP_OPT_X_TLS_REQUIRE_CERT,
++			                       &ldap_opt_val);
++			if (rc != LDAP_OPT_SUCCESS) {
++				g_debug ("Failed to disable certificate checking, trying without");
++			}
++
++			ldap_opt_val = 0;
++			rc = ldap_set_option (ls->ldap, LDAP_OPT_X_TLS_NEWCTX,
++			                       &ldap_opt_val);
++			if (rc != LDAP_OPT_SUCCESS) {
++				g_debug ("Failed to refresh LDAP context for TLS, trying without");
++			}
++
+ 			rc = ldap_install_tls (ls->ldap);
+ 			if (rc != LDAP_SUCCESS) {
+-				g_warning ("ldap_start_tls_s() failed: %s", ldap_err2string (rc));
++				opt_rc = ldap_get_option (ls->ldap,
++				                          LDAP_OPT_DIAGNOSTIC_MESSAGE,
++				                          (void *) &errmsg);
++				if (opt_rc != LDAP_SUCCESS) {
++					errmsg = "- no details -";
++				}
++				g_warning ("ldap_start_tls_s() failed [%s]: %s",
++				           ldap_err2string (rc), errmsg);
+ 				return NULL;
+ 			}
+ 		}
+-- 
+2.28.0
+
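Review bot: The diagnostic string that `ldap_get_option (ls->ldap, LDAP_OPT_DIAGNOSTIC_MESSAGE, ...)` stores in `errmsg` is allocated by libldap and must be released with `ldap_memfree()`, but the failure path logs it and returns, leaking it on every failed TLS setup; because the fallback assigns a string literal, the release has to be conditional, e.g. `if (opt_rc == LDAP_SUCCESS) ldap_memfree ((void *) errmsg);` placed after the `g_warning` and before `return NULL;` (declaring `errmsg` as `char *` would avoid the casts). Setting `LDAP_OPT_X_TLS_REQUIRE_CERT` to `LDAP_OPT_X_TLS_ALLOW` means the server certificate is no longer authenticated, so the resulting session protects only against passive observation; the comment above it explains the IP-in-URI motivation but should also state the consequence and why it is acceptable here, e.g. `/* NOTE: the peer is not authenticated after this; acceptable only because this handle is used for anonymous discovery and never carries credentials — confirm no caller binds on it. */`, since whether any caller binds on the handle cannot be seen from this hunk. The `g_debug` on a failed `ldap_set_option` means a still-strict check is only visible with debug output, which is acceptable given that a subsequent `ldap_install_tls` failure is logged as a warning. `realm_ldap_connect_anonymous` starts and ends outside the hunk.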
diff --git a/SPECS/realmd.spec b/SPECS/realmd.spec
index e97d86f..8c79df9 100644
--- a/SPECS/realmd.spec
+++ b/SPECS/realmd.spec
@@ -1,6 +1,6 @@
 Name:		realmd
 Version:	0.16.3
-Release:	20%{?dist}
+Release:	22%{?dist}
 Summary:	Kerberos realm enrollment service
 License:	LGPLv2+
 URL:		http://cgit.freedesktop.org/realmd/realmd/
@@ -59,6 +59,10 @@ Patch29:	0003-service-add-ldaps-support-when-using-adcli.patch
 Patch30:	0004-service-do-not-copy-option-values-to-avoid-memory-le.patch
 Patch31:	0005-tools-add-use-ldaps-option-for-discover-join-and-lea.patch
 Patch32:	0006-ldap-generate-proper-ldap-uri-for-IPv6-addresses.patch
+Patch33:	0001-ldap-setup-TLS-when-using-ldaps.patch
+Patch34:	0001-service-make-sure-use_ldaps-is-not-only-set-for-auto.patch
+Patch35:	0002-service-avoid-crash-if-LDAP-connection-fails.patch
+Patch36:	0003-service-make-TLS-check-more-releaxed.patch
 
 BuildRequires:	gcc
 BuildRequires:	automake
@@ -127,6 +131,14 @@ make install DESTDIR=%{buildroot}
 %doc ChangeLog
 
 %changelog
+* Thu Dec 03 2020 Sumit Bose <sbose@redhat.com> - 0.16.3-22
+- Add fixes LDAPS functionality
+  Resolves: rhbz#1826964
+
+* Thu Nov 26 2020 Sumit Bose <sbose@redhat.com> - 0.16.3-21
+- Add missing patch for LDAPS functionality
+  Resolves: rhbz#1826964
+
 * Thu Nov 05 2020 Sumit Bose <sbose@redhat.com> - 0.16.3-20
 - realmd should handle default_realm in krb5.conf
   Resolves: rhbz#1791016