diff --git a/conf/app.conf.example b/conf/app.conf.example
index 109a7a8b..06711472 100644
--- a/conf/app.conf.example
+++ b/conf/app.conf.example
@@ -128,6 +128,8 @@ baidumapkey=
 ################Active Directory/LDAP################
 #是否启用ldap
 ldap_enable=false
+#ldap协议(ldap/ldaps)
+ldap_scheme=ldap
 #ldap主机名
 ldap_host=ad.example.com
 #ldap端口
diff --git a/models/Member.go b/models/Member.go
index a570578e..481965d5 100644
--- a/models/Member.go
+++ b/models/Member.go
@@ -3,11 +3,13 @@ package models
 
 import (
 	"crypto/md5"
+	"crypto/tls"
 	"encoding/hex"
 	"encoding/json"
 	"errors"
 	"fmt"
 	"io/ioutil"
+	"net"
 	"net/http"
 	"net/url"
 	"regexp"
@@ -27,6 +29,8 @@ import (
 	"github.com/mindoc-org/mindoc/utils"
 )
 
+var LdapDefaultTimeout = 8 * time.Second
+
 type Member struct {
 	MemberId int `orm:"pk;auto;unique;column(member_id)" json:"member_id"`
 	Account string `orm:"size(100);unique;column(account);description(登录名)" json:"account"`
@@ -124,8 +128,18 @@ func (m *Member) ldapLogin(account string, password string) (*Member, error) {
 		return m, ErrMemberAuthMethodInvalid
 	}
 	var err error
-	ldaphost, _ := web.AppConfig.String("ldap_host")
-	lc, err := ldap.DialURL(fmt.Sprintf("ldap://%s:%d", ldaphost, web.AppConfig.DefaultInt("ldap_port", 3268)))
+	var ldapOpt ldap.DialOpt
+	ldap_scheme := web.AppConfig.DefaultString("ldap_scheme", "ldap")
+	dialer := net.Dialer{Timeout: LdapDefaultTimeout}
+	if ldap_scheme == "ldaps" {
+		ldapOpt = ldap.DialWithTLSDialer(&tls.Config{InsecureSkipVerify: true}, &dialer)
+	} else {
+		ldapOpt = ldap.DialWithDialer(&dialer)
+	}
+	ldap_host, _ := web.AppConfig.String("ldap_host")
+	ldap_port := web.AppConfig.DefaultInt("ldap_port", 3268)
+	ldap_url := fmt.Sprintf("%s://%s:%d", ldap_scheme, ldap_host, ldap_port)
+	lc, err := ldap.DialURL(ldap_url, ldapOpt)
 	if err != nil {
 		logs.Error("绑定 LDAP 用户失败 ->", err)
 		return m, ErrLDAPConnect
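Review bot: The new exported package-level `LdapDefaultTimeout` in the `@@ -27,6 +29,8 @@` hunk has no doc comment and is a mutable `var` that nothing in the diff configures, so its contract (what it bounds, who may change it) is not visible to readers. Add a comment that starts with the name, e.g. `// LdapDefaultTimeout bounds the TCP (and, for ldaps, TLS) dial of the LDAP server in ldapLogin.`, and consider making it a `const` unless another package is expected to override it at runtime.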
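Review bot: In the `ldapLogin` hunk the ldaps branch dials with `tls.Config{InsecureSkipVerify: true}`, which disables certificate and hostname verification, so the user's bind password is sent to whichever endpoint answers on that host and port; the new `ldaps` scheme then only defends against passive observation, not an interposed server, and the config comment `#ldap协议(ldap/ldaps)` gives operators no hint of that. Read the host before building the option and verify against it: move `ldap_host, _ := web.AppConfig.String("ldap_host")` above the `if`, and replace the TLS line with `ldapOpt = ldap.DialWithTLSDialer(&tls.Config{ServerName: ldap_host, MinVersion: tls.VersionTLS12}, &dialer)`; if self-signed deployments must be supported, gate skipping verification behind an explicit config key that defaults to off and log when it is active. The error from `web.AppConfig.String("ldap_host")` is still discarded with `_`, so a missing key silently produces a URL like `ldaps://:3268`, and `ldap_scheme` is not checked against the two documented values before it is interpolated into the URL. The snake_case locals `ldap_scheme`, `ldap_host`, `ldap_port`, `ldap_url` should be `ldapScheme`, `ldapHost`, `ldapPort`, `ldapURL` per Go naming. `ldapLogin` continues past the end of the hunk.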