diff --git a/auth.py b/auth.py
index 0490caa35f5cb243811fc506ee882abb8773ae83..be1d4b23bf26a9291762b571d8b3dfc1fe8ff46a 100644
--- a/auth.py
+++ b/auth.py
@@ -1,5 +1,6 @@
 import ldap
 import hmac, hashlib
+import ssl
 import ldap3
 from ldap3.utils.dn import parse_dn
 from datetime import datetime
@@ -99,8 +100,14 @@ class LdapManager:
             yield group.cn.value
 
 class ADManager:
-    def __init__(self, host, domain, user_dn, group_dn, port=636, use_ssl=True):
-        self.server = ldap3.Server(host, port=port, use_ssl=use_ssl)
+    def __init__(self, host, domain, user_dn, group_dn,
+        port=636, use_ssl=True, ca_cert=None):
+        tls_config = ldap3.Tls(validate=ssl.CERT_REQUIRED)
+        if ca_cert is not None:
+            tls_config = ldap3.Tls(validate=ssl.CERT_REQUIRED,
+                ca_certs_file=ca_cert)
+        self.server = ldap3.Server(host, port=port, use_ssl=use_ssl,
+            tls=tls_config)
         self.domain = domain
         self.user_dn = user_dn
         self.group_dn = group_dn
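Review bot: The new `__init__` constructs `ldap3.Tls` twice — once without and once with the CA file — although `ldap3.Tls` already defaults `ca_certs_file` to `None`, so a single `tls_config = ldap3.Tls(validate=ssl.CERT_REQUIRED, ca_certs_file=ca_cert)` covers both branches and drops the conditional. The new `ca_cert` parameter is undocumented; a docstring should say it is the path to a PEM CA bundle used to verify the AD server's certificate and that, when omitted, verification relies on whatever trust store ldap3 resolves by default — confirm against the installed ldap3 version whether that is the system store, since an empty store would make every `use_ssl=True` bind fail rather than silently pass. The `tls=` argument only takes effect when `use_ssl=True` (or StartTLS is negotiated elsewhere), so a caller passing `use_ssl=False` still gets a cleartext bind despite `CERT_REQUIRED`; stating that in the docstring, or raising `ValueError` when `ca_cert` is given together with `use_ssl=False`, would make the contract explicit. As a style point, the continuation line `port=636, use_ssl=True, ca_cert=None):` sits at the same indent as the body (PEP 8 E125). `__init__` continues past the end of the hunk.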
diff --git a/config.py.example b/config.py.example
index e0f82065b13da35b7b632405ca1c7f07171965ac..fbb680399656338b2a03321fe8320bfe19f2f73f 100644
--- a/config.py.example
+++ b/config.py.example
@@ -78,7 +78,8 @@ AUTH_BACKENDS = [
         host="ad.example.com",
         domain="EXAMPLE",
         user_dn="cn=users,dc=example,dc=com",
-        group_dn="dc=example,dc=com")
+        group_dn="dc=example,dc=com",
+        ca_cert="/etc/ssl/certs/example-ca.pem")
 ]
 
 # lines of error description