diff --git a/group_vars/all b/group_vars/all
index 9c14ab7..cc35b5c 100644
--- a/group_vars/all
+++ b/group_vars/all
@@ -1,5 +1,6 @@
 ---
+ldap_ca: /etc/ssl/BKCA.crt
 ldap_uri: ldaps://ldap.binary.kitchen/
 ldap_host: ldap.binary.kitchen
 ldap_base: dc=binary-kitchen,dc=de
diff --git a/roles/ldap-client/templates/nslcd.conf.j2 b/roles/ldap-client/templates/nslcd.conf.j2
index 6a5b483..01a0948 100644
--- a/roles/ldap-client/templates/nslcd.conf.j2
+++ b/roles/ldap-client/templates/nslcd.conf.j2
@@ -32,4 +32,4 @@ base shadow {{ nslcd_base_shadow }}
 # SSL options
 tls_reqcert demand
-tls_cacertfile /etc/ssl/BKCA.crt
+tls_cacertfile {{ ldap_ca }}
diff --git a/roles/mail/templates/dovecot/dovecot-ldap.conf.ext.j2 b/roles/mail/templates/dovecot/dovecot-ldap.conf.ext.j2
index 9aedae6..abcb40e 100644
--- a/roles/mail/templates/dovecot/dovecot-ldap.conf.ext.j2
+++ b/roles/mail/templates/dovecot/dovecot-ldap.conf.ext.j2
@@ -45,14 +45,14 @@ dnpass = {{ ldap_bindpw }}
 # Use TLS to connect to the LDAP server.
 tls = yes
 # TLS options, currently supported only with OpenLDAP:
-#tls_ca_cert_file = TODO
+tls_ca_cert_file = {{ ldap_ca }}
 #tls_ca_cert_dir =
 #tls_cipher_suite =
 # TLS cert/key is used only if LDAP server requires a client certificate.
 #tls_cert_file =
 #tls_key_file =
 # Valid values: never, hard, demand, allow, try
-#tls_require_cert = TODO
+tls_require_cert = demand
 # Use the given ldaprc path.
 #ldaprc_path =
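Review bot: Now that `tls_require_cert = demand` enforces verification, the interaction with the context line `tls = yes` two lines above should be checked: in Dovecot that setting requests STARTTLS, and if this template's `uris` (outside the hunk) is fed from the group_vars `ldap_uri`, which is `ldaps://`, STARTTLS is attempted on a connection that is already TLS and OpenLDAP rejects it, so one of the two should go (`tls = no` with the ldaps URI, or `ldap://` with `tls = yes`). The two new lines themselves are consistent with the nslcd side, which pins `tls_reqcert demand` against the same `ldap_ca`. I would also record the failure mode next to the new setting, e.g. above `tls_ca_cert_file`: `# Server cert must chain to {{ ldap_ca }}; binds fail (no fallback) if the file is missing or unreadable by the auth worker.`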