diff --git a/roles/openLdapClient/defaults/main.yml b/roles/openLdapClient/defaults/main.yml
index 60c8a48880f329133624b9e8f04aa00307aef797..0b046e3664c209232ff4e716bd63a27e8eee8cab 100644
--- a/roles/openLdapClient/defaults/main.yml
+++ b/roles/openLdapClient/defaults/main.yml
@@ -8,5 +8,7 @@ ldapUserHomeDirectory: "unixHomeDirectory"
 ldapUserPricipal: "userPrincipalName"
 ldapGroupBase: "ou=groups,dc=monash,dc=edu,dc=au"
 tlsCaCertDirectory: "/etc/openldap/certs"
-tlsCaCertFile: "ca.pem"
+tlsCaCertFile: "/etc/openldap/certs/ca.pem"
 ldapCaCertFileSource: "/etc/openldap"
+cacertFile: "ca.pem"
+
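Review bot: `cacertFile: "ca.pem"` on the last added line is a bare filename, while the sssd template in this same commit feeds it to `ldap_tls_cacert`, which takes a file path; the variable that already carries the path is `tlsCaCertFile`, changed here to `"/etc/openldap/certs/ca.pem"`, so the same basename is now encoded twice and the two values can drift. Either drop `cacertFile` and reference `tlsCaCertFile` from the template, or derive it from the existing parts, `cacertFile: "{{ tlsCaCertDirectory }}/ca.pem"`. If other tasks in the role already join `tlsCaCertDirectory` with `tlsCaCertFile` (they are outside this diff), the new absolute value would yield a doubled path and is worth checking. The hunk also appends a trailing blank line at end of file.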
diff --git a/roles/openLdapClient/templates/sssd.j2 b/roles/openLdapClient/templates/sssd.j2
index ce51b423dd2be6fdf79ec5a270a53181d02e49bb..7db3cc51ef4f360b7462ca27872556f322d8022f 100644
--- a/roles/openLdapClient/templates/sssd.j2
+++ b/roles/openLdapClient/templates/sssd.j2
@@ -27,7 +27,9 @@ access_provider = ldap
 
 ldap_uri = {{ ldapUri }} 
 ldap_id_use_start_tls = True
-ldap_tls_reqcert = demand 
+ldap_tls_reqcert = allow 
+ldap_tls_cacertdir = {{ tlsCaCertDirectory }} 
+ldap_tls_cacert = {{ cacertFile }}
 ldap_default_bind_dn = {{ ldapDn }} 
 ldap_default_authtok_type = password
 ldap_default_authtok = {{ ldapPassword }}
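Review bot: `ldap_tls_reqcert = allow` on the first added line weakens the previous `demand`: with `allow`, sssd continues the STARTTLS session even when the server certificate is missing or fails verification, so the bind password rendered two lines below in `ldap_default_authtok` and every identity lookup become exposed to an on-path attacker. Since this commit also points sssd at the CA certificate, the verification can stay strict; keep `ldap_tls_reqcert = demand` and fix the trust store instead. The new `ldap_tls_cacert = {{ cacertFile }}` renders to the bare `ca.pem` from the defaults hunk, whereas sssd expects a file path, so `ldap_tls_cacert = {{ tlsCaCertFile }}` (now `/etc/openldap/certs/ca.pem`) is the value that will actually be found. `ldap_tls_cacertdir` only helps if the directory holds hash-named certificate files (`cacertdir_rehash`), which nothing in this diff establishes, and the added lines carry trailing whitespace after `allow` and after `{{ tlsCaCertDirectory }}`.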