diff --git a/connector/ldap/ldap.go b/connector/ldap/ldap.go
index dd45dd10d63f64175e43bb5d81021a830eeca3e6..d2bce31b1eb4dcc54cde338e6069fb0c9c050203 100644
--- a/connector/ldap/ldap.go
+++ b/connector/ldap/ldap.go
@@ -61,6 +61,9 @@ type Config struct {
 	// Path to a trusted root certificate file.
 	RootCA string `json:"rootCA"`
 
+	// Base64 encoded PEM data containing root CAs.
+	RootCAData []byte `json:"rootCAData"`
+
 	// BindDN and BindPW for an application service account. The connector uses these
 	// credentials to search for users and groups.
 	BindDN string `json:"bindDN"`
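Review bot: The comment on the new `RootCAData` field is only accurate for the serialized config, where encoding/json represents a `[]byte` as a base64 string. Code that fills the struct directly has to supply raw PEM bytes, because the later hunk hands the value unchanged to `AppendCertsFromPEM`. The comment should also follow the doc-comment convention and start with the field name, for example `// RootCAData is PEM data containing root CAs; in the JSON config it is written as a base64 string.` The struct continues outside this hunk.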
@@ -167,6 +170,20 @@ func escapeFilter(s string) string {
 
 // Open returns an authentication strategy using LDAP.
 func (c *Config) Open() (connector.Connector, error) {
+	conn, err := c.OpenConnector()
+	if err != nil {
+		return nil, err
+	}
+	return connector.Connector(conn), nil
+}
+
+// OpenConnector is the same as Open but returns a type with all implemented connector interfaces.
+func (c *Config) OpenConnector() (interface {
+	connector.Connector
+	connector.PasswordConnector
+	connector.GroupsConnector
+}, error) {
+
 	requiredFields := []struct {
 		name string
 		val  string
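Review bot: The anonymous interface in the `OpenConnector` result is hard to read in generated docs and cannot be referred to by callers who want to store or pass the returned value. Declaring a named interface that embeds `connector.Connector`, `connector.PasswordConnector` and `connector.GroupsConnector`, and returning that type, would keep the signature on one line. In `Open` the explicit conversion is not needed, since the value is assignable to the result type: `return conn, nil`. The blank line directly after the `OpenConnector` signature can go as well. The function body continues outside this hunk.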
@@ -196,10 +213,13 @@ func (c *Config) Open() (connector.Connector, error) {
 	}
 
 	tlsConfig := new(tls.Config)
-	if c.RootCA != "" {
-		data, err := ioutil.ReadFile(c.RootCA)
-		if err != nil {
-			return nil, fmt.Errorf("ldap: read ca file: %v", err)
+	if c.RootCA != "" || len(c.RootCAData) != 0 {
+		data := c.RootCAData
+		if len(data) == 0 {
+			var err error
+			if data, err = ioutil.ReadFile(c.RootCA); err != nil {
+				return nil, fmt.Errorf("ldap: read ca file: %v", err)
+			}
 		}
 		rootCAs := x509.NewCertPool()
 		if !rootCAs.AppendCertsFromPEM(data) {
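Review bot: When both `RootCA` and `RootCAData` are set, the file named by `RootCA` is never read, so the trust anchors used for the LDAP TLS connection can silently differ from what the operator believes is configured. Since this selects which CAs are trusted for the directory server, the ambiguity is better rejected up front, e.g. `if c.RootCA != "" && len(c.RootCAData) != 0 { return nil, fmt.Errorf("ldap: only one of rootCA and rootCAData may be set") }`. If the precedence is intentional, it should be stated on the `RootCAData` field comment instead. The `AppendCertsFromPEM` failure branch lies outside this hunk; if its message refers to a CA file, it would presumably need to cover the inline-data case too.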