diff --git a/connector/ldap/ldap.go b/connector/ldap/ldap.go
index 8c9e480dc5ce1f14bec91ad0d07501d62f7a8d6a..ed5f5e932fbf4fd6b6ae05cb45611c438cff2ac1 100644
--- a/connector/ldap/ldap.go
+++ b/connector/ldap/ldap.go
@@ -69,7 +69,10 @@ type Config struct {
 
 	// Path to a trusted root certificate file.
 	RootCA string `json:"rootCA"`
-
+	// Path to a client cert file generated by rootCA.
+	ClientCert string `json:"clientCert"`
+	// Path to a client private key file generated by rootCA.
+	ClientKey string `json:"clientKey"`
 	// Base64 encoded PEM data containing root CAs.
 	RootCAData []byte `json:"rootCAData"`
 
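Review bot: The new field comments describe the client certificate and key as "generated by rootCA", which is misleading: in `openConnector` the `RootCA` file feeds `tlsConfig.RootCAs`, the pool used to verify the LDAP server, while the client certificate is validated against whatever CA the server trusts. I would reword them to `// Path to a PEM client certificate presented to the LDAP server for mutual TLS. Must be set together with clientKey.` and `// Path to the PEM private key matching clientCert. Must be set together with clientCert.` It is also worth noting in the docs that the key file should be readable only by the account running the service. The `Config` struct starts and ends outside this hunk.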
@@ -104,7 +107,6 @@ type Config struct {
 		IDAttr    string `json:"idAttr"`    // Defaults to "uid"
 		EmailAttr string `json:"emailAttr"` // Defaults to "mail"
 		NameAttr  string `json:"nameAttr"`  // No default.
-
 	} `json:"userSearch"`
 
 	// Group search configuration.
@@ -226,6 +228,14 @@ func (c *Config) openConnector(logger logrus.FieldLogger) (*ldapConnector, error
 		}
 		tlsConfig.RootCAs = rootCAs
 	}
+
+	if c.ClientKey != "" && c.ClientCert != "" {
+		cert, err := tls.LoadX509KeyPair(c.ClientCert, c.ClientKey)
+		if err != nil {
+			return nil, fmt.Errorf("ldap: load client cert failed: %v", err)
+		}
+		tlsConfig.Certificates = append(tlsConfig.Certificates, cert)
+	}
 	userSearchScope, ok := parseScope(c.UserSearch.Scope)
 	if !ok {
 		return nil, fmt.Errorf("userSearch.Scope unknown value %q", c.UserSearch.Scope)
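Review bot: The guard `if c.ClientKey != "" && c.ClientCert != ""` silently skips client authentication when only one of the two paths is configured, so a typo or omitted key leaves the connector dialing without a client certificate and no error at startup. I would reject the half-configured case before it, e.g. `if (c.ClientKey == "") != (c.ClientCert == "") { return nil, fmt.Errorf("ldap: clientCert and clientKey must be set together") }`. Whether `tlsConfig` is used at all when the connection is configured without TLS is not visible here; if it is not, a warning for that combination would help operators notice the certificate is unused. `openConnector` begins and ends outside this hunk.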