diff --git a/site-cookbooks/kosmos-ejabberd/templates/ejabberd.yml.erb b/site-cookbooks/kosmos-ejabberd/templates/ejabberd.yml.erb
index 5b069d5..a8c37e9 100644
--- a/site-cookbooks/kosmos-ejabberd/templates/ejabberd.yml.erb
+++ b/site-cookbooks/kosmos-ejabberd/templates/ejabberd.yml.erb
@@ -25,6 +25,7 @@ host_config:
     ldap_rootdn: "cn=xmpp,ou=<%= host[:name] %>,<%= @ldap_base %>"
     ldap_password: "<%= host[:ldap_password] %>"
     ldap_encrypt: <%= @ldap_encryption_type %>
+    ldap_tls_verify: hard # when TLS is enabled, don't proceed if a cert is invalid
     ldap_base: "ou=<%= host[:name] %>,<%= @ldap_base %>"
     ldap_filter: "(nsRole=cn=xmpp_role,ou=<%= host[:name] %>,<%= @ldap_base %>)"
   <% end -%>