diff --git a/packages/xo-server-auth-ldap/package.json b/packages/xo-server-auth-ldap/package.json
index c16bd9c24..ca9f17e0c 100644
--- a/packages/xo-server-auth-ldap/package.json
+++ b/packages/xo-server-auth-ldap/package.json
@@ -27,6 +27,7 @@
     "babel-runtime": "^6.3.19",
     "bluebird": "^3.1.1",
     "event-to-promise": "^0.6.0",
+    "fs-promise": "^0.3.1",
     "ldapjs": "^1.0.0"
   },
   "devDependencies": {
diff --git a/packages/xo-server-auth-ldap/src/index.js b/packages/xo-server-auth-ldap/src/index.js
index f2c26d6d4..3e709c5ce 100644
--- a/packages/xo-server-auth-ldap/src/index.js
+++ b/packages/xo-server-auth-ldap/src/index.js
@@ -1,10 +1,10 @@
 /* eslint no-throw-literal: 0 */
 
-import {promisify} from 'bluebird'
 import eventToPromise from 'event-to-promise'
-import {createClient} from 'ldapjs'
-import {escape} from 'ldapjs/lib/filters/escape'
-import {readFileSync} from 'fs'
+import { createClient } from 'ldapjs'
+import { escape } from 'ldapjs/lib/filters/escape'
+import { promisify } from 'bluebird'
+import { readFile } from 'fs-promise'
 
 // ===================================================================
 
@@ -100,7 +100,7 @@ class AuthLdap {
     this._authenticate = bind(this._authenticate, this)
   }
 
-  configure (conf) {
+  async configure (conf) {
     const clientOpts = this._clientOpts = {
       url: conf.uri,
       maxConnections: 5,
@@ -123,8 +123,9 @@ class AuthLdap {
 
       tlsOptions.rejectUnauthorized = checkCertificate
       if (certificateAuthorities) {
-        // FIXME: should be async!!!
-        tlsOptions.ca = certificateAuthorities.map(path => readFileSync(path))
+        tlsOptions.ca = await Promise.all(
+          certificateAuthorities.map(path => readFile(path))
+        )
       }
     }