diff --git a/ansible/group_vars/all/sssd b/ansible/group_vars/all/sssd index 8d34011..f072bf0 100644 --- a/ansible/group_vars/all/sssd +++ b/ansible/group_vars/all/sssd @@ -1,5 +1,5 @@ sssd_configure: true # sssd_configure is False by default - by default nothing is done by this role. -ldap_search_base: "dc=ducamps,dc=win" -ldap_uri: "ldaps://ldap.ducamps.eu" -ldap_sudo_search_base: "ou=sudoers,dc=ducamps,dc=win" +ldap_search_base: "dc=ducamps,dc=eu" +ldap_uri: "ldaps://ldaps.service.consul" +ldap_sudo_search_base: "ou=sudoers,dc=ducamps,dc=eu" diff --git a/ansible/group_vars/all/vault_sssd b/ansible/group_vars/all/vault_sssd index 855815c..d1329d8 100644 --- a/ansible/group_vars/all/vault_sssd +++ b/ansible/group_vars/all/vault_sssd @@ -1,11 +1,11 @@ $ANSIBLE_VAULT;1.1;AES256 -34356264306639303930393736376562653636383538623131343939323563653938616534623163 -6536366261666662376533393836626664373766313439660a363331326231303638626165393164 -63323063623365393566643230653964393565636430303365653233323931646236366664346430 -3162383233656139320a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a343031373230623564616635373337 +38653431623135313436643737633932656236666562623837303262323838663564343862653835 +3332346662383935300a646437326262613231616137393664633963623832393633646530613037 +35326335333432383939346132356465313164336434316439633236396465333366666435353535 +35646465313336336466653964303533373133613861626634623363623036643363323063616630 +64636135323431653235643364316238666135626230316537363132313138656532306636333734 +64356532653432613535623761303634353964633162333465393135653338323437336362616164 +63313430303438323535346331386463393535376564346564643363626434626432333031653838 +3332616466306466336161393066633239363463363863323739 diff --git a/nomad-job/openldap/memberofOverlay.ldif b/nomad-job/openldap/memberofOverlay.ldif new file mode 100644 index 0000000..a0c7b66 --- /dev/null +++ b/nomad-job/openldap/memberofOverlay.ldif 
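Review bot: `ldap_uri: "ldaps://ldaps.service.consul"` is set without any CA or `reqcert` setting for sssd in this hunk, and the server behind that name gets its certificate from the self-signed prestart task (`stakater/ssl-certs-generator`) added to the openldap job in this same commit. With sssd's default `ldap_tls_reqcert = demand` the bind is rejected, and if the role works around that by relaxing `reqcert` to `allow` or `never`, LDAPS no longer authenticates the server that receives every user's password bind. Distribute the generated `ca.pem` to the hosts and reference it through whatever variable the role maps to `ldap_tls_cacert` (the role's variable name is not visible here), keeping `demand`. The `dc=ducamps,dc=win` → `dc=ducamps,dc=eu` base and sudo base changes match the new `tree.ldif`.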
@@ -0,0 +1,31 @@
+dn: cn=module,cn=config
+cn: module
+objectClass: olcModuleList
+olcModuleLoad: memberof
+olcModuleLoad: refint
+olcModulePath: /opt/bitnami/openldap/lib/openldap
+
+dn: olcOverlay={0}memberof,olcDatabase={2}mdb,cn=config
+objectClass: olcConfig
+objectClass: olcMemberOf
+objectClass: olcOverlayConfig
+objectClass: top
+olcOverlay: memberof
+olcMemberOfDangling: ignore
+olcMemberOfRefInt: TRUE
+olcMemberOfGroupOC: groupOfNames
+olcMemberOfMemberAD: member
+olcMemberOfMemberOfAD: memberOf
+
+
+dn: olcOverlay={1}refint,olcDatabase={2}mdb,cn=config
+objectClass: olcConfig
+objectClass: olcOverlayConfig
+objectClass: olcRefintConfig
+objectClass: top
+olcOverlay: {1}refint
+olcRefintAttribute: memberof
+olcRefintAttribute: member
+olcRefintAttribute: manager
+olcRefintAttribute: owner
+
diff --git a/nomad-job/openldap/openldap.nomad.hcl b/nomad-job/openldap/openldap.nomad.hcl
new file mode 100644
index 0000000..2e86424
--- /dev/null
+++ b/nomad-job/openldap/openldap.nomad.hcl
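Review bot: `olcMemberOfDangling: ignore` accepts a `member` value that names a DN which does not exist, and this commit's `tree.ldif` already contains one (`uid=loic,ou=users,dc=ducamps,dc=eu` in `NAS_user` and `JellyfinUsers`, with no such user entry); whoever later creates an entry at that DN silently inherits those memberships, which the supysonic and Vault filters in this commit use for authorization. Prefer `olcMemberOfDangling: error` so writes with unresolvable members are rejected by the server, and fix the bootstrap data rather than relying on the overlay to look the other way. Note also that the memberof overlay only maintains `memberOf` on entries written after it is active, so this file has to be applied before `tree.ldif` is imported; I cannot confirm the bitnami image's ordering of the schema and LDIF directories from here, so verify with a search for `memberOf` on a user after first start.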
@@ -0,0 +1,164 @@ + +job "openldap" { + datacenters = ["homelab"] + priority = 90 + type = "service" + meta { + forcedeploy = "1" + } + constraint { + attribute = "${attr.cpu.arch}" + value = "amd64" + } + vault { + policies = ["ldap"] + } + group "openldap" { + network { + mode = "host" + port "ldap" { + static = 389 + to = 1389 + } + port "ldaps" { + static = 636 + to = 1636 + } + + } + task "selfsignedCertificate" { + lifecycle { + hook= "prestart" + sidecar = false + } + driver= "docker" + config{ + image= "stakater/ssl-certs-generator" + mount { + type = "bind" + source = "..${NOMAD_ALLOC_DIR}/data" + target = "/certs" + } + } + env { + SSL_DNS="ldaps.service.consul,ldap.service.consul" + } + } + task "openldap" { + driver = "docker" + service { + name = "ldap" + port = "ldap" + tags = [ + ] + } + service { + name = "ldaps" + port = "ldaps" + tags = [ + ] + } + + config { + image = "bitnami/openldap" + ports = ["ldap", "ldaps"] + volumes = [ + "/mnt/diskstation/nomad/openldap:/bitnami/openldap", + ] + + } + env { + LDAP_ADMIN_USERNAME = "admin" + LDAP_ROOT = "dc=ducamps,dc=eu" + LDAP_EXTRA_SCHEMAS = "cosine, inetorgperson" + LDAP_CUSTOM_SCHEMA_DIR = "/local/schema" + LDAP_CUSTOM_LDIF_DIR = "/local/ldif" + LDAP_CONFIGURE_PPOLICY = "yes" + LDAP_ALLOW_ANON_BINDING = "no" + LDAP_LOGLEVEL = 64 + LDAP_ENABLE_TLS = "yes" + LDAP_TLS_CERT_FILE = "${NOMAD_ALLOC_DIR}/data/cert.pem" + LDAP_TLS_KEY_FILE = "${NOMAD_ALLOC_DIR}/data/key.pem" + LDAP_TLS_CA_FILE = "${NOMAD_ALLOC_DIR}/data/ca.pem" + + } + #memberOf issue + #https://github.com/bitnami/containers/issues/28335 + # https://tylersguides.com/guides/openldap-memberof-overlay + + + template { + data = file("memberofOverlay.ldif") + destination = "local/schema/memberofOverlay.ldif" + } + template { + data = file("smbkrb5pwd.ldif") + destination = "local/smbkrb5pwd.ldif" + } + template { + data = file("rfc2307bis.ldif") + destination = "local/schema/rfc2307bis.ldif" + } + template { + data = file("samba.ldif") + 
destination = "local/schema/samba.ldif" + } + template { + data = file("tree.ldif") + destination = "local/ldif/tree.ldif" + } + resources { + memory = 300 + } + } + } + group ldpp-user-manager{ + network{ + mode = "host" + port "http" { + to = 80 + } + } + task ldap-user-manager { + driver = "docker" + service { + name = "ldap-user-manager" + port = "http" + tags = [ + "traefik.enable=true", + "traefik.http.routers.${NOMAD_JOB_NAME}.rule=Host(`ldap.ducamps.eu`)", + "traefik.http.routers.${NOMAD_JOB_NAME}.tls.domains[0].sans=ldap.ducamps.win", + "traefik.http.routers.${NOMAD_JOB_NAME}.tls.certresolver=myresolver", + ] + } + config { + image = "wheelybird/ldap-user-manager" + ports = ["http"] + } + template { + data = < off)' EQUALITY intege + rMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) +olcAttributeTypes: {37}( 1.3.6.1.4.1.7165.2.1.60 NAME 'sambaLogonToChgPwd' DES + C 'Force Users to logon for password change (default: 0 => off, 2 => on)' EQU + ALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) +olcAttributeTypes: {38}( 1.3.6.1.4.1.7165.2.1.61 NAME 'sambaMaxPwdAge' DESC 'M + aximum password age, in seconds (default: -1 => never expire passwords)' EQUA + LITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) +olcAttributeTypes: {39}( 1.3.6.1.4.1.7165.2.1.62 NAME 'sambaMinPwdAge' DESC 'M + inimum password age, in seconds (default: 0 => allow immediate password chang + e)' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) +olcAttributeTypes: {40}( 1.3.6.1.4.1.7165.2.1.63 NAME 'sambaLockoutDuration' D + ESC 'Lockout duration in minutes (default: 30, -1 => forever)' EQUALITY integ + erMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) +olcAttributeTypes: {41}( 1.3.6.1.4.1.7165.2.1.64 NAME 'sambaLockoutObservation + Window' DESC 'Reset time after lockout in minutes (default: 30)' EQUALITY int + egerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) +olcAttributeTypes: {42}( 
1.3.6.1.4.1.7165.2.1.65 NAME 'sambaLockoutThreshold' + DESC 'Lockout users after bad logon attempts (default: 0 => off)' EQUALITY in + tegerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) +olcAttributeTypes: {43}( 1.3.6.1.4.1.7165.2.1.66 NAME 'sambaForceLogoff' DESC + 'Disconnect Users outside logon hours (default: -1 => off, 0 => on)' EQUALITY + integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) +olcAttributeTypes: {44}( 1.3.6.1.4.1.7165.2.1.67 NAME 'sambaRefuseMachinePwdCh + ange' DESC 'Allow Machine Password changes (default: 0 => off)' EQUALITY inte + gerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) +olcAttributeTypes: {45}( 1.3.6.1.4.1.7165.2.1.68 NAME 'sambaClearTextPassword' + DESC 'Clear text password (used for trusted domain passwords)' EQUALITY octe + tStringMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 ) +olcAttributeTypes: {46}( 1.3.6.1.4.1.7165.2.1.69 NAME 'sambaPreviousClearTextP + assword' DESC 'Previous clear text password (used for trusted domain password + s)' EQUALITY octetStringMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 ) +olcAttributeTypes: {47}( 1.3.6.1.4.1.7165.2.1.70 NAME 'sambaTrustType' DESC 'T + ype of trust' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SING + LE-VALUE ) +olcAttributeTypes: {48}( 1.3.6.1.4.1.7165.2.1.71 NAME 'sambaTrustAttributes' D + ESC 'Trust attributes for a trusted domain' EQUALITY integerMatch SYNTAX 1.3. 
+ 6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) +olcAttributeTypes: {49}( 1.3.6.1.4.1.7165.2.1.72 NAME 'sambaTrustDirection' DE + SC 'Direction of a trust' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.1 + 21.1.27 SINGLE-VALUE ) +olcAttributeTypes: {50}( 1.3.6.1.4.1.7165.2.1.73 NAME 'sambaTrustPartner' DESC + 'Fully qualified name of the domain with which a trust exists' EQUALITY case + IgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{128} ) +olcAttributeTypes: {51}( 1.3.6.1.4.1.7165.2.1.74 NAME 'sambaFlatName' DESC 'Ne + tBIOS name of a domain' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115. + 121.1.15{128} ) +olcAttributeTypes: {52}( 1.3.6.1.4.1.7165.2.1.75 NAME 'sambaTrustAuthOutgoing' + DESC 'Authentication information for the outgoing portion of a trust' EQUALIT + Y caseExactMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{1050} ) +olcAttributeTypes: {53}( 1.3.6.1.4.1.7165.2.1.76 NAME 'sambaTrustAuthIncoming' + DESC 'Authentication information for the incoming portion of a trust' EQUALIT + Y caseExactMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{1050} ) +olcAttributeTypes: {54}( 1.3.6.1.4.1.7165.2.1.77 NAME 'sambaSecurityIdentifier + ' DESC 'SID of a trusted domain' EQUALITY caseIgnoreIA5Match SUBSTR caseExact + IA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{64} SINGLE-VALUE ) +olcAttributeTypes: {55}( 1.3.6.1.4.1.7165.2.1.78 NAME 'sambaTrustForestTrustIn + fo' DESC 'Forest trust information for a trusted domain object' EQUALITY case + ExactMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{1050} ) +olcAttributeTypes: {56}( 1.3.6.1.4.1.7165.2.1.79 NAME 'sambaTrustPosixOffset' + DESC 'POSIX offset of a trust' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466. 
+ 115.121.1.27 SINGLE-VALUE ) +olcAttributeTypes: {57}( 1.3.6.1.4.1.7165.2.1.80 NAME 'sambaSupportedEncryptio + nTypes' DESC 'Supported encryption types of a trust' EQUALITY integerMatch SY + NTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) +olcObjectClasses: {0}( 1.3.6.1.4.1.7165.2.2.6 NAME 'sambaSamAccount' DESC 'Sam + ba 3.0 Auxilary SAM Account' SUP top AUXILIARY MUST ( uid $ sambaSID ) MAY ( + cn $ sambaLMPassword $ sambaNTPassword $ sambaPwdLastSet $ sambaLogonTime $ s + ambaLogoffTime $ sambaKickoffTime $ sambaPwdCanChange $ sambaPwdMustChange $ + sambaAcctFlags $ displayName $ sambaHomePath $ sambaHomeDrive $ sambaLogonScr + ipt $ sambaProfilePath $ description $ sambaUserWorkstations $ sambaPrimaryGr + oupSID $ sambaDomainName $ sambaMungedDial $ sambaBadPasswordCount $ sambaBad + PasswordTime $ sambaPasswordHistory $ sambaLogonHours ) ) +olcObjectClasses: {1}( 1.3.6.1.4.1.7165.2.2.4 NAME 'sambaGroupMapping' DESC 'S + amba Group Mapping' SUP top AUXILIARY MUST ( gidNumber $ sambaSID $ sambaGrou + pType ) MAY ( displayName $ description $ sambaSIDList ) ) +olcObjectClasses: {2}( 1.3.6.1.4.1.7165.2.2.14 NAME 'sambaTrustPassword' DESC + 'Samba Trust Password' SUP top STRUCTURAL MUST ( sambaDomainName $ sambaNTPas + sword $ sambaTrustFlags ) MAY ( sambaSID $ sambaPwdLastSet ) ) +olcObjectClasses: {3}( 1.3.6.1.4.1.7165.2.2.15 NAME 'sambaTrustedDomainPasswor + d' DESC 'Samba Trusted Domain Password' SUP top STRUCTURAL MUST ( sambaDomain + Name $ sambaSID $ sambaClearTextPassword $ sambaPwdLastSet ) MAY sambaPreviou + sClearTextPassword ) +olcObjectClasses: {4}( 1.3.6.1.4.1.7165.2.2.5 NAME 'sambaDomain' DESC 'Samba D + omain Information' SUP top STRUCTURAL MUST ( sambaDomainName $ sambaSID ) MAY + ( sambaNextRid $ sambaNextGroupRid $ sambaNextUserRid $ sambaAlgorithmicRidB + ase $ sambaMinPwdLength $ sambaPwdHistoryLength $ sambaLogonToChgPwd $ sambaM + axPwdAge $ sambaMinPwdAge $ sambaLockoutDuration $ sambaLockoutObservationWin + dow $ sambaLockoutThreshold $ 
sambaForceLogoff $ sambaRefuseMachinePwdChange + ) ) +olcObjectClasses: {5}( 1.3.6.1.4.1.7165.2.2.7 NAME 'sambaUnixIdPool' DESC 'Poo + l for allocating UNIX uids/gids' SUP top AUXILIARY MUST ( uidNumber $ gidNumb + er ) ) +olcObjectClasses: {6}( 1.3.6.1.4.1.7165.2.2.8 NAME 'sambaIdmapEntry' DESC 'Map + ping from a SID to an ID' SUP top AUXILIARY MUST sambaSID MAY ( uidNumber $ g + idNumber ) ) +olcObjectClasses: {7}( 1.3.6.1.4.1.7165.2.2.9 NAME 'sambaSidEntry' DESC 'Struc + tural Class for a SID' SUP top STRUCTURAL MUST sambaSID ) +olcObjectClasses: {8}( 1.3.6.1.4.1.7165.2.2.10 NAME 'sambaConfig' DESC 'Samba + Configuration Section' SUP top AUXILIARY MAY description ) +olcObjectClasses: {9}( 1.3.6.1.4.1.7165.2.2.11 NAME 'sambaShare' DESC 'Samba S + hare Section' SUP top STRUCTURAL MUST sambaShareName MAY description ) +olcObjectClasses: {10}( 1.3.6.1.4.1.7165.2.2.12 NAME 'sambaConfigOption' DESC + 'Samba Configuration Option' SUP top STRUCTURAL MUST sambaOptionName MAY ( sa + mbaBoolOption $ sambaIntegerOption $ sambaStringOption $ sambaStringListoptio + n $ description ) ) +olcObjectClasses: {11}( 1.3.6.1.4.1.7165.2.2.16 NAME 'sambaTrustedDomain' DESC + 'Samba Trusted Domain Object' SUP top STRUCTURAL MUST cn MAY ( sambaTrustTyp + e $ sambaTrustAttributes $ sambaTrustDirection $ sambaTrustPartner $ sambaFla + tName $ sambaTrustAuthOutgoing $ sambaTrustAuthIncoming $ sambaSecurityIdenti + fier $ sambaTrustForestTrustInfo $ sambaTrustPosixOffset $ sambaSupportedEncr + yptionTypes) ) + diff --git a/nomad-job/openldap/smbkrb5pwd.ldif b/nomad-job/openldap/smbkrb5pwd.ldif new file mode 100644 index 0000000..2d4b6ea --- /dev/null +++ b/nomad-job/openldap/smbkrb5pwd.ldif 
@@ -0,0 +1,15 @@
+dn: cn=module,cn=config
+changetype: add
+cn: module
+objectClass: olcModuleList
+olcModuleLoad: smbkrb5pwd
+# olcModuleLoad: smbkrb5pwd_srv
+
+dn: olcOverlay=smbkrb5pwd,olcDatabase={2}mdb,cn=config
+changetype: add
+objectClass: top
+objectClass: olcOverlayConfig
+objectClass: olcSmbKrb5PwdConfig
+olcOverlay: smbkrb5pwd
+olcSmbKrb5PwdEnable: samba
+
diff --git a/nomad-job/openldap/tree.ldif b/nomad-job/openldap/tree.ldif
new file mode 100644
index 0000000..30ae9a2
--- /dev/null
+++ b/nomad-job/openldap/tree.ldif
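Review bot: `dn: cn=module,cn=config` with `changetype: add` collides with the identical `cn=module,cn=config` entry that `memberofOverlay.ldif` in this commit also creates; assuming both files are applied to the same `cn=config`, the second add fails with "Already exists" and `smbkrb5pwd` is never loaded. Append to the module list created by the first file instead (OpenLDAP typically renames it `cn=module{0},cn=config`), as in the rewritten entry below. Separately, the nomad job renders this file to `local/smbkrb5pwd.ldif`, outside both `LDAP_CUSTOM_SCHEMA_DIR=/local/schema` and `LDAP_CUSTOM_LDIF_DIR=/local/ldif`, so as committed it does not appear to be applied at all. Once it is, the overlay writes `sambaNTPassword` (an unsalted NT hash, equivalent to the password for SMB authentication) on every password change, so the database needs an `olcAccess` rule denying read on `sambaNTPassword`/`sambaLMPassword` to everyone but the account itself and the Samba bind user; no ACL is part of this change.
```ldif
dn: cn=module{0},cn=config
changetype: modify
add: olcModuleLoad
olcModuleLoad: smbkrb5pwd

# … unchanged: olcOverlay=smbkrb5pwd,olcDatabase={2}mdb,cn=config entry …
```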
@@ -0,0 +1,368 @@
+version: 1
+
+dn: dc=ducamps,dc=eu
+objectClass: dcObject
+objectClass: organization
+dc: ducamps
+o: ducamps
+
+dn: ou=users,dc=ducamps,dc=eu
+objectClass: organizationalUnit
+ou: users
+
+dn: ou=groups,dc=ducamps,dc=eu
+objectClass: organizationalUnit
+ou: groups
+
+dn: cn=lastGID,dc=ducamps,dc=eu
+objectClass: device
+objectClass: top
+cn: lastGID
+description: Records the last GID used to create a Posix group. This prevent
+ s the re-use of a GID from a deleted group.
+serialNumber: 1000019
+
+dn: cn=lastUID,dc=ducamps,dc=eu
+objectClass: device
+objectClass: top
+cn: lastUID
+description: Records the last UID used to create a Posix account. This preve
+ nts the re-use of a UID from a deleted account.
+serialNumber: 1000006
+
+
+dn: uid=hubert,ou=users,dc=ducamps,dc=eu
+objectClass: extensibleObject
+objectClass: inetOrgPerson
+objectClass: organizationalPerson
+objectClass: person
+objectClass: posixAccount
+objectClass: shadowAccount
+objectClass: top
+cn: hubert
+gidNumber: 1000001
+homeDirectory: /home/hubert
+sn: hubert
+uid: hubert
+uidNumber: 1000003
+displayName: hubert
+loginShell: /bin/sh
+mail: hubertducamps@gmail.com
+shadowExpire: -1
+shadowFlag: 0
+shadowInactive: 0
+shadowLastChange: 19136
+shadowMax: 99999
+shadowMin: 0
+shadowWarning: 7
+
+dn: uid=olivier,ou=users,dc=ducamps,dc=eu
+objectClass: extensibleObject
+objectClass: inetOrgPerson
+objectClass: organizationalPerson
+objectClass: person
+objectClass: posixAccount
+objectClass: shadowAccount
+objectClass: top
+cn: olivier
+gidNumber: 1000001
+homeDirectory: /home/olivier
+sn: olivier
+uid: olivier
+uidNumber: 1000002
+displayName: olivier
+loginShell: /bin/sh
+mail: olivier@ducamps.eu
+shadowExpire: -1
+shadowFlag: 0
+shadowInactive: 0
+shadowLastChange: 18857
+shadowMax: 99999
+shadowMin: 0
+shadowWarning: 7
+
+dn: uid=vincent,ou=users,dc=ducamps,dc=eu
+objectClass: extensibleObject
+objectClass: inetOrgPerson
+objectClass: organizationalPerson
+objectClass: person
+objectClass: posixAccount
+objectClass: shadowAccount
+objectClass: top
+cn: vincent
+gidNumber: 1000001
+homeDirectory: /home/vincent
+sn: vincent
+uid: vincent
+uidNumber: 1000001
+displayName: vincent
+loginShell: /bin/zsh
+mail: vincent@ducamps.eu
+shadowExpire: -1
+shadowFlag: 0
+shadowInactive: 0
+shadowLastChange: 19213
+shadowMax: 99999
+shadowMin: 0
+shadowWarning: 7
+
+dn: uid=vaultServiceAccount,ou=users,dc=ducamps,dc=eu
+objectClass: extensibleObject
+objectClass: inetOrgPerson
+objectClass: organizationalPerson
+objectClass: person
+objectClass: posixAccount
+objectClass: shadowAccount
+objectClass: top
+cn: vaultServiceAccount
+gidNumber: 1000001
+homeDirectory: /home/vaultServiceAccount
+sn: vaultServiceAccount
+uid: vaultServiceAccount
+uidNumber: 1000005
+displayName: vaultServiceAccount
+loginShell: /bin/sh
+shadowExpire: -1
+shadowFlag: 0
+shadowInactive: 0
+shadowLastChange: 19213
+shadowMax: 99999
+shadowMin: 0
+shadowWarning: 7
+
+dn: uid=supysonicServiceAccount,ou=users,dc=ducamps,dc=eu
+objectClass: extensibleObject
+objectClass: inetOrgPerson
+objectClass: organizationalPerson
+objectClass: person
+objectClass: posixAccount
+objectClass: shadowAccount
+objectClass: top
+cn: supysonicServiceAccount
+gidNumber: 1000001
+homeDirectory: /home/supysonicServiceAccount
+sn: supysonicServiceAccount
+uid: supysonicServiceAccount
+uidNumber: 1000006
+displayName: supysonicServiceAccount
+loginShell: /bin/sh
+shadowExpire: -1
+shadowFlag: 0
+shadowInactive: 0
+shadowLastChange: 19437
+shadowMax: 99999
+shadowMin: 100000
+shadowWarning: 7
+
+dn: cn=na_a,ou=groups,dc=ducamps,dc=eu
+objectClass: extensibleObject
+objectClass: groupOfNames
+objectClass: posixGroup
+objectClass: top
+cn: na_a
+gidNumber: 1000011
+member: cn=Directory Consumers,ou=groups,dc=ducamps,dc=eu
+member: uid=vincent,ou=users,dc=ducamps,dc=eu
+displayName: na_a
+memberUid: vincent
+
+dn: cn=NAS_user,ou=groups,dc=ducamps,dc=eu
+objectClass: extensibleObject
+objectClass: groupOfNames
+objectClass: posixGroup
+objectClass: top
+cn: NAS_user
+gidNumber: 1000013
+member: uid=hubert,ou=users,dc=ducamps,dc=eu
+member: uid=loic,ou=users,dc=ducamps,dc=eu
+member: uid=olivier,ou=users,dc=ducamps,dc=eu
+member: uid=vincent,ou=users,dc=ducamps,dc=eu
+displayName: NAS_user
+memberUid: admin
+memberUid: hubert
+memberUid: loic
+memberUid: olivier
+memberUid: vincent
+
+dn: cn=NAS_ebook,ou=groups,dc=ducamps,dc=eu
+objectClass: extensibleObject
+objectClass: groupOfNames
+objectClass: posixGroup
+objectClass: top
+cn: NAS_ebook
+gidNumber: 1000006
+member: uid=vincent,ou=users,dc=ducamps,dc=eu
+description: group owner of ebook folder
+displayName: NAS_ebook
+memberUid: admin
+memberUid: vincent
+
+dn: cn=NAS_media,ou=groups,dc=ducamps,dc=eu
+objectClass: extensibleObject
+objectClass: groupOfNames
+objectClass: posixGroup
+objectClass: top
+cn: NAS_media
+gidNumber: 1000003
+member: uid=vincent,ou=users,dc=ducamps,dc=eu
+description: group owner of media folder
+displayName: media
+memberUid: admin
+memberUid: vincent
+
+dn: cn=NAS_music,ou=groups,dc=ducamps,dc=eu
+objectClass: extensibleObject
+objectClass: groupOfNames
+objectClass: posixGroup
+objectClass: top
+cn: NAS_music
+gidNumber: 1000005
+member: uid=vincent,ou=users,dc=ducamps,dc=eu
+description: group owner of Music folder
+displayName: NAS_music
+memberUid: admin
+memberUid: vincent
+
+dn: cn=NAS_photo,ou=groups,dc=ducamps,dc=eu
+objectClass: extensibleObject
+objectClass: groupOfNames
+objectClass: posixGroup
+objectClass: top
+cn: NAS_photo
+gidNumber: 1000004
+member: uid=hubert,ou=users,dc=ducamps,dc=eu
+member: uid=olivier,ou=users,dc=ducamps,dc=eu
+member: uid=vincent,ou=users,dc=ducamps,dc=eu
+description: group owner of photo folder
+displayName: photo
+memberUid: admin
+memberUid: hubert
+memberUid: olivier
+memberUid: vincent
+
+dn: cn=serverAdmin,ou=groups,dc=ducamps,dc=eu
+objectClass: extensibleObject
+objectClass: groupOfNames
+objectClass: posixGroup
+objectClass: top
+cn: serverAdmin
+gidNumber: 1000016
+member: uid=vincent,ou=users,dc=ducamps,dc=eu
+displayName: server_admin
+memberUid: vincent
+
+dn: cn=vault_admin,ou=groups,dc=ducamps,dc=eu
+objectClass: extensibleObject
+objectClass: groupOfNames
+objectClass: posixGroup
+objectClass: top
+cn: vault_admin
+gidNumber: 1000014
+member: uid=vincent,ou=users,dc=ducamps,dc=eu
+displayName: vaultaccess
+memberUid: vincent
+
+dn: cn=NAS_download,ou=groups,dc=ducamps,dc=eu
+objectClass: extensibleObject
+objectClass: groupOfNames
+objectClass: posixGroup
+objectClass: top
+cn: NAS_download
+gidNumber: 1000007
+member: uid=olivier,ou=users,dc=ducamps,dc=eu
+member: uid=vincent,ou=users,dc=ducamps,dc=eu
+description: group owner du dossier download
+displayName: NAS_download
+memberUid: olivier
+memberUid: vincent
+
+dn: cn=JellyfinUsers,ou=groups,dc=ducamps,dc=eu
+objectClass: extensibleObject
+objectClass: groupOfNames
+objectClass: posixGroup
+objectClass: top
+cn: JellyfinUsers
+gidNumber: 1000012
+member: uid=hubert,ou=users,dc=ducamps,dc=eu
+member: uid=loic,ou=users,dc=ducamps,dc=eu
+member: uid=olivier,ou=users,dc=ducamps,dc=eu
+member: uid=vincent,ou=users,dc=ducamps,dc=eu
+displayName: JellyfinUsers
+memberUid: admin
+memberUid: loic
+memberUid: olivier
+memberUid: vincent
+
+dn: cn=administrators,ou=groups,dc=ducamps,dc=eu
+objectClass: extensibleObject
+objectClass: groupOfNames
+objectClass: posixGroup
+objectClass: top
+cn: administrators
+gidNumber: 1000002
+member: uid=vincent,ou=users,dc=ducamps,dc=eu
+description: System default admin group
+displayName: administrators
+memberUid: vincent
+
+dn: cn=LDAP Operators,ou=groups,dc=ducamps,dc=eu
+objectClass: extensibleObject
+objectClass: groupOfNames
+objectClass: posixGroup
+objectClass: top
+cn: Directory Operators
+cn: LDAP Operators
+gidNumber: 1000000
+member: uid=vincent,ou=users,dc=ducamps,dc=eu
+description: Directory default admin group
+displayName: Directory Operators
+memberUid: vincent
+
+dn: cn=SupysonicUsers,ou=groups,dc=ducamps,dc=eu
+objectClass: extensibleObject
+objectClass: groupOfNames
+objectClass: posixGroup
+objectClass: top
+cn: SupysonicUsers
+gidNumber: 1000018
+member: uid=hubert,ou=users,dc=ducamps,dc=eu
+member: uid=olivier,ou=users,dc=ducamps,dc=eu
+member: uid=vincent,ou=users,dc=ducamps,dc=eu
+displayName: SupysonicUsers
+memberUid: hubert
+memberUid: olivier
+memberUid: vincent
+
+dn: cn=SupysonicAdmins,ou=groups,dc=ducamps,dc=eu
+objectClass: extensibleObject
+objectClass: groupOfNames
+objectClass: posixGroup
+objectClass: top
+cn: SupysonicAdmins
+gidNumber: 1000019
+member: uid=vincent,ou=users,dc=ducamps,dc=eu
+displayName: SupysonicAdmins
+memberUid: vincent
+
+dn: cn=workstationAdmin,ou=groups,dc=ducamps,dc=eu
+objectClass: extensibleObject
+objectClass: groupOfNames
+objectClass: posixGroup
+objectClass: top
+cn: workstationAdmin
+gidNumber: 1000017
+member: uid=vincent,ou=users,dc=ducamps,dc=eu
+displayName: workstation_admin
+memberUid: vincent
+
+dn: cn=JellyfinAdministrator,ou=groups,dc=ducamps,dc=eu
+objectClass: extensibleObject
+objectClass: groupOfNames
+objectClass: posixGroup
+objectClass: top
+cn: JellyfinAdministrator
+gidNumber: 1000015
+member: uid=vincent,ou=users,dc=ducamps,dc=eu
+displayName: JellyfinAdministrator
+memberUid: vincent
+
diff --git a/nomad-job/supysonic.nomad b/nomad-job/supysonic.nomad
index cbb7d08..bc0a1ac 100644
--- a/nomad-job/supysonic.nomad
+++ b/nomad-job/supysonic.nomad
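Review bot: The `member` and `memberUid` lists of several groups disagree, and the consumers in this commit read different ones: `NAS_user`, `NAS_ebook`, `NAS_media`, `NAS_music`, `NAS_photo` and `JellyfinUsers` carry `memberUid: admin` with no matching `member:` value (and `admin` is the rootdn from `LDAP_ADMIN_USERNAME`, not a posixAccount here), `JellyfinUsers` lists `member: uid=hubert,...` but no `memberUid: hubert`, while Vault's `groupfilter` ORs `memberUid` with `member` and supysonic's filters use the `memberOf` derived from `member` only. Reconcile each group so both attributes name the same accounts, or drop `memberUid` and let every consumer use `member`; otherwise which application grants access depends on which attribute it happens to read. `uid=loic,ou=users,dc=ducamps,dc=eu` is referenced by `NAS_user` and `JellyfinUsers` but no such entry is created in this file; remove the references or add the account, since an entry later created at that DN inherits the memberships. Every entry also carries `objectClass: extensibleObject`, which disables schema checking for that entry and lets any attribute be written to users and groups; none of the attributes used here need it, so drop it.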
@@ -105,10 +105,10 @@ http { SUPYSONIC_DAEMON_ENABLED = "true" SUPYSONIC_WEBAPP_LOG_LEVEL = "DEBUG" SUPYSONIC_DAEMON_LOG_LEVEL = "INFO" - SUPYSONIC_LDAP_SERVER = "LDAP://ldap.ducamps.eu" - SUPYSONIC_LDAP_BASE_DN = "dc=ducamps,dc=win" - SUPYSONIC_LDAP_USER_FILTER = "(&(memberOf=CN=SupysonicUsers,cn=groups,dc=ducamps,dc=win))" - SUPYSONIC_LDAP_ADMIN_FILTER= "(&(memberOf=CN=SupysonicAdmins,cn=groups,dc=ducamps,dc=win))" + SUPYSONIC_LDAP_SERVER = "LDAPS://ldaps.service.consul" + SUPYSONIC_LDAP_BASE_DN = "dc=ducamps,dc=eu" + SUPYSONIC_LDAP_USER_FILTER = "(&(memberOf=cn=SupysonicUsers,ou=groups,dc=ducamps,dc=eu))" + SUPYSONIC_LDAP_ADMIN_FILTER= "(&(memberOf=cn=SupysonicAdmins,ou=groups,dc=ducamps,dc=eu))" } template { diff --git a/terraform/dns/records.tf b/terraform/dns/records.tf index 6a5bbed..458c15e 100644 --- a/terraform/dns/records.tf +++ b/terraform/dns/records.tf @@ -78,7 +78,7 @@ resource "hetznerdns_record" "rootalias" { resource "powerdns_record" "mail" { zone= powerdns_zone.ducampseu.name type= "MX" - name= "${powerdns_zone.ducampseu.name}" + name= powerdns_zone.ducampseu.name ttl= 1700 records = ["10 ${var.localEndpoint}"] } @@ -113,10 +113,3 @@ resource "powerdns_record" "diskstation" { ttl= 1700 records = ["192.168.1.10"] } -resource "powerdns_record" "ldap" { - zone= powerdns_zone.ducampseu.name - type= "A" - name= "ldap.${powerdns_zone.ducampseu.name}" - ttl= 1700 - records = ["192.168.1.10"] -} diff --git a/terraform/dns/variable.tf b/terraform/dns/variable.tf index 1cf25bd..181b0f6 100644 --- a/terraform/dns/variable.tf +++ b/terraform/dns/variable.tf @@ -34,7 +34,8 @@ variable cnameList{ "vault", "vikunja", "www", - "mail" + "mail", + "ldap" ] } diff --git a/terraform/vault/ldap.tf b/terraform/vault/ldap.tf index 4931db5..b349341 100644 --- a/terraform/vault/ldap.tf +++ b/terraform/vault/ldap.tf 
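Review bot: `SUPYSONIC_LDAP_SERVER = "LDAPS://ldaps.service.consul"` connects to a server whose certificate this commit generates with a self-signed prestart task (`SSL_DNS=ldaps.service.consul,ldap.service.consul` in the openldap job), and no CA bundle or trust setting for the supysonic container is part of the change. Either the client refuses the connection, or, if verification is disabled somewhere not shown here, LDAPS gives confidentiality but no protection against a host that answers for `ldaps.service.consul`, and every user login is a password bind over that channel. Mount the generated `ca.pem` into the supysonic task and point its LDAP client at it (I could not confirm which supysonic setting or `LDAPTLS_CACERT` variable the image honours; check the image). The `memberOf=` filters additionally require the memberof overlay to have been active when `tree.ldif` was imported, since existing entries are not backfilled, so verify `memberOf` is present on a user before relying on `SUPYSONIC_LDAP_ADMIN_FILTER`.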
@@ -1,12 +1,13 @@ resource "vault_ldap_auth_backend" "ldap" { path = "ldap" - url = "ldap://ldap.ducamps.eu" - userdn = "dc=ducamps,dc=win" + url = "ldaps://ldaps.service.consul" + userdn = "dc=ducamps,dc=eu" userattr = "uid" discoverdn = false - groupdn = "cn=groups,dc=ducamps,dc=win" + insecure_tls = true + groupdn = "ou=groups,dc=ducamps,dc=eu" groupfilter = "(|(memberUid={{.Username}})(member={{.UserDN}})(uniqueMember={{.UserDN}}))" - binddn = "uid=vaultserviceaccount,cn=users,dc=ducamps,dc=win" + binddn = "uid=vaultserviceaccount,ou=users,dc=ducamps,dc=eu" groupattr = "cn" bindpass = var.ldap_bindpass } diff --git a/terraform/vault/nomad.tf b/terraform/vault/nomad.tf index 871e6f2..ddd4732 100644 --- a/terraform/vault/nomad.tf +++ b/terraform/vault/nomad.tf @@ -24,7 +24,8 @@ locals { "alertmanager", "vault-backup", "pdns", - "torrent" + "torrent", + "ldap" ] }
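Review bot: `insecure_tls = true` disables certificate verification for Vault's LDAP auth method, so the new `ldaps://` URL gives encryption but no server authentication: anyone who can answer for `ldaps.service.consul` (a Consul service name, resolved to whichever node registers the service) receives every user's password bind plus `var.ldap_bindpass`. The openldap job in this commit already produces a `ca.pem` next to the server certificate; load it into the backend and drop the bypass with `insecure_tls = false` and `certificate = file("${path.module}/ldap-ca.pem")` (the `vault_ldap_auth_backend` resource takes the CA PEM in `certificate`; adjust the path to wherever the CA is exported). That prestart task appears to regenerate the self-signed pair into `${NOMAD_ALLOC_DIR}` on every allocation, so pin a stable CA rather than the per-alloc one or Vault's trust breaks on each redeploy. The `nomad.tf` hunk adding `"ldap"` to the policy list needs no change.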