diff --git a/roles/sssd/handlers/main.yml b/roles/sssd/handlers/main.yml
new file mode 100644
index 0000000..6c6f144
--- /dev/null
+++ b/roles/sssd/handlers/main.yml
@@ -0,0 +1,6 @@
+---
+
+- name: restart sssd
+ service:
+ name: sssd
+ state: restarted
diff --git a/roles/sssd/meta/main.yml b/roles/sssd/meta/main.yml
new file mode 100644
index 0000000..6cab9fe
--- /dev/null
+++ b/roles/sssd/meta/main.yml
@@ -0,0 +1,4 @@
+---
+dependencies:
+ - {role: kerberos/client}
+ - {role: ldap/client}
diff --git a/roles/sssd/tasks/main.yml b/roles/sssd/tasks/main.yml
new file mode 100644
index 0000000..5898141
--- /dev/null
+++ b/roles/sssd/tasks/main.yml
@@ -0,0 +1,20 @@
+---
+- name: install packages
+ package:
+ name: sssd
+ state: installed
+
+- name: create sssd config
+ template:
+ dest: /etc/sssd/sssd.conf
+ src: sssd.conf.j2
+ mode: 0600
+ owner: root
+ group: "{{ ansible_wheel }}"
+ notify: restart sssd
+
+- name: enable sssd service
+ service:
+ name: sssd
+ state: started
+ enabled: true
diff --git a/roles/sssd/templates/sssd.conf.j2 b/roles/sssd/templates/sssd.conf.j2
new file mode 100644
index 0000000..e011ad2
--- /dev/null
+++ b/roles/sssd/templates/sssd.conf.j2
@@ -0,0 +1,23 @@
+[sssd]
+config_file_version = 2
+services = nss, pam
+domains = {{ kerberos_realm }}
+
+[nss]
+
+[pam]
+
+[domain/{{ kerberos_realm }}]
+id_provider = ldap
+auth_provider = krb5
+chpass_provider = ldap
+ldap_uri = ldaps://{{ ldap_server[0] }}
+ldap_search_base = {{ ldap_basedn }}
+ldap_schema = rfc2307bis
+ldap_group_member = uniqueMember
+ldap_id_use_start_tls = False
+ldap_tls_reqcert = demand
+ldap_sasl_mech = EXTERNAL
+ldap_tls_cert = {{ tls_certs }}/{{ inventory_hostname }}.crt
+ldap_tls_key = {{ tls_private }}/{{ inventory_hostname }}.key
+krb5_realm = {{ kerberos_realm }}
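Review bot: In the "create sssd config" task, `mode: 0600` is an unquoted YAML scalar, so the resulting permission depends on the loader treating the leading zero as octal; the lint-clean form that removes that ambiguity is `mode: "0600"`. In "install packages", `state: installed` is a legacy alias for the generic `package` module and `state: present` is the documented value. The `group: "{{ ansible_wheel }}"` assignment grants nothing under a 0600 mode, so a short comment on the task stating whether the group is set intentionally (for ownership consistency) or the mode is meant to be group-readable would save the next reader from guessing.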
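Review bot: `ldap_uri = ldaps://{{ ldap_server[0] }}` pins the domain to the first server only, so an inventory with several LDAP hosts gets no failover; sssd accepts a comma-separated list, e.g. `ldap_uri = {{ ldap_server | map('regex_replace', '^', 'ldaps://') | join(', ') }}`. With `ldap_tls_reqcert = demand` the server certificate must chain to a trusted CA, but no `ldap_tls_cacert` or `ldap_tls_cacertdir` is set, so verification depends on whatever the ldap/client dependency or the system trust store happens to provide — if the directory uses an internal CA, an explicit `ldap_tls_cacert = <path to CA bundle>` makes that requirement visible in the role itself. No `access_provider` is declared, and sssd's default is `permit`, meaning every account returned by the id_provider may log in; if login is meant to be restricted, say so explicitly (`access_provider = ldap` with an `ldap_access_filter`), otherwise a one-line comment that unrestricted access is intended documents the decision.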