diff --git a/group_vars/ldap.yml b/group_vars/ldap.yml
new file mode 100644
index 0000000..d32ca1f
--- /dev/null
+++ b/group_vars/ldap.yml
@@ -0,0 +1,11 @@
+---
+
+datadisk_size:
+  - 10
+
+saslauthd_mech: ldap
+
+firewall_in:
+  - {proto: tcp, port: 22, from: [172.20.20.0/22]}
+  - {proto: tcp, port: 443, from: [172.20.20.0/22]}
+  - {proto: tcp, port: 636, from: [172.20.20.0/22]}
diff --git a/host_vars/ldap01.home.foo.sh.yml b/host_vars/ldap01.home.foo.sh.yml
new file mode 100644
index 0000000..e0aed5c
--- /dev/null
+++ b/host_vars/ldap01.home.foo.sh.yml
@@ -0,0 +1,5 @@
+---
+interfaces: [[20, "52:54:00:ac:dc:1f"]]
+vmhost: vmhost01.home.foo.sh
+
+ldap_master: true
diff --git a/hosts b/hosts
index 583d6a0..eacb816 100644
--- a/hosts
+++ b/hosts
@@ -7,12 +7,16 @@ git02.home.foo.sh
 [gw]
 gw01.home.foo.sh
 
+[ldap]
+ldap01.home.foo.sh
+
 [proxy]
 proxy01.home.foo.sh
 proxy02.home.foo.sh
 
 [centos7:children]
 git
+ldap
 mirror
 
 [openbsd:children]
diff --git a/playbooks/ldap.yml b/playbooks/ldap.yml
new file mode 100644
index 0000000..eb66aea
--- /dev/null
+++ b/playbooks/ldap.yml
@@ -0,0 +1,24 @@
+---
+- import_playbook: "include/vm-create.yml myhosts=ldap"
+
+- name: configure instance
+  hosts: ldap
+  user: root
+  gather_facts: true
+
+  pre_tasks:
+    - name: mount /export
+      mount:
+        name: /export
+        src: LABEL=/export
+        fstype: xfs
+        opts: noatime,noexec,nosuid,nodev
+        passno: 1
+        dump: 0
+        state: mounted
+
+  vars_files:
+    - /srv/ansible-private/vars.yml
+
+  roles:
+    - base