diff --git a/ldap/files/slapd.default b/ldap/files/slapd.default
new file mode 100644
index 0000000..2416fa8
--- /dev/null
+++ b/ldap/files/slapd.default
@@ -0,0 +1,45 @@
+# Default location of the slapd.conf file or slapd.d cn=config directory. If
+# empty, use the compiled-in default (/etc/ldap/slapd.d with a fallback to
+# /etc/ldap/slapd.conf).
+SLAPD_CONF="/etc/ldap/slapd.conf"
+
+# System account to run the slapd server under. If empty the server
+# will run as root.
+SLAPD_USER="openldap"
+
+# System group to run the slapd server under. If empty the server will
+# run in the primary group of its user.
+SLAPD_GROUP="openldap"
+
+# Path to the pid file of the slapd server. If not set the init.d script
+# will try to figure it out from $SLAPD_CONF (/etc/ldap/slapd.d by
+# default)
+SLAPD_PIDFILE=
+
+# slapd normally serves ldap only on all TCP-ports 389. slapd can also
+# service requests on TCP-port 636 (ldaps) and requests via unix
+# sockets.
+# Example usage:
+# SLAPD_SERVICES="ldap://127.0.0.1:389/ ldaps:/// ldapi:///"
+SLAPD_SERVICES="ldap:/// ldaps:/// ldapi:///"
+
+# If SLAPD_NO_START is set, the init script will not start or restart
+# slapd (but stop will still work). Uncomment this if you are
+# starting slapd via some other means or if you don't want slapd normally
+# started at boot.
+#SLAPD_NO_START=1
+
+# If SLAPD_SENTINEL_FILE is set to path to a file and that file exists,
+# the init script will not start or restart slapd (but stop will still
+# work). Use this for temporarily disabling startup of slapd (when doing
+# maintenance, for example, or through a configuration management system)
+# when you don't want to edit a configuration file.
+SLAPD_SENTINEL_FILE=/etc/ldap/noslapd
+
+# For Kerberos authentication (via SASL), slapd by default uses the system
+# keytab file (/etc/krb5.keytab). To use a different keytab file,
+# uncomment this line and change the path.
+#export KRB5_KTNAME=/etc/krb5.keytab
+
+# Additional options to pass to slapd
+SLAPD_OPTIONS=""
diff --git a/ldap/manifests/init.pp b/ldap/manifests/init.pp
index e479bb2..e14c9fc 100644
--- a/ldap/manifests/init.pp
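Review bot: `SLAPD_SERVICES="ldap:/// ldaps:/// ldapi:///"` binds the plaintext ldap listener on every interface, while the comment two lines above it gives `ldap://127.0.0.1:389/` as the example, so the choice deserves an explanation in the file. The slapd.conf.erb hunk in this same commit keeps `security simple_bind=128`, which refuses unencrypted simple binds, so credentials are protected, but anonymous searches and the StartTLS negotiation still take place on port 389 on all addresses. Suggest a comment such as `# ldap:/// is deliberately bound on all interfaces; simple binds require ssf>=128 (see slapd.conf), so narrow this to ldap://127.0.0.1:389/ only if no remote client needs StartTLS on 389` above the assignment, or narrowing the listener if remote plaintext clients are not expected.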
+++ b/ldap/manifests/init.pp
@@ -357,6 +357,14 @@ class ldap::server {
 $service_name = "slapd"
 $config = "/etc/ldap"
 $modulepath = "/usr/lib/ldap"
+ $rundir = "/var/run/slapd"
+ exec { "usermod-openldap":
+ path => "/bin:/usr/bin:/sbin:/usr/sbin",
+ command => "usermod -a -G ssl-cert openldap",
+ unless => "id -n -G openldap | grep '\\bssl-cert\\b'",
+ require => Package["openldap-server"],
+ before => Service["slapd"],
+ }
 }
 "fedora": {
 $user = "ldap"
@@ -368,6 +376,7 @@ class ldap::server {
 "x86_64" => "/usr/lib64/openldap",
 default => "/usr/lib/openldap",
 }
+ $rundir = "/var/run/openldap"
 }
 "centos","redhat": {
 $user = "ldap"
@@ -385,6 +394,7 @@ class ldap::server {
 "x86_64" => "/usr/lib64/openldap",
 default => "/usr/lib/openldap",
 }
+ $rundir = "/var/run/openldap"
 }
 "openbsd": {
 $user = "_openldap"
@@ -393,6 +403,7 @@ class ldap::server {
 $service_name = "slapd"
 $config = "/etc/openldap"
 $modulepath = ""
+ $rundir = "/var/run/openldap"
 }
 }
 
@@ -446,15 +457,29 @@ class ldap::server {
 notify => Exec["generate-slapd-database-config"],
 }
 
- if $::operatingsystem in ["CentOS","RedHat"] and $operatinsystemrelease !~ /^5\./ {
- file { "/etc/sysconfig/ldap":
- ensure => present,
- source => "puppet:///modules/ldap/ldap.sysconfig",
- mode => "0644",
- owner => "root",
- group => "root",
- notify => Service["slapd"],
- require => Package["openldap-server"],
+ case $::operatingsystem {
+ "centos","redhat": {
+ if $::operatinsystemrelease !~ /^5\./ {
+ file { "/etc/sysconfig/ldap":
+ ensure => present,
+ source => "puppet:///modules/ldap/ldap.sysconfig",
+ mode => "0644",
+ owner => "root",
+ group => "root",
+ notify => Service["slapd"],
+ require => Package["openldap-server"],
+ }
+ }
+ }
+ "debian","ubuntu": {
+ file { "/etc/default/slapd":
+ source => "puppet:///modules/ldap/slapd.default",
+ mode => "0644",
+ owner => "root",
+ group => "root",
+ notify => Service["slapd"],
+ require => Package["openldap-server"],
+ }
 }
 }
 
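Review bot: The `usermod-openldap` exec orders itself `before => Service["slapd"]` but never notifies it, so on a host where slapd is already running the new ssl-cert supplementary group is not picked up until some unrelated restart, and the running daemon keeps failing to read the key until then; replace `before => Service["slapd"],` with `notify => Service["slapd"],` (notify implies the ordering). Membership in ssl-cert gives the openldap account read access to every private key that group owns, which is a deliberate privilege grant worth a one-line comment above the exec, e.g. `# openldap must be in ssl-cert to read the TLS key; this exposes every key owned by that group to slapd`. The case branch this exec lives in begins outside the hunk, so I am inferring from `$modulepath = "/usr/lib/ldap"` that it is the Debian/Ubuntu branch.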
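Review bot: The RHEL 5 exclusion in the new `case` block still reads `$::operatinsystemrelease` (the `g` is missing), a fact that does not exist, so the condition never sees the release; on CentOS/RedHat 5 it either compares an empty value and manages `/etc/sysconfig/ldap` anyway or fails the catalog, depending on the Puppet version. The line should be `if $::operatingsystemrelease !~ /^5\./ {`. The removed code carried the same typo, so this is not a regression, but the rewrite is the moment to fix it. The `"debian","ubuntu"` file resource also omits the `ensure => present` its centos sibling has; harmless for a `file` with `source`, but inconsistent between the two branches. The `ldap::server` class body continues on both sides of the hunk.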
diff --git a/ldap/templates/slapd.conf.erb b/ldap/templates/slapd.conf.erb
index 2519a6e..ac54d77 100644
--- a/ldap/templates/slapd.conf.erb
+++ b/ldap/templates/slapd.conf.erb
@@ -19,8 +19,8 @@ security simple_bind=128
 sizelimit size.soft=500
 sizelimit size.hard=none
 
-pidfile /var/run/openldap/slapd.pid
-argsfile /var/run/openldap/slapd.args
+pidfile <%= scope.lookupvar('ldap::server::rundir') %>/slapd.pid
+argsfile <%= scope.lookupvar('ldap::server::rundir') %>/slapd.args
 
 # overlay modules to load
 <% if scope.lookupvar('ldap::server::modulepath') != '' -%>
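Review bot: The new `pidfile`/`argsfile` lines depend on `ldap::server::rundir`, which the init.pp hunks assign only inside the per-OS `case` branches; if that case has no `default` branch (none is visible in this diff), an unmatched OS renders `pidfile /slapd.pid` or an `undefined/slapd.pid`-style path and slapd either fails to start or writes its pid file into `/`. The template already guards `modulepath` with `!= ''`, so the same convention fits here: `<% raise 'ldap::server::rundir is not set for this OS' if scope.lookupvar('ldap::server::rundir').to_s.empty? -%>` immediately before the `pidfile` line (older Puppet returns `:undefined` from `lookupvar`, so compare against that too if the module supports those versions). The commit also sets `$rundir` as a value only and shows no `file` resource for the directory, so it is worth confirming that the package or init script creates it owned by the slapd user and not world-writable, since the init script trusts whatever pid that file contains.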