diff --git a/group_vars/sssd.yml b/group_vars/sssd.yml
new file mode 100644
index 0000000000000000000000000000000000000000..29b359f77c4fc113c828434c1c711ed8dca7558e
--- /dev/null
+++ b/group_vars/sssd.yml
@@ -0,0 +1,16 @@
+glob_sssd:
+  primary:
+    domain: tealc.adm.crans.org
+    servers:
+      - "{{ query('ldap','ip','tealc','adm') | ipv4 | first }}"
+      - "{{ query('ldap','ip','sam','adm') | ipv4 | first }}"
+      - "{{ query('ldap','ip','daniel','adm') | ipv4 | first }}"
+      - "{{ query('ldap','ip','jack','adm') | ipv4 | first }}"
+    base: "dc=crans,dc=org"
+  secondary:
+    domain: re2o-ldap.adm.crans.org
+    base: "dc=crans,dc=org"
+    bind:
+      dn: "cn=nslcd,ou=service-users,dc=crans,dc=org"
+      passwd: "{{ vault.ldap_nslcd_passwd }}"
+        
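Review bot: Line 22 is a whitespace-only line at the end of the file; drop it (yamllint `trailing-spaces`). The templates in this commit read `sssd.primary` and `sssd.secondary`, while this file defines `glob_sssd`, so a merge such as `sssd: "{{ glob_sssd | combine(loc_sssd | default({})) }}"` presumably exists in another vars file — if it does not, the role fails at template time, so worth confirming. Note also that only `secondary` carries a `bind`, so the primary domain is queried with anonymous binds; that is fine if the directory allows anonymous read of posixAccount entries, but it is a choice the file should state in a comment.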
diff --git a/hosts b/hosts
index 28188710ebe03c6df75cd32fefe1a887d027e114..1feaeb11c6fceebff05a1c13deaf96a5b2621ffa 100644
--- a/hosts
+++ b/hosts
@@ -219,6 +219,9 @@ jack.adm.crans.org
 sputnik.adm.crans.org
 gulp.cachan-adm.crans.org
 
+[sssd]
+zamok-tmtc.adm.crans.org
+
 [thelounge]
 irc.adm.crans.org
 zamok.adm.crans.org
@@ -295,6 +298,8 @@ tracker.adm.crans.org
 vol447.adm.crans.org
 voyager.adm.crans.org
 yson-partou.adm.crans.org
+zamok-tmtc.adm.crans.org
+#unifi.adm.crans.org
 
 [crans_vm:children]
 routeurs_vm
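Review bot: `#unifi.adm.crans.org` is added as a commented-out inventory line with no explanation, and disabled host entries in an inventory tend to be either forgotten or re-enabled by accident. Either leave it out until the host is meant to receive this group's roles, or annotate it with the reason, e.g. `# unifi.adm.crans.org  -- disabled: not yet migrated, see <ticket>`.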
diff --git a/roles/home-nounou/README.md b/roles/home-nounou/README.md
new file mode 100644
index 0000000000000000000000000000000000000000..80dddb956eb08de74fa5aa397e209975b88dc236
--- /dev/null
+++ b/roles/home-nounou/README.md
@@ -0,0 +1,8 @@
+# HOME-NOUNOUS
+
+Ce rôle permet d'exporter les homes vers les différents serveurs.
+
+## VARS
+
+home_nounous:
+  ip: l'ip du serveur nfs
diff --git a/roles/home-nounou/tasks/main.yml b/roles/home-nounou/tasks/main.yml
new file mode 100644
index 0000000000000000000000000000000000000000..1cbecea7a53b43fff7b3bf3166066b9238cf36e2
--- /dev/null
+++ b/roles/home-nounou/tasks/main.yml
@@ -0,0 +1,23 @@
+---
+- name: Install NFS client
+  apt:
+    update_cache: true
+    name:
+      - nfs-common
+    state: present
+  register: apt_result
+  retries: 3
+  until: apt_result is succeeded
+
+- name: Deploy nfs systemd mount
+  template:
+    src: systemd/system/home_nounou.mount.j2
+    dest: /etc/systemd/system/home_nounou.mount
+    mode: 0644
+
+- name: Load and activate nfs systemd mount
+  systemd:
+    name: home_nounou.mount
+    daemon_reload: true
+    enabled: true
+    state: started
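Review bot: Changes to the rendered unit file are never applied to a running host: the `template` task has no `notify` and the `systemd` task only ensures `started`, so an edited `What=` or `Options=` takes effect at the next reboot. Register the template result and remount only when it changed, e.g. `register: mount_unit` on the template task and `state: "{{ 'restarted' if mount_unit.changed else 'started' }}"` on the systemd task, or add a handler as the sssd role in this commit does. `daemon_reload: true` alone only re-reads the unit; it does not remount.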
diff --git a/roles/home-nounou/templates/systemd/system/home_nounou.mount.j2 b/roles/home-nounou/templates/systemd/system/home_nounou.mount.j2
new file mode 100644
index 0000000000000000000000000000000000000000..a6065ca3da2f390eb6446c9103bf5fac4c545bdf
--- /dev/null
+++ b/roles/home-nounou/templates/systemd/system/home_nounou.mount.j2
@@ -0,0 +1,14 @@
+{{ ansible_header | comment }}
+[Unit]
+Description=Mount home
+Wants=network-online.target
+After=network-online.target
+
+[Mount]
+What={{ home_nounous.ip }}:/pool/home
+Where=/home_nounou
+Type=nfs
+Options=rw,nosuid
+
+[Install]
+WantedBy=multi-user.target
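Review bot: The mount options stop at `nosuid`; a home export coming from another host should also carry `nodev`, and pinning the protocol version avoids a silent negotiation down to NFSv3 with its separate mountd/lockd services: `Options=rw,nosuid,nodev,vers=4`. The mount targets a bare IP with the default `sec=sys`, so file ownership is whatever UID the client presents; that is acceptable on an isolated admin network, but if the NFS server supports it `sec=krb5p` would authenticate and encrypt the traffic — the export side is not in this diff, so I cannot tell. Consider `noexec` too if nothing on this host is expected to run binaries out of `/home_nounou`.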
diff --git a/roles/home-permanent/tasks/main.yml b/roles/home-permanent/tasks/main.yml
new file mode 100644
index 0000000000000000000000000000000000000000..b857e4b5a5ad348071c60695fa2604a3996bdcf8
--- /dev/null
+++ b/roles/home-permanent/tasks/main.yml
@@ -0,0 +1,23 @@
+---
+- name: Deploy nfs systemd mount
+  template:
+    src: systemd/system/{{ item }}.mount.j2
+    dest: /etc/systemd/system/{{ item }}.mount
+    mode: 0755
+  loop:
+    - home
+    - var-mail
+
+- name: Load and activate nfs home systemd mount
+  systemd:
+    name: home.mount
+    daemon_reload: true
+    enabled: true
+    state: started
+
+- name: Load and activate nfs mail systemd mount
+  systemd:
+    name: var-mail.mount
+    daemon_reload: true
+    enabled: true
+    state: started
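Review bot: `mode: 0755` on a systemd mount unit is wrong: unit files are data, and current systemd logs a "marked executable, please remove executable permission bits" warning for each such file at daemon-reload. The sibling `home-nounou` role in this same commit uses `0644`; use that here as well, `mode: 0644`. The templates `systemd/system/home.mount.j2` and `var-mail.mount.j2` are not part of this diff, so I assume they already exist in the role; a README for the role (as `home-nounou` gets) would also help.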
diff --git a/roles/sssd/handlers/main.yml b/roles/sssd/handlers/main.yml
new file mode 100644
index 0000000000000000000000000000000000000000..1c219c2abc398f372bb9c061c146c07b051172bd
--- /dev/null
+++ b/roles/sssd/handlers/main.yml
@@ -0,0 +1,10 @@
+---
+- name: Restart nslcd service
+  service:
+    name: nslcd
+    state: restarted
+
+- name: Restart sssd service
+  service:
+    name: sssd
+    state: restarted
diff --git a/roles/sssd/tasks/main.yml b/roles/sssd/tasks/main.yml
new file mode 100644
index 0000000000000000000000000000000000000000..d9b244b72a92f2c784ad9c21d558377b8855889f
--- /dev/null
+++ b/roles/sssd/tasks/main.yml
@@ -0,0 +1,43 @@
+---
+- name: Install sssd and nslcd
+  apt:
+    update_cache: true
+    name:
+      - sssd
+      - libnss-ldapd
+      - libpam-ldapd
+    state: present
+  register: apt_result
+  retries: 3
+  until: apt_result is succeeded
+
+- name: Configure sssd
+  template:
+    src: sssd/sssd.conf.j2
+    dest: /etc/sssd/sssd.conf
+    mode: 0600
+  notify: Restart sssd service
+
+- name: Configure nslcd for hosts
+  template:
+    src: nslcd.conf.j2
+    dest: /etc/nslcd.conf
+    mode: 0600
+  notify: Restart nslcd service
+
+- name: Configure NSS to use sss
+  lineinfile:
+    dest: /etc/nsswitch.conf
+    regexp: "^{{ item.name }}:"
+    line: "{{ item.name }}:		{{ item.db }}"
+  loop:
+    - {name: passwd, db: files systemd sss}
+    - {name: group, db: files systemd sss}
+    - {name: shadow, db: files sss}
+    - {name: networks, db: files ldap}
+    - {name: hosts, db: files ldap dns}
+
+- name: Configure PAM authentication
+  template:
+    src: pam.d/common-password.j2
+    dest: /etc/pam.d/common-password
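Review bot: The last task replaces `/etc/pam.d/common-password`, a file owned by `pam-auth-update`, with no `mode` and no notify; the next `pam-auth-update` run (triggered by any libpam-* upgrade, including the `libpam-ldapd` installed above) will detect the local modification and either prompt or skip the file, so the two managers will conflict. Either drive PAM through `pam-auth-update` (both sssd and libpam-ldapd ship profiles for it) or, if the template must stay, set `mode: 0644` and document the conflict in the task name. Separately, `hosts: files ldap dns` puts LDAP ahead of DNS for every hostname lookup on the box, so a slow or unreachable nslcd delays all name resolution, and host entries then come from a directory whose TLS peer is not verified by the nslcd template in this commit; confirm `files dns ldap` is not what was intended.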
diff --git a/roles/sssd/templates/nslcd.conf.j2 b/roles/sssd/templates/nslcd.conf.j2
new file mode 100644
index 0000000000000000000000000000000000000000..2360eadc0d65a6ddc61eb85c79084922b5c2220e
--- /dev/null
+++ b/roles/sssd/templates/nslcd.conf.j2
@@ -0,0 +1,34 @@
+{{ ansible_header | comment }}
+# /etc/nslcd.conf
+# nslcd configuration file. See nslcd.conf(5)
+# for details.
+
+# The user and group nslcd should run as.
+uid nslcd
+gid nslcd
+
+# The location at which the LDAP server(s) should be reachable.
+{% for server in sssd.primary.servers %}
+uri ldaps://{{ server }}/
+{% endfor %}
+
+# The search base that will be used for all queries.
+base {{ sssd.primary.base }}
+
+# The LDAP protocol version to use.
+#ldap_version 3
+
+# The DN to bind with for normal lookups.
+#binddn cn=annonymous,dc=example,dc=net
+#bindpw secret
+
+# The DN used for password modifications by root.
+#rootpwmoddn cn=admin,dc=example,dc=com
+
+# SSL options
+#ssl off
+tls_reqcert allow
+tls_cacertfile /etc/ssl/certs/ca-certificates.crt
+
+# The search scope.
+#scope sub
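Review bot: `tls_reqcert allow` makes the `ldaps://` URIs above cosmetic for authentication: nslcd will accept any certificate, so anyone on-path to those addresses can serve arbitrary `hosts`/`networks` entries, and this configuration feeds exactly those NSS databases. Use `tls_reqcert demand`; `tls_cacertfile` is already set, so the only requirement is that the servers' certificates chain to that bundle. The reason for `allow` is presumably that the URIs are IP literals that will not match the certificate's names; emit the hostnames (tealc, sam, daniel, jack) in `uri` instead of the resolved IPs and the verification can be strict.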
diff --git a/roles/sssd/templates/pam.d/common-password.j2 b/roles/sssd/templates/pam.d/common-password.j2
new file mode 100644
index 0000000000000000000000000000000000000000..34be825e17c6b4aaa935af80fe086d6c27938b12
--- /dev/null
+++ b/roles/sssd/templates/pam.d/common-password.j2
@@ -0,0 +1,37 @@
+{{ ansible_header | comment }}
+#
+# /etc/pam.d/common-password - password-related modules common to all services
+#
+# This file is included from other service-specific PAM config files,
+# and should contain a list of modules that define the services to be
+# used to change user passwords.  The default is pam_unix.
+
+# Explanation of pam_unix options:
+#
+# The "sha512" option enables salted SHA512 passwords.  Without this option,
+# the default is Unix crypt.  Prior releases used the option "md5".
+#
+# The "obscure" option replaces the old `OBSCURE_CHECKS_ENAB' option in
+# login.defs.
+#
+# See the pam_unix manpage for other options.
+
+# As of pam 1.0.1-6, this file is managed by pam-auth-update by default.
+# To take advantage of this, it is recommended that you configure any
+# local modules either before or after the default block, and use
+# pam-auth-update to manage selection of other modules.  See
+# pam-auth-update(8) for details.
+
+# here are the per-package modules (the "Primary" block)
+password        requisite                       pam_pwquality.so retry=3
+password        [success=3 default=ignore]      pam_unix.so obscure use_authtok try_first_pass sha512
+password        sufficient                      pam_sss.so use_authtok
+password        [success=1 default=ignore]      pam_ldap.so minimum_uid=1000 try_first_pass
+# here's the fallback if no module succeeds
+password        requisite                       pam_deny.so
+# prime the stack with a positive return value if there isn't one already;
+# this avoids us returning an error just because nothing sets a success code
+# since the modules above will each just jump around
+password        required                        pam_permit.so
+# and here are more per-package modules (the "Additional" block)
+# end of pam-auth-update config
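Review bot: The comment block on lines 267–271 still says this file is managed by `pam-auth-update`, which stops being true once Ansible templates it; replace it with a note that running `pam-auth-update` on this host will conflict with the Ansible-managed file, so the next administrator does not `--force` it back. On the hashing line, `sha512` is what older Debian shipped; on bullseye and later the default is `yescrypt`, so if the target runs that release `pam_unix.so obscure use_authtok try_first_pass yescrypt` keeps local hashes on the stronger scheme — the release is not visible in this diff. Also note the control flow: `pam_unix` jumps over `pam_sss`, `pam_ldap` and `pam_deny` on success, `pam_sss` returns on success, and `pam_ldap` is reached only when both declined, so both LDAP backends end up able to change passwords from this host; confirm the secondary directory is meant to accept that.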
diff --git a/roles/sssd/templates/sssd/sssd.conf.j2 b/roles/sssd/templates/sssd/sssd.conf.j2
new file mode 100644
index 0000000000000000000000000000000000000000..e5f445a09cf94b5a8ada31cee1a159cdf843f6ba
--- /dev/null
+++ b/roles/sssd/templates/sssd/sssd.conf.j2
@@ -0,0 +1,31 @@
+{{ ansible_header | comment }}
+[sssd]
+config_file_version = 2
+services = nss, pam
+domains = {{ sssd.primary.domain }}, {{ sssd.secondary.domain }}
+
+[domain/{{ sssd.primary.domain }}]
+ldap_access_filter = (objectClass=posixAccount)
+enumerate = true
+id_provider = ldap
+auth_provider = ldap
+ldap_uri = ldaps://{{ sssd.primary.domain }}
+ldap_search_base = {{ sssd.primary.base }}
+{% if sssd.primary.bind is defined -%}
+ldap_default_bind_dn = {{ sssd.primary.bind.dn }}
+ldap_default_authtok = {{ sssd.primary.bind.passwd }}
+{% endif %}
+ldap_tls_reqcert = allow
+
+[domain/{{ sssd.secondary.domain }}]
+ldap_access_filter = (objectClass=posixAccount)
+enumerate = true
+id_provider = ldap
+auth_provider = ldap
+ldap_uri = ldaps://{{ sssd.secondary.domain }}
+ldap_search_base = {{ sssd.secondary.base }}
+{% if sssd.secondary.bind is defined -%}
+ldap_default_bind_dn = {{ sssd.secondary.bind.dn }}
+ldap_default_authtok = {{ sssd.secondary.bind.passwd }}
+{% endif %}
+ldap_tls_reqcert = allow
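Review bot: `ldap_access_filter` has no effect in either domain because `access_provider` is not set and defaults to `permit`, so the posixAccount filter enforces nothing; add `access_provider = ldap` to each `[domain/...]` section if it is meant to gate logins. Second, `ldap_tls_reqcert = allow` together with `auth_provider = ldap` means user passwords are sent in a simple bind over a TLS session whose peer is never verified, so an on-path attacker at the domain name can both harvest credentials and return arbitrary identities; use `ldap_tls_reqcert = demand` and `ldap_tls_cacert = /etc/ssl/certs/ca-certificates.crt` (the nslcd template in this commit already points at that bundle). `enumerate = true` is also discouraged beyond small directories, since sssd then periodically downloads the full user and group set.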
diff --git a/roles/sudo/templates/sudoers.d/group_privilege.j2 b/roles/sudo/templates/sudoers.d/group_privilege.j2
index 2b7e31fd472c45b3110a460dafba074198e2f222..25902df57356615db420bcda8e4c7605a7d5bc38 100644
--- a/roles/sudo/templates/sudoers.d/group_privilege.j2
+++ b/roles/sudo/templates/sudoers.d/group_privilege.j2
@@ -1,3 +1,3 @@
 {{ ansible_header | comment }}
 # Group privilege specification
-NOUNOUS    ALL=(ALL:ALL) ALL
+%_nounou    ALL=(ALL:ALL) ALL
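Review bot: The new line grants unrestricted root to every member of `_nounou`, and with the rest of this commit that group is resolved through NSS from LDAP (`group: files systemd sss`), so sudo eligibility becomes only as trustworthy as the directory channel — which the sssd template still leaves at `ldap_tls_reqcert = allow`. Keep the grant, but make certificate verification of the LDAP connection a prerequisite for rolling this to hosts. The removed `NOUNOUS` token was presumably a `User_Alias` declared in another sudoers.d file; if so, that declaration is now dead and should be removed or its file updated in the same change.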