diff --git a/group_vars/re2o_ldap.yml b/group_vars/re2o_ldap.yml
new file mode 100644
index 0000000000000000000000000000000000000000..f873e6f4320dc90ed86c4cc1b1c511b4c94f703e
--- /dev/null
+++ b/group_vars/re2o_ldap.yml
@@ -0,0 +1,7 @@
+---
+glob_re2o_ldap:
+  suffix: dc=crans,dc=org
+  url: "ldaps://{{ query('ldap', 'ip', 'yson-partou', 'adm') | ipv4 | first }}:636"
+  root_password_hash: "{{ vault.ldap_master_password_hash }}"
+  certificate: "{{ vault.ldap_re2o_certificate }}"
+  private_key: "{{ vault.ldap_re2o_private_key }}"
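Review bot: The `replica` sub-mapping that `roles/re2o-ldap/tasks/main.yml` (`re2o_ldap.replica is defined`) and `replication.ldif.j2` (`replica.username`, `replica.password`) read is not declared here, so a host in `[re2o_ldap]` appears to be provisioned without syncrepl unless its host vars supply it under `loc_re2o_ldap`; that contract belongs in this file. Note also that `url` resolves to yson-partou, which is itself a member of the group in `hosts`, so a `replica` entry on that host would point it at itself — presumably it is the provider and must not define one. I would add above `glob_re2o_ldap:` a comment such as `# replica: {username, password} is supplied per host in loc_re2o_ldap; a host without it runs as the provider named by url`.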
diff --git a/group_vars/re2o_ldap_replica.yml b/group_vars/re2o_ldap_replica.yml
deleted file mode 100644
index ae4b34c1663e78c4f730d46f287937dc1822c552..0000000000000000000000000000000000000000
--- a/group_vars/re2o_ldap_replica.yml
+++ /dev/null
@@ -1,10 +0,0 @@
----
-glob_re2o_ldap_replica:
-  replicator:
-    username: replicator
-    password: "{{ vault.ldap_replication_re2o_credentials }}"
-  suffix: dc=crans,dc=org
-  url: "ldaps://{{ query('ldap', 'ip', 'terenez', 'adm') | ipv4 | first }}:636"
-  root_password_hash: "{{ vault.ldap_master_password_hash }}"
-  certificate: "{{ vault.ldap_re2o_certificate }}"
-  private_key: "{{ vault.ldap_re2o_private_key }}"
diff --git a/hosts b/hosts
index b87feae27884d778d0a24f731e38f6408ed83dbd..af37685348f815a6f7f9025967ea007528262d50 100644
--- a/hosts
+++ b/hosts
@@ -193,7 +193,7 @@ radius
 [re2o_front]
 re2o.adm.crans.org
 
-[re2o_ldap_replica]
+[re2o_ldap]
 re2o-dev.adm.crans.org
 yson-partou.adm.crans.org
 
diff --git a/plays/re2o-ldap-replica.yml b/plays/re2o-ldap-replica.yml
deleted file mode 100755
index 1d1344a04e03ee97bf7ca2f404577122701eae8d..0000000000000000000000000000000000000000
--- a/plays/re2o-ldap-replica.yml
+++ /dev/null
@@ -1,7 +0,0 @@
-#!/usr/bin/env ansible-playbook
----
-- hosts: re2o_ldap_replica
-  vars:
-    re2o_ldap_replica: "{{ glob_re2o_ldap_replica | default({}) | combine(loc_re2o_ldap_replica | default({})) }}"
-  roles:
-    - re2o-ldap-replica
diff --git a/plays/re2o-ldap.yml b/plays/re2o-ldap.yml
new file mode 100755
index 0000000000000000000000000000000000000000..fcdd583e694a0311d1cf54c8179a7a8bcbe9810a
--- /dev/null
+++ b/plays/re2o-ldap.yml
@@ -0,0 +1,7 @@
+#!/usr/bin/env ansible-playbook
+---
+- hosts: re2o_ldap
+  vars:
+    re2o_ldap: "{{ glob_re2o_ldap | default({}) | combine(loc_re2o_ldap | default({})) }}"
+  roles:
+    - re2o-ldap
diff --git a/roles/re2o-ldap-replica/templates/ldap/certinfo.ldif.j2 b/roles/re2o-ldap-replica/templates/ldap/certinfo.ldif.j2
deleted file mode 100644
index 8571016c49550c556b8d95fee23c700736850eeb..0000000000000000000000000000000000000000
--- a/roles/re2o-ldap-replica/templates/ldap/certinfo.ldif.j2
+++ /dev/null
@@ -1,8 +0,0 @@
-{{ ansible_header | comment }}
-
-dn: cn=config
-add: olcTLSCertificateFile
-olcTLSCertificateFile: /etc/ldap/ldap.pem
--
-add: olcTLSCertificateKeyFile
-olcTLSCertificateKeyFile: /etc/ldap/ldap.key
diff --git a/roles/re2o-ldap-replica/templates/ldap/db.ldif.j2 b/roles/re2o-ldap-replica/templates/ldap/db.ldif.j2
deleted file mode 100644
index ca2f992f1ff0c6b74ffa6825f0b233877ed8b66c..0000000000000000000000000000000000000000
--- a/roles/re2o-ldap-replica/templates/ldap/db.ldif.j2
+++ /dev/null
@@ -1,188 +0,0 @@
-{{ ansible_header | comment }}
-
-# This file comes from the installation of Re2o
-# https://gitlab.federez.net/re2o/re2o/-/blob/master/install_utils/db.ldiff
-
-dn: {{ re2o_ldap_replica.suffix }}
-o: rezo
-structuralObjectClass: organization
-entryUUID: fc97a0fe-514b-1034-9e4d-59675b32507b
-creatorsName: cn=admin,{{ re2o_ldap_replica.suffix }}
-createTimestamp: 20150225150906Z
-description: ldap
-objectClass: top
-objectClass: dcObject
-objectClass: organization
-entryCSN: 20151003212702.245118Z#000000#000#000000
-modifiersName: cn=admin,{{ re2o_ldap_replica.suffix }}
-modifyTimestamp: 20151003212702Z
-contextCSN: 20161004233332.689769Z#000000#000#000000
-
-dn: cn=admin,{{ re2o_ldap_replica.suffix }}
-objectClass: simpleSecurityObject
-objectClass: organizationalRole
-cn: admin
-structuralObjectClass: organizationalRole
-entryUUID: fc97fa72-514b-1034-9e4e-59675b32507b
-creatorsName: cn=admin,{{ re2o_ldap_replica.suffix }}
-createTimestamp: 20150225150906Z
-description:: TERBUCBhZG1pbmlzdHJhdG9yDQo=
-userPassword: {{ re2o_ldap_replica.root_password_hash }}
-entryCSN: 20160604005945.576566Z#000000#000#000000
-modifiersName: cn=admin,{{ re2o_ldap_replica.suffix }}
-modifyTimestamp: 20160604005945Z
-
-dn: cn=Utilisateurs,{{ re2o_ldap_replica.suffix }}
-gidNumber: 500
-cn: Utilisateurs
-structuralObjectClass: posixGroup
-entryUUID: 5d53854e-5204-1034-8c61-8da535cabdfc
-creatorsName: cn=admin,{{ re2o_ldap_replica.suffix }}
-createTimestamp: 20150226130856Z
-sambaSID: 500
-uid: Users
-objectClass: posixGroup
-objectClass: top
-objectClass: sambaSamAccount
-objectClass: radiusprofile
-entryCSN: 20150226130950.194154Z#000000#000#000000
-modifiersName: cn=admin,{{ re2o_ldap_replica.suffix }}
-modifyTimestamp: 20150226130950Z
-
-dn: ou=groups,{{ re2o_ldap_replica.suffix }}
-objectClass: organizationalUnit
-description: Groupes d'utilisateurs
-ou: groups
-structuralObjectClass: organizationalUnit
-entryUUID: 986aa1b6-bb86-1035-9a4c-2ff0c800ec24
-creatorsName: cn=admin,{{ re2o_ldap_replica.suffix }}
-createTimestamp: 20160531142039Z
-entryCSN: 20160531142039.780151Z#000000#000#000000
-modifiersName: cn=admin,{{ re2o_ldap_replica.suffix }}
-modifyTimestamp: 20160531142039Z
-
-dn: ou=services,ou=groups,{{ re2o_ldap_replica.suffix }}
-objectClass: organizationalUnit
-description: Groupes de comptes techniques
-ou: services
-structuralObjectClass: organizationalUnit
-entryUUID: cbb56904-bc6a-1035-9fbb-3dc3850d88ba
-creatorsName: cn=admin,{{ re2o_ldap_replica.suffix }}
-createTimestamp: 20160601173411Z
-entryCSN: 20160601173411.088359Z#000000#000#000000
-modifiersName: cn=admin,{{ re2o_ldap_replica.suffix }}
-modifyTimestamp: 20160601173411Z
-
-dn: ou=service-users,{{ re2o_ldap_replica.suffix }}
-objectClass: organizationalUnit
-description: Utilisateurs techniques de l'annuaire
-ou: service-users
-structuralObjectClass: organizationalUnit
-entryUUID: 0e397270-bc6b-1035-9fbd-3dc3850d88ba
-creatorsName: cn=admin,{{ re2o_ldap_replica.suffix }}
-createTimestamp: 20160601173602Z
-entryCSN: 20160601173602.683304Z#000000#000#000000
-modifiersName: cn=admin,{{ re2o_ldap_replica.suffix }}
-modifyTimestamp: 20160601173602Z
-
-dn: cn=freeradius,ou=service-users,{{ re2o_ldap_replica.suffix }}
-objectClass: applicationProcess
-objectClass: simpleSecurityObject
-cn: freeradius
-userPassword: {{ re2o_ldap_replica.root_password_hash }}
-structuralObjectClass: applicationProcess
-entryUUID: 8596e4ec-bc6b-1035-9fbf-3dc3850d88ba
-creatorsName: cn=admin,{{ re2o_ldap_replica.suffix }}
-createTimestamp: 20160601173922Z
-entryCSN: 20160601173922.944598Z#000000#000#000000
-modifiersName: cn=admin,{{ re2o_ldap_replica.suffix }}
-modifyTimestamp: 20160601173922Z
-
-dn: cn=nssauth,ou=service-users,{{ re2o_ldap_replica.suffix }}
-objectClass: applicationProcess
-objectClass: simpleSecurityObject
-cn: nssauth
-structuralObjectClass: applicationProcess
-entryUUID: cfbdadc6-bc6b-1035-9fc4-3dc3850d88ba
-creatorsName: cn=admin,{{ re2o_ldap_replica.suffix }}
-createTimestamp: 20160601174127Z
-userPassword: {{ re2o_ldap_replica.root_password_hash }}
-entryCSN: 20160603093724.770069Z#000000#000#000000
-modifiersName: cn=admin,{{ re2o_ldap_replica.suffix }}
-modifyTimestamp: 20160603093724Z
-
-dn: cn=auth,ou=services,ou=groups,{{ re2o_ldap_replica.suffix }}
-objectClass: groupOfNames
-cn: auth
-member: cn=nssauth,ou=service-users,{{ re2o_ldap_replica.suffix }}
-structuralObjectClass: groupOfNames
-entryUUID: 98524836-bc6d-1035-9fc7-3dc3850d88ba
-creatorsName: cn=admin,{{ re2o_ldap_replica.suffix }}
-createTimestamp: 20160601175413Z
-entryCSN: 20160620005705.309928Z#000000#000#000000
-modifiersName: cn=admin,{{ re2o_ldap_replica.suffix }}
-modifyTimestamp: 20160620005705Z
-
-dn: ou=posix,ou=groups,{{ re2o_ldap_replica.suffix }}
-objectClass: organizationalUnit
-description: Groupes de comptes POSIX
-ou: posix
-structuralObjectClass: organizationalUnit
-entryUUID: fbd89c4a-bdb5-1035-9045-d5a09894d93e
-creatorsName: cn=admin,{{ re2o_ldap_replica.suffix }}
-createTimestamp: 20160603090455Z
-entryCSN: 20160603090455.267192Z#000000#000#000000
-modifiersName: cn=admin,{{ re2o_ldap_replica.suffix }}
-modifyTimestamp: 20160603090455Z
-
-dn: cn=wifi,ou=service-users,{{ re2o_ldap_replica.suffix }}
-objectClass: applicationProcess
-objectClass: simpleSecurityObject
-cn: wifi
-structuralObjectClass: applicationProcess
-entryUUID: 8cc2d1a6-bdc2-1035-9051-d5a09894d93e
-creatorsName: cn=admin,{{ re2o_ldap_replica.suffix }}
-createTimestamp: 20160603103452Z
-userPassword: {{ re2o_ldap_replica.root_password_hash }}
-entryCSN: 20160603103638.682210Z#000000#000#000000
-modifiersName: cn=admin,{{ re2o_ldap_replica.suffix }}
-modifyTimestamp: 20160603103638Z
-
-dn: cn=usermgmt,ou=services,ou=groups,{{ re2o_ldap_replica.suffix }}
-objectClass: groupOfNames
-cn: usermgmt
-structuralObjectClass: groupOfNames
-entryUUID: ec01e206-bdc2-1035-9054-d5a09894d93e
-creatorsName: cn=admin,{{ re2o_ldap_replica.suffix }}
-createTimestamp: 20160603103732Z
-member: cn=wifi,ou=service-users,{{ re2o_ldap_replica.suffix }}
-entryCSN: 20160603103746.897151Z#000000#000#000000
-modifiersName: cn=admin,{{ re2o_ldap_replica.suffix }}
-modifyTimestamp: 20160603103746Z
-
-dn: cn=replica,ou=service-users,{{ re2o_ldap_replica.suffix }}
-objectClass: applicationProcess
-objectClass: simpleSecurityObject
-cn: replica
-structuralObjectClass: applicationProcess
-entryUUID: caef5c54-c0e4-1035-948f-dfe369fe3d4f
-creatorsName: cn=admin,{{ re2o_ldap_replica.suffix }}
-createTimestamp: 20160607101733Z
-userPassword: {{ re2o_ldap_replica.root_password_hash }}
-entryCSN: 20160607101829.424643Z#000000#000#000000
-modifiersName: cn=admin,{{ re2o_ldap_replica.suffix }}
-modifyTimestamp: 20160607101829Z
-
-dn: cn=readonly,ou=services,ou=groups,{{ re2o_ldap_replica.suffix }}
-objectClass: groupOfNames
-cn: readonly
-structuralObjectClass: groupOfNames
-entryUUID: f6bd2366-c0e4-1035-9492-dfe369fe3d4f
-creatorsName: cn=admin,{{ re2o_ldap_replica.suffix }}
-createTimestamp: 20160607101846Z
-member: cn=replica,ou=service-users,{{ re2o_ldap_replica.suffix }}
-member: cn=freeradius,ou=service-users,{{ re2o_ldap_replica.suffix }}
-entryCSN: 20160619214628.287369Z#000000#000#000000
-modifiersName: cn=admin,{{ re2o_ldap_replica.suffix }}
-modifyTimestamp: 20160619214628Z
-
diff --git a/roles/re2o-ldap-replica/templates/ldap/ldap.key.j2 b/roles/re2o-ldap-replica/templates/ldap/ldap.key.j2
deleted file mode 100644
index 1dc6da0ca8f682be4727c0395fb680fad31cbc81..0000000000000000000000000000000000000000
--- a/roles/re2o-ldap-replica/templates/ldap/ldap.key.j2
+++ /dev/null
@@ -1 +0,0 @@
-{{ re2o_ldap_replica.private_key }}
diff --git a/roles/re2o-ldap-replica/templates/ldap/ldap.pem.j2 b/roles/re2o-ldap-replica/templates/ldap/ldap.pem.j2
deleted file mode 100644
index 71d67e1ab8360ed865a8ea1b3868930d25089a1d..0000000000000000000000000000000000000000
--- a/roles/re2o-ldap-replica/templates/ldap/ldap.pem.j2
+++ /dev/null
@@ -1 +0,0 @@
-{{ re2o_ldap_replica.certificate }}
diff --git a/roles/re2o-ldap-replica/handlers/main.yml b/roles/re2o-ldap/handlers/main.yml
similarity index 100%
rename from roles/re2o-ldap-replica/handlers/main.yml
rename to roles/re2o-ldap/handlers/main.yml
diff --git a/roles/re2o-ldap-replica/tasks/main.yml b/roles/re2o-ldap/tasks/main.yml
similarity index 87%
rename from roles/re2o-ldap-replica/tasks/main.yml
rename to roles/re2o-ldap/tasks/main.yml
index 0bcd4c8dbac29cf810ad499c9f07ff25416dfe8e..485cf7ffe87992f648f415d2ac116452cb494a9b 100644
--- a/roles/re2o-ldap-replica/tasks/main.yml
+++ b/roles/re2o-ldap/tasks/main.yml
@@ -58,8 +58,7 @@
   loop:
     - db
     - schema
-    - consumer_simple_sync
-    - certinfo
+    - replication
 
 - name: Initialize re2o-ldap schema
   when: not installation.stat.exists
@@ -78,8 +77,8 @@
     state: started
 
 - name: Enable data replication
-  when: not installation.stat.exists
-  shell: ldapadd -Q -Y EXTERNAL -H ldapi:/// -f /var/lib/slapd/consumer_simple_sync.ldif
+  when: not installation.stat.exists and re2o_ldap.replica is defined
+  shell: ldapadd -Q -Y EXTERNAL -H ldapi:/// -f /var/lib/slapd/replication.ldif
 
 # LDAPS configuration
 - name: Copy TLS certificate
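Review bot: The file consumed by the `shell` line, `/var/lib/slapd/replication.ldif`, carries the replication bind password in clear (`credentials=` in the template), so the template task that writes it — in the loop above, outside this hunk — should set a restrictive mode, e.g. `mode: "0600"` with root ownership, and the file could be removed once `ldapadd` has consumed it. The `ldapadd` invocation uses no shell features, so `command: ldapadd -Q -Y EXTERNAL -H ldapi:/// -f /var/lib/slapd/replication.ldif` is the idiomatic module here.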
@@ -93,17 +92,13 @@
     - ldap.pem
     - ldap.key
 
-- name: Load TLS certificates
-  when: not installation.stat.exists
-  shell: ldapmodify -Y EXTERNAL -H ldapi:/// -f /var/lib/slapd/certinfo.ldif
-
 - name: Enable LDAPS
   lineinfile:
     path: /etc/default/slapd
     regexp: '^SLAPD_SERVICES='
     line: 'SLAPD_SERVICES="ldap:/// ldaps:/// ldapi:///"'
   notify: Restart slapd
-  check_mode: false
+  when: not ansible_check_mode
 
 - name: Touch installation marker
   when: not installation.stat.exists
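Review bot: `when: not ansible_check_mode` on `Enable LDAPS` skips the task entirely under `--check`, so a dry run no longer reports whether `SLAPD_SERVICES` would change. `lineinfile` supports check mode natively, and the removed `check_mode: false` was the opposite extreme (write even during a dry run), so the cleanest fix is to drop the guard line altogether and keep only `notify: Restart slapd`.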
diff --git a/roles/re2o-ldap/templates/ldap/db.ldif.j2 b/roles/re2o-ldap/templates/ldap/db.ldif.j2
new file mode 100644
index 0000000000000000000000000000000000000000..0181c093c918888cba435733144a6696702f3049
--- /dev/null
+++ b/roles/re2o-ldap/templates/ldap/db.ldif.j2
@@ -0,0 +1,104 @@
+{{ ansible_header | comment }}
+
+# This file comes from the installation of Re2o
+# https://gitlab.federez.net/re2o/re2o/-/blob/master/install_utils/db.ldiff
+
+dn: {{ re2o_ldap.suffix }}
+o: rezo
+structuralObjectClass: organization
+description: ldap
+objectClass: top
+objectClass: dcObject
+objectClass: organization
+contextCSN: 20161004233332.689769Z#000000#000#000000
+
+dn: cn=admin,{{ re2o_ldap.suffix }}
+objectClass: simpleSecurityObject
+objectClass: organizationalRole
+cn: admin
+structuralObjectClass: organizationalRole
+description:: TERBUCBhZG1pbmlzdHJhdG9yDQo=
+userPassword: {{ re2o_ldap.root_password_hash }}
+
+dn: cn=Utilisateurs,{{ re2o_ldap.suffix }}
+gidNumber: 500
+cn: Utilisateurs
+structuralObjectClass: posixGroup
+sambaSID: 500
+uid: Users
+objectClass: posixGroup
+objectClass: top
+objectClass: sambaSamAccount
+objectClass: radiusprofile
+
+dn: ou=groups,{{ re2o_ldap.suffix }}
+objectClass: organizationalUnit
+description: Groupes d'utilisateurs
+ou: groups
+structuralObjectClass: organizationalUnit
+
+dn: ou=services,ou=groups,{{ re2o_ldap.suffix }}
+objectClass: organizationalUnit
+description: Groupes de comptes techniques
+ou: services
+structuralObjectClass: organizationalUnit
+
+dn: ou=service-users,{{ re2o_ldap.suffix }}
+objectClass: organizationalUnit
+description: Utilisateurs techniques de l'annuaire
+ou: service-users
+structuralObjectClass: organizationalUnit
+
+dn: cn=freeradius,ou=service-users,{{ re2o_ldap.suffix }}
+objectClass: applicationProcess
+objectClass: simpleSecurityObject
+cn: freeradius
+userPassword: {{ re2o_ldap.root_password_hash }}
+structuralObjectClass: applicationProcess
+
+dn: cn=nssauth,ou=service-users,{{ re2o_ldap.suffix }}
+objectClass: applicationProcess
+objectClass: simpleSecurityObject
+cn: nssauth
+structuralObjectClass: applicationProcess
+userPassword: {{ re2o_ldap.root_password_hash }}
+
+dn: cn=auth,ou=services,ou=groups,{{ re2o_ldap.suffix }}
+objectClass: groupOfNames
+cn: auth
+member: cn=nssauth,ou=service-users,{{ re2o_ldap.suffix }}
+structuralObjectClass: groupOfNames
+
+dn: ou=posix,ou=groups,{{ re2o_ldap.suffix }}
+objectClass: organizationalUnit
+description: Groupes de comptes POSIX
+ou: posix
+structuralObjectClass: organizationalUnit
+
+dn: cn=wifi,ou=service-users,{{ re2o_ldap.suffix }}
+objectClass: applicationProcess
+objectClass: simpleSecurityObject
+cn: wifi
+structuralObjectClass: applicationProcess
+userPassword: {{ re2o_ldap.root_password_hash }}
+
+dn: cn=usermgmt,ou=services,ou=groups,{{ re2o_ldap.suffix }}
+objectClass: groupOfNames
+cn: usermgmt
+structuralObjectClass: groupOfNames
+member: cn=wifi,ou=service-users,{{ re2o_ldap.suffix }}
+
+dn: cn=replica,ou=service-users,{{ re2o_ldap.suffix }}
+objectClass: applicationProcess
+objectClass: simpleSecurityObject
+cn: replica
+structuralObjectClass: applicationProcess
+userPassword: {{ re2o_ldap.root_password_hash }}
+
+dn: cn=readonly,ou=services,ou=groups,{{ re2o_ldap.suffix }}
+objectClass: groupOfNames
+cn: readonly
+structuralObjectClass: groupOfNames
+member: cn=replica,ou=service-users,{{ re2o_ldap.suffix }}
+member: cn=freeradius,ou=service-users,{{ re2o_ldap.suffix }}
+
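Review bot: Every service account in this file (`cn=freeradius`, `cn=nssauth`, `cn=wifi`, `cn=replica`) gets `userPassword: {{ re2o_ldap.root_password_hash }}`, the same hash as `cn=admin`, so any single service credential is equivalent to the directory root credential and the `readonly`/`auth`/`usermgmt` group split provides no real separation. The pattern is carried over from the deleted replica template, but the new file is the place to give each account its own vault value, e.g. `userPassword: {{ re2o_ldap.service_password_hashes.freeradius }}` (constructed key name, to be added to `group_vars`).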
diff --git a/roles/re2o-ldap/templates/ldap/ldap.key.j2 b/roles/re2o-ldap/templates/ldap/ldap.key.j2
new file mode 100644
index 0000000000000000000000000000000000000000..007496f0db3034a985a4a582c7e7775471cb2e94
--- /dev/null
+++ b/roles/re2o-ldap/templates/ldap/ldap.key.j2
@@ -0,0 +1 @@
+{{ re2o_ldap.private_key }}
diff --git a/roles/re2o-ldap/templates/ldap/ldap.pem.j2 b/roles/re2o-ldap/templates/ldap/ldap.pem.j2
new file mode 100644
index 0000000000000000000000000000000000000000..853d78b66c41355cb2ef4ea9d378c09e5666a148
--- /dev/null
+++ b/roles/re2o-ldap/templates/ldap/ldap.pem.j2
@@ -0,0 +1 @@
+{{ re2o_ldap.certificate }}
diff --git a/roles/re2o-ldap-replica/templates/ldap/consumer_simple_sync.ldif.j2 b/roles/re2o-ldap/templates/ldap/replication.ldif.j2
similarity index 53%
rename from roles/re2o-ldap-replica/templates/ldap/consumer_simple_sync.ldif.j2
rename to roles/re2o-ldap/templates/ldap/replication.ldif.j2
index f15a81dfcde86af2b4cce00ee9612bdaa96a642b..7b74785ccc8a55672f61b4b1296c8203402c4116 100644
--- a/roles/re2o-ldap-replica/templates/ldap/consumer_simple_sync.ldif.j2
+++ b/roles/re2o-ldap/templates/ldap/replication.ldif.j2
@@ -1,14 +1,15 @@
 {{ ansible_header | comment }}
 
+{% if re2o_ldap.replica is defined %}
 dn: olcDatabase={1}hdb,cn=config
 changetype: modify
 add: olcSyncrepl
 olcSyncrepl: rid=1
-        provider={{ re2o_ldap_replica.url }}
+        provider={{ re2o_ldap.url }}
         bindmethod=simple
-        binddn="cn={{ re2o_ldap_replica.replicator.username }},{{ re2o_ldap_replica.suffix }}"
-        credentials={{ re2o_ldap_replica.replicator.password }}
-        searchbase="{{ re2o_ldap_replica.suffix }}"
+        binddn="cn={{ re2o_ldap.replica.username }},{{ re2o_ldap.suffix }}"
+        credentials={{ re2o_ldap.replica.password }}
+        searchbase="{{ re2o_ldap.suffix }}"
         scope=sub
         schemachecking=on
         type=refreshAndPersist
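Review bot: `credentials={{ re2o_ldap.replica.password }}` is inserted unquoted into the `olcSyncrepl` parameter list, so a password containing a space or `"` breaks the syncrepl statement silently; quote it the way `binddn` and `searchbase` already are, `credentials="{{ re2o_ldap.replica.password }}"`. The `{% if %}` opened here closes in the next hunk, so on a host without `replica` the rendered file holds only the header comment.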
@@ -18,4 +19,5 @@ olcSyncrepl: rid=1
         tls_reqcert=allow
 -
 add: olcUpdateRef
-olcUpdateRef: {{ re2o_ldap_replica.url }}
+olcUpdateRef: {{ re2o_ldap.url }}
+{% endif %}
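Review bot: `tls_reqcert=allow` (context line above `olcUpdateRef`) makes the consumer accept any certificate presented by the provider, so the bind password on `credentials=` travels over a TLS session whose peer is never verified. With the server certificate already managed through vault, `tls_reqcert=demand` together with a `tls_cacert=` pointing at the issuing CA is the expected setting for the `ldaps://` provider URL; `olcUpdateRef` reuses that URL as the referral returned to writers, so it should stay in step.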
diff --git a/roles/re2o-ldap-replica/templates/ldap/schema.ldif.j2 b/roles/re2o-ldap/templates/ldap/schema.ldif.j2
similarity index 92%
rename from roles/re2o-ldap-replica/templates/ldap/schema.ldif.j2
rename to roles/re2o-ldap/templates/ldap/schema.ldif.j2
index 564a2380019de15108f703b066c946d2e39593af..036ab3afd2ab27ec043e40096ecd34f1a5386011 100644
--- a/roles/re2o-ldap-replica/templates/ldap/schema.ldif.j2
+++ b/roles/re2o-ldap/templates/ldap/schema.ldif.j2
@@ -13,13 +13,9 @@ olcSaslHost: 127.0.0.1
 olcSaslSecProps: none
 olcToolThreads: 1
 structuralObjectClass: olcGlobal
-entryUUID: fc8ef918-514b-1034-9c2c-0faf5bc7ead5
-creatorsName: cn=config
-createTimestamp: 20150225150906Z
-entryCSN: 20150930214326.686146Z#000000#000#000000
-modifiersName: cn=admin,cn=config
-modifyTimestamp: 20150930214326Z
 contextCSN: 20160619215244.315124Z#000000#000#000000
+olcTLSCertificateFile: /etc/ldap/ldap.pem
+olcTLSCertificateKeyFile: /etc/ldap/ldap.key
 
 dn: cn=module{0},cn=config
 objectClass: olcModuleList
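Review bot: `olcTLSCertificateFile: /etc/ldap/ldap.pem` and `olcTLSCertificateKeyFile: /etc/ldap/ldap.key` are now part of the configuration loaded at initialisation, but in `roles/re2o-ldap/tasks/main.yml` the `Copy TLS certificate` task that writes those two files runs after the service is started. If slapd refuses to start on a fresh host when the configured key file is absent, the copy task needs to move above `Initialize re2o-ldap schema`; worth confirming with a clean install before relying on this ordering.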
@@ -28,23 +24,11 @@ olcModulePath: /usr/lib/ldap
 olcModuleLoad: {0}back_hdb
 olcModuleLoad: {1}syncprov
 structuralObjectClass: olcModuleList
-entryUUID: fc8f8478-514b-1034-9c34-0faf5bc7ead5
-creatorsName: cn=admin,cn=config
-createTimestamp: 20150225150906Z
-entryCSN: 20150305013830.870926Z#000000#000#000000
-modifiersName: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
-modifyTimestamp: 20150305013830Z
 
 dn: cn=schema,cn=config
 objectClass: olcSchemaConfig
 cn: schema
 structuralObjectClass: olcSchemaConfig
-entryUUID: fc8f0ef8-514b-1034-9c2f-0faf5bc7ead5
-creatorsName: cn=admin,cn=config
-createTimestamp: 20150225150906Z
-entryCSN: 20150225150906.558504Z#000000#000#000000
-modifiersName: cn=admin,cn=config
-modifyTimestamp: 20150225150906Z
 
 dn: cn={0}core,cn=schema,cn=config
 objectClass: olcSchemaConfig
@@ -286,12 +270,6 @@ olcObjectClasses: {25}( 1.3.6.1.4.1.1466.344 NAME 'dcObject' DESC 'RFC2247:
 olcObjectClasses: {26}( 1.3.6.1.1.3.1 NAME 'uidObject' DESC 'RFC2377: uid ob
  ject' SUP top AUXILIARY MUST uid )
 structuralObjectClass: olcSchemaConfig
-entryUUID: fc8f1d30-514b-1034-9c30-0faf5bc7ead5
-creatorsName: cn=admin,cn=config
-createTimestamp: 20150225150906Z
-entryCSN: 20150225150906.558865Z#000000#000#000000
-modifiersName: cn=admin,cn=config
-modifyTimestamp: 20150225150906Z
 
 dn: cn={1}cosine,cn=schema,cn=config
 objectClass: olcSchemaConfig
@@ -463,12 +441,6 @@ olcObjectClasses: {12}( 0.9.2342.19200300.100.4.22 NAME 'qualityLabelledData
  ' SUP top AUXILIARY MUST dsaQuality MAY ( subtreeMinimumQuality $ subtreeMa
  ximumQuality ) )
 structuralObjectClass: olcSchemaConfig
-entryUUID: fc8f49fe-514b-1034-9c31-0faf5bc7ead5
-creatorsName: cn=admin,cn=config
-createTimestamp: 20150225150906Z
-entryCSN: 20150225150906.560014Z#000000#000#000000
-modifiersName: cn=admin,cn=config
-modifyTimestamp: 20150225150906Z
 
 dn: cn={2}nis,cn=schema,cn=config
 objectClass: olcSchemaConfig
@@ -570,12 +542,6 @@ olcObjectClasses: {12}( 1.3.6.1.1.1.2.12 NAME 'bootableDevice' DESC 'A devic
  e with boot parameters' SUP top AUXILIARY MAY ( bootFile $ bootParameter ) 
  )
 structuralObjectClass: olcSchemaConfig
-entryUUID: fc8f6894-514b-1034-9c32-0faf5bc7ead5
-creatorsName: cn=admin,cn=config
-createTimestamp: 20150225150906Z
-entryCSN: 20150225150906.560798Z#000000#000#000000
-modifiersName: cn=admin,cn=config
-modifyTimestamp: 20150225150906Z
 
 dn: cn={3}inetorgperson,cn=schema,cn=config
 objectClass: olcSchemaConfig
@@ -618,12 +584,6 @@ olcObjectClasses: {0}( 2.16.840.1.113730.3.2.2 NAME 'inetOrgPerson' DESC 'RF
  r $ photo $ roomNumber $ secretary $ uid $ userCertificate $ x500uniqueIden
  tifier $ preferredLanguage $ userSMIMECertificate $ userPKCS12 ) )
 structuralObjectClass: olcSchemaConfig
-entryUUID: fc8f7bf4-514b-1034-9c33-0faf5bc7ead5
-creatorsName: cn=admin,cn=config
-createTimestamp: 20150225150906Z
-entryCSN: 20150225150906.561294Z#000000#000#000000
-modifiersName: cn=admin,cn=config
-modifyTimestamp: 20150225150906Z
 
 dn: cn={4}samba,cn=schema,cn=config
 objectClass: olcSchemaConfig
@@ -845,12 +805,6 @@ olcObjectClasses: {11}( 1.3.6.1.4.1.7165.2.2.16 NAME 'sambaTrustedDomain' DE
  mbaFlatName $ sambaTrustAuthOutgoing $ sambaTrustAuthIncoming $ sambaSecuri
  tyIdentifier $ sambaTrustForestTrustInfo ) )
 structuralObjectClass: olcSchemaConfig
-entryUUID: 677ff3fa-51fe-1034-95ae-1d2624d4874d
-creatorsName: cn=config
-createTimestamp: 20150226122616Z
-entryCSN: 20150226122616.391238Z#000000#000#000000
-modifiersName: cn=config
-modifyTimestamp: 20150226122616Z
 
 dn: cn={5}radius,cn=schema,cn=config
 objectClass: olcSchemaConfig
@@ -1046,23 +1000,11 @@ olcObjectClasses: {0}( 1.3.6.1.4.1.3317.4.3.2.1 NAME 'radiusprofile' DESC ''
  ateGroupId $ radiusTunnelServerEndpoint $ radiusTunnelType $ radiusUserCate
  gory $ radiusVSA $ radiusExpiration $ dialupAccess ) )
 structuralObjectClass: olcSchemaConfig
-entryUUID: 6cc08fcc-51ff-1034-9b54-ebb8a280e8d5
-creatorsName: cn=config
-createTimestamp: 20150226123334Z
-entryCSN: 20150911222512.172657Z#000000#000#000000
-modifiersName: cn=admin,cn=config
-modifyTimestamp: 20150911222512Z
 
 dn: olcBackend={0}hdb,cn=config
 objectClass: olcBackendConfig
 olcBackend: {0}hdb
 structuralObjectClass: olcBackendConfig
-entryUUID: fc8f9bf2-514b-1034-9c35-0faf5bc7ead5
-creatorsName: cn=admin,cn=config
-createTimestamp: 20150225150906Z
-entryCSN: 20150225150906.562113Z#000000#000#000000
-modifiersName: cn=admin,cn=config
-modifyTimestamp: 20150225150906Z
 
 dn: olcDatabase={-1}frontend,cn=config
 objectClass: olcDatabaseConfig
@@ -1074,12 +1016,6 @@ olcAccess: {1}to dn.exact="" by * read
 olcAccess: {2}to dn.base="cn=Subschema" by * read
 olcSizeLimit: 5000
 structuralObjectClass: olcDatabaseConfig
-entryUUID: fc8f0016-514b-1034-9c2d-0faf5bc7ead5
-creatorsName: cn=config
-createTimestamp: 20150225150906Z
-entryCSN: 20150225150906.558122Z#000000#000#000000
-modifiersName: cn=config
-modifyTimestamp: 20150225150906Z
 
 dn: olcDatabase={0}config,cn=config
 objectClass: olcDatabaseConfig
@@ -1087,63 +1023,66 @@ olcDatabase: {0}config
 olcAccess: {0}to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=extern
  al,cn=auth manage by * break
 olcRootDN: cn=config
-olcRootPW: {{ re2o_ldap_replica.root_password_hash }}
+olcRootPW: {{ re2o_ldap.root_password_hash }}
 structuralObjectClass: olcDatabaseConfig
-entryUUID: fc8f0930-514b-1034-9c2e-0faf5bc7ead5
-creatorsName: cn=config
-createTimestamp: 20150225150906Z
-entryCSN: 20160604011429.596188Z#000000#000#000000
-modifiersName: cn=config
-modifyTimestamp: 20160604011429Z
 
 dn: olcOverlay={0}syncprov,olcDatabase={0}config,cn=config
 objectClass: olcOverlayConfig
 objectClass: olcSyncProvConfig
 olcOverlay: {0}syncprov
 structuralObjectClass: olcSyncProvConfig
-entryUUID: 78e96750-c0e5-1035-9495-dfe369fe3d4f
-creatorsName: cn=config
-createTimestamp: 20160607102224Z
-entryCSN: 20160607102224.927072Z#000000#000#000000
-modifiersName: cn=config
-modifyTimestamp: 20160607102224Z
 
 dn: olcDatabase={1}hdb,cn=config
 objectClass: olcDatabaseConfig
 objectClass: olcHdbConfig
 olcDatabase: {1}hdb
 olcDbDirectory: /var/lib/ldap
-olcSuffix: {{ re2o_ldap_replica.suffix }}
-olcAccess: {0}to attrs=userPassword,sambaNTPassword,mail by self write by an
- onymous auth by dn="cn=admin,{{ re2o_ldap_replica.suffix }}" write by group="cn
- =readonly,ou=services,ou=groups,{{ re2o_ldap_replica.suffix }}" read by group="
- cn=usermgmt,ou=services,ou=groups,{{ re2o_ldap_replica.suffix }}" write by * no
- ne
-olcAccess: {1}to attrs=shadowLastChange,gecos,loginShell by self write by an
- onymous auth by dn="cn=admin,{{ re2o_ldap_replica.suffix }}" write by group="cn
- =readonly,ou=services,ou=groups,{{ re2o_ldap_replica.suffix }}" read by group="
- cn=auth,ou=services,ou=groups,{{ re2o_ldap_replica.suffix }}" read by group="cn
- =usermgmt,ou=services,ou=groups,{{ re2o_ldap_replica.suffix }}" write by * none
-olcAccess: {2}to dn.base="" by * read
-olcAccess: {3}to dn.sub="ou=groups,{{ re2o_ldap_replica.suffix }}" by group="cn=
- auth,ou=services,ou=groups,{{ re2o_ldap_replica.suffix }}" read by group="cn=re
- adonly,ou=services,ou=groups,{{ re2o_ldap_replica.suffix }}" read
-olcAccess: {4}to dn.base="cn=Utilisateurs,{{ re2o_ldap_replica.suffix }}" by * read
-olcAccess: {5}to dn.sub="cn=Utilisateurs,{{ re2o_ldap_replica.suffix }}" by grou
- p="cn=auth,ou=services,ou=groups,{{ re2o_ldap_replica.suffix }}" read by self r
- ead by group="cn=readonly,ou=services,ou=groups,{{ re2o_ldap_replica.suffix }}"
-  read by group="cn=usermgmt,ou=services,ou=groups,dc=example,dc=or
- g" write
-olcAccess: {6}to dn.sub="ou=service-users,{{ re2o_ldap_replica.suffix }}" by gro
- up="cn=auth,ou=services,ou=groups,{{ re2o_ldap_replica.suffix }}" read by group
- ="cn=readonly,ou=services,ou=groups,{{ re2o_ldap_replica.suffix }}" read
-olcAccess: {7}to dn.base="{{ re2o_ldap_replica.suffix }}" by * read
-olcAccess: {8}to * by dn="cn=admin,{{ re2o_ldap_replica.suffix }}" write by self
-  read by group="cn=readonly,ou=services,ou=groups,dc=example,dc=or
- g" read
+olcSuffix: {{ re2o_ldap.suffix }}
+olcAccess: {0}to attrs=userPassword,sambaNTPassword,mail
+        by set="[cn=nounou,ou=posix,ou=groups,dc=crans,dc=org]/memberUid & user/uid" write
+        by self write
+        by anonymous auth
+        by dn="cn=admin,{{ re2o_ldap.suffix }}" write
+        by group="cn=readonly,ou=services,ou=groups,{{ re2o_ldap.suffix }}" read
+        by group="cn=usermgmt,ou=services,ou=groups,{{ re2o_ldap.suffix }}" write
+        by * none
+olcAccess: {1}to attrs=shadowLastChange,gecos,loginShell
+        by set="[cn=nounou,ou=posix,ou=groups,dc=crans,dc=org]/memberUid & user/uid" write
+        by self write
+        by anonymous auth
+        by dn="cn=admin,{{ re2o_ldap.suffix }}" write
+        by group="cn=readonly,ou=services,ou=groups,{{ re2o_ldap.suffix }}" read
+        by group="cn=auth,ou=services,ou=groups,{{ re2o_ldap.suffix }}" read
+        by group="cn=usermgmt,ou=services,ou=groups,{{ re2o_ldap.suffix }}" write
+        by * none
+olcAccess: {2}to dn.base=""
+        by * read
+olcAccess: {3}to dn.sub="ou=groups,{{ re2o_ldap.suffix }}"
+        by set="[cn=nounou,ou=posix,ou=groups,dc=crans,dc=org]/memberUid & user/uid" write
+        by group="cn=auth,ou=services,ou=groups,{{ re2o_ldap.suffix }}" read
+        by group="cn=readonly,ou=services,ou=groups,{{ re2o_ldap.suffix }}" read
+olcAccess: {4}to dn.base="cn=Utilisateurs,{{ re2o_ldap.suffix }}"
+        by * read
+olcAccess: {5}to dn.sub="cn=Utilisateurs,{{ re2o_ldap.suffix }}"
+        by group="cn=auth,ou=services,ou=groups,{{ re2o_ldap.suffix }}" read
+        by set="[cn=nounou,ou=posix,ou=groups,dc=crans,dc=org]/memberUid & user/uid" write
+        by self read
+        by group="cn=readonly,ou=services,ou=groups,{{ re2o_ldap.suffix }}" read
+        by group="cn=usermgmt,ou=services,ou=groups,{{ re2o_ldap.suffix }}" write
+olcAccess: {6}to dn.sub="ou=service-users,{{ re2o_ldap.suffix }}"
+        by set="[cn=nounou,ou=posix,ou=groups,dc=crans,dc=org]/memberUid & user/uid" write
+        by group="cn=auth,ou=services,ou=groups,{{ re2o_ldap.suffix }}" read
+        by group="cn=readonly,ou=services,ou=groups,{{ re2o_ldap.suffix }}" read
+olcAccess: {7}to dn.base="{{ re2o_ldap.suffix }}"
+        by * read
+olcAccess: {8}to *
+        by set="[cn=nounou,ou=posix,ou=groups,dc=crans,dc=org]/memberUid & user/uid" write
+        by dn="cn=admin,{{ re2o_ldap.suffix }}" write
+        by self read
+        by group="cn=readonly,ou=services,ou=groups,{{ re2o_ldap.suffix }}" read
 olcLastMod: TRUE
-olcRootDN: cn=admin,{{ re2o_ldap_replica.suffix }}
-olcRootPW: {{ re2o_ldap_replica.root_password_hash }}
+olcRootDN: cn=admin,{{ re2o_ldap.suffix }}
+olcRootPW: {{ re2o_ldap.root_password_hash }}
 olcDbCheckpoint: 512 30
 olcDbConfig: {0}set_cachesize 0 2097152 0
 olcDbConfig: {1}set_lk_max_objects 1500
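Review bot: The six `by set="[cn=nounou,ou=posix,ou=groups,dc=crans,dc=org]/memberUid & user/uid" write` clauses hardcode `dc=crans,dc=org` while every other DN in this template uses `{{ re2o_ldap.suffix }}`, so a deployment with a different suffix silently loses the nounou write access (the set resolves to an empty entry and the clause never matches). Replace each with `by set="[cn=nounou,ou=posix,ou=groups,{{ re2o_ldap.suffix }}]/memberUid & user/uid" write`. A single `{% set nounou_set = ... %}` at the top of the template would keep the nine ACLs in step and make the privilege grant easier to audit.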
@@ -1164,12 +1103,6 @@ olcDbIndex: entryUUID eq
 olcDbIndex: radiusCallingStationId eq
 olcSizeLimit: 50000
 structuralObjectClass: olcHdbConfig
-entryUUID: fc8fa138-514b-1034-9c36-0faf5bc7ead5
-creatorsName: cn=admin,cn=config
-createTimestamp: 20150225150906Z
-entryCSN: 20160619215244.315124Z#000000#000#000000
-modifiersName: cn=config
-modifyTimestamp: 20160619215244Z
 
 dn: olcOverlay={0}syncprov,olcDatabase={1}hdb,cn=config
 objectClass: olcOverlayConfig
@@ -1179,10 +1112,4 @@ olcSpCheckpoint: 100 10
 olcSpSessionlog: 100
 olcSpNoPresent: TRUE
 structuralObjectClass: olcSyncProvConfig
-entryUUID: 12c7a6f2-5724-1034-94b5-dd13061b01b4
-creatorsName: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
-createTimestamp: 20150305013830Z
-entryCSN: 20160607103125.521039Z#000000#000#000000
-modifiersName: cn=config
-modifyTimestamp: 20160607103125Z