diff --git a/roles/ldapauth/files/ldap.conf b/roles/ldapauth/files/ldap.conf
new file mode 100644
index 0000000..f2d7580
--- /dev/null
+++ b/roles/ldapauth/files/ldap.conf
@@ -0,0 +1,13 @@
+#
+# LDAP Defaults
+#
+
+# See ldap.conf(5) for details
+# This file should be world readable but not world writable.
+
+BASE dc=lovelynet,dc=net
+URI ldap://ipa.lovelynet.net
+
+#SIZELIMIT 12
+#TIMELIMIT 15
+#DEREF never
diff --git a/roles/ldapauth/tasks/install.yml b/roles/ldapauth/tasks/install.yml
new file mode 100644
index 0000000..ed320d5
--- /dev/null
+++ b/roles/ldapauth/tasks/install.yml
@@ -0,0 +1,35 @@
+---
+- name: Openldap is installed and up to date (rhel)
+  ansible.builtin.yum:
+    name: "{{ item }}"
+    state: latest
+  loop:
+    - openldap
+    - openldap-clients
+    - nss-pam-ldapd
+  tags:
+    - setup
+  when: ansible_distribution == 'CentOS' or ansible_distribution == 'RedHat' or ansible_distribution == 'AlmaLinux'
+
+- name: Openldap is installed and up to date (debian)
+  ansible.builtin.apt:
+    name: "{{ item }}"
+    state: present
+    update_cache: true
+  loop:
+    - openldap
+    - nss-pam-ldapd
+  tags:
+    - setup
+  when: ansible_distribution == 'Debian' or ansible_distribution == 'Ubuntu'
+
+- name: Openldap is installed and up to date (arch)
+  community.general.pacman:
+    name: "{{ item }}"
+    state: present
+  loop:
+    - openldap
+    - nss-pam-ldapd
+  tags:
+    - setup
+  when: ansible_distribution == 'Archlinux'
diff --git a/roles/ldapauth/tasks/main.yml b/roles/ldapauth/tasks/main.yml
new file mode 100644
index 0000000..87954c3
--- /dev/null
+++ b/roles/ldapauth/tasks/main.yml
@@ -0,0 +1,28 @@
+---
+
+- name: Install openldap
+  ansible.builtin.include_tasks:
+    file: install.yml
+    apply:
+      tags:
+        - setup
+  tags:
+    - setup
+
+- name: Copy config file
+  ansible.builtin.include_tasks:
+    file: sync_conf.yml
+    apply:
+      tags:
+        - setup
+  tags:
+    - setup
+
+- name: Modify nsswitch conf
+  ansible.builtin.include_tasks:
+    file: update_nss.yml
+    apply:
+      tags:
+        - setup
+  tags:
+    - setup
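Review bot: `URI ldap://ipa.lovelynet.net` points the libldap clients at a cleartext endpoint and the file sets no TLS options, so anything that binds through this configuration (ldapsearch, ldappasswd, or a library relying on the defaults) sends bind credentials and directory data unencrypted unless the caller requests StartTLS itself. If the directory server offers TLS, prefer `URI ldaps://ipa.lovelynet.net` together with `TLS_CACERT <path-to-ca-bundle>` and `TLS_REQCERT demand`, all documented in ldap.conf(5), so certificate verification is not left to per-tool flags. The commented-out `SIZELIMIT`/`TIMELIMIT`/`DEREF` lines are dead config carried over from the distribution template and can be dropped.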
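Review bot: The RHEL task uses `state: latest` while the Debian and Arch tasks use `state: present`, so a run on a RHEL host pulls upgrades and reports changed every time, which is non-idempotent and inconsistent with the other two tasks; use `state: present` in all three. Looping `name: "{{ item }}"` over single packages is also unnecessary, since `ansible.builtin.yum`, `ansible.builtin.apt` and `community.general.pacman` all accept a list under `name`, which resolves the set in one transaction and removes the `loop`. As far as I know Debian and Ubuntu do not ship a package called `openldap` (the client tools live in `ldap-utils`), so the apt task looks like it would fail on those distributions; worth confirming against the target release. The three `when` clauses could be collapsed into a single task keyed on `ansible_os_family`, or `ansible.builtin.package` with a per-family package variable, but that is optional.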
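Review bot: Every include repeats the same `tags: [setup]` twice, once on the include and again under `apply`, which is the boilerplate `include_tasks` needs so that `--tags setup` both reaches the include and runs the included tasks. Nothing here is conditional or looped, so `ansible.builtin.import_tasks: install.yml` (and likewise for the other two) would give the same result with tags inherited statically and no `apply` block, halving each task. If the dynamic include is intentional, a short comment above the first task such as `# include_tasks (not import_tasks) so the file list can become dynamic; apply.tags is required for --tags to reach the included tasks` would stop the next reader from "simplifying" it.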
diff --git a/roles/ldapauth/tasks/sync_conf.yml b/roles/ldapauth/tasks/sync_conf.yml
new file mode 100644
index 0000000..1b48bbf
--- /dev/null
+++ b/roles/ldapauth/tasks/sync_conf.yml
@@ -0,0 +1,7 @@
+---
+- name: Copy over ldap conf
+  ansible.builtin.copy:
+    src: ldap.conf
+    dest: /etc/openldap/ldap.conf
+  tags:
+    - setup
diff --git a/roles/ldapauth/tasks/sync_conf.yml.bak b/roles/ldapauth/tasks/sync_conf.yml.bak
new file mode 100644
index 0000000..56d05eb
--- /dev/null
+++ b/roles/ldapauth/tasks/sync_conf.yml.bak
@@ -0,0 +1,7 @@
+---
+- name: fuck
+  ansible.builtin.file:
+    - src: ldap.conf
+    - dst: /etc/openldap/ldap.conf
+  tags:
+    - setup
diff --git a/roles/ldapauth/tasks/update_nss.yml b/roles/ldapauth/tasks/update_nss.yml
new file mode 100644
index 0000000..65c45ac
--- /dev/null
+++ b/roles/ldapauth/tasks/update_nss.yml
@@ -0,0 +1,12 @@
+---
+- name: Update NSSWITCH
+  ansible.builtin.shell:
+    cmd: grep '^{{ item }}.*ldap' /etc/nsswitch.conf && exit 0 || sed -i '/{{ item }}/ s/$/ ldap/' /etc/nsswitch.conf
+  register: nssdata
+  tags:
+    - setup
+  loop:
+    - passwd
+    - shadow
+    - group
+  changed_when: "nssdata.stdout_lines|length == 0"
diff --git a/run.yml b/run.yml
index 3bc669f..825192b 100644
--- a/run.yml
+++ b/run.yml
@@ -3,4 +3,5 @@
   roles:
     - update
     - sync
+    - ldapauth
     - benssanity
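Review bot: The copy task sets no `owner`, `group` or `mode`, so the permissions of `/etc/openldap/ldap.conf` depend on the remote umask even though the shipped file's own header says it must be world-readable but not world-writable; add `owner: root`, `group: root` and `mode: "0644"` (quoted, so YAML does not read the octal as an integer). `dest: /etc/openldap/ldap.conf` is the RHEL/Arch location; Debian and Ubuntu, which install.yml explicitly targets, read `/etc/ldap/ldap.conf` and may not have `/etc/openldap` at all, so the task would either fail or write an unused file there, and a per-family `dest` variable is needed. Separately, this file only configures the libldap client tools: `nss-pam-ldapd`, which update_nss.yml relies on, reads `/etc/nslcd.conf` and needs the `nslcd` service enabled, and neither is handled anywhere in the role as shown, so the NSS lookups enabled later would point at an unconfigured daemon.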
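Review bot: `roles/ldapauth/tasks/sync_conf.yml.bak` is an editor backup of the task file and should not be committed: Ansible will not load it, its task name does not belong in a repository, and its body passes a list to `ansible.builtin.file`, which takes a mapping, so it would fail the moment anyone renamed it back. Drop the file from the commit and, if useful, add `*.bak` to the project's `.gitignore`.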
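Review bot: The sed address `/{{ item }}/` is unanchored while the grep guard is anchored with `^`, so for `shadow` the sed also rewrites a `gshadow:` line if the target's nsswitch.conf has one (some distributions ship it), leaving `gshadow: files ldap`, which nslcd does not serve; anchor both sides the same way, `sed -i '/^{{ item }}:/ s/$/ ldap/' /etc/nsswitch.conf`. The grep-then-sed pipeline is also reimplementing what `ansible.builtin.lineinfile` with `backrefs: true` does natively and idempotently, which removes the `register`/`changed_when` pairing and gives a real diff in check mode; a sketch is below. Whichever form is kept, `/etc/nsswitch.conf` is edited in place with no backup, so `backup: true` (lineinfile) is worth adding, and a comment above the task such as `# Append 'ldap' to the passwd/shadow/group NSS sources only when it is not already listed` would explain the guard to the next reader.
```yaml
- name: Update NSSWITCH
  ansible.builtin.lineinfile:
    path: /etc/nsswitch.conf
    # match "<db>:" lines that do not already list ldap anywhere
    regexp: '^({{ item }}:(?!.*\bldap\b).*)$'
    line: '\1 ldap'
    backrefs: true
    backup: true
  # … unchanged: loop over passwd/shadow/group and tags …
```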