diff --git a/ad-auth/files/sudo/admin b/ad-auth/files/sudo/admin
new file mode 100644
index 0000000000000000000000000000000000000000..56838a907ae44c9e0a36c8efdda54d8ed7e48a60
--- /dev/null
+++ b/ad-auth/files/sudo/admin
@@ -0,0 +1 @@
+%admin ALL=(ALL:ALL) ALL
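Review bot: The one-line rule grants unrestricted root to every member of a group called `admin`, and with this role the membership of that group is resolved through nslcd from the directory, so the file should say where that trust comes from; a sudoers comment above the rule would do: `# members of the directory group "admin" (resolved via nslcd) get unrestricted sudo; managed by the ad-auth ansible role`. Note that `%admin` matches any source NSS answers from, so if a host also has a local `admin` group in /etc/group (Ubuntu used to ship one) its local members are covered too — presumably intended, but worth stating in the same comment. The file name `admin` is safe for /etc/sudoers.d (no dot, no `~`), and the task installing it sets mode 0440, which is what visudo expects.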
diff --git a/ad-auth/tasks/main.yml b/ad-auth/tasks/main.yml
index 3d4abef8dc5e0e49ff07bca7d112aef75907f6ca..3ebf584b6baec5187ecbebd695bec402aaa5fc73 100644
--- a/ad-auth/tasks/main.yml
+++ b/ad-auth/tasks/main.yml
@@ -6,3 +6,4 @@ tasks:
   - include: nslcd.yml
   - include: nscd.yml
   - include: kerberos.yml
+  - include: sudo.yml
diff --git a/ad-auth/tasks/sudo.yml b/ad-auth/tasks/sudo.yml
new file mode 100644
index 0000000000000000000000000000000000000000..761d91b36a8f9a44d261b71a853a1804613f8f16
--- /dev/null
+++ b/ad-auth/tasks/sudo.yml
@@ -0,0 +1,10 @@
+---
+# file: roles/ad-auth/tasks/sudo.yml
+
+- name: ensure users of group admin are in the sudoers
+  copy: src=sudo/admin dest=/etc/sudoers.d/admin owner=root group=root mode=0440
+  tags: sudo config
+
+- name: check whole sudo config
+  command: visudo -q -c -f /etc/sudoers
+  tags: sudo test
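Review bot: The copy task writes /etc/sudoers.d/admin before anything checks it — the `visudo -q -c -f /etc/sudoers` task only runs afterwards and does not revert anything, so a malformed file would already have broken sudo for every user on the host by the time the check fails; the copy module's `validate` parameter checks the staged file first (`validate: visudo -cf %s`) and refuses to install it when visudo rejects it. `tags: sudo config` and `tags: sudo test` are, as far as I can tell, each a single tag containing a space (Ansible splits string tags on commas, not whitespace), so `--tags sudo` would select neither task; write them as lists. The `command` task also reports "changed" on every run; `changed_when: false` makes the check idempotent in the play summary. The block form below makes the `mode` a quoted string, which is the safer YAML spelling for an octal mode.
```yaml
- name: ensure users of group admin are in the sudoers
  copy:
    src: sudo/admin
    dest: /etc/sudoers.d/admin
    owner: root
    group: root
    mode: "0440"
    validate: visudo -cf %s
  tags:
    - sudo
    - config

- name: check whole sudo config
  command: visudo -q -c -f /etc/sudoers
  changed_when: false
  tags:
    - sudo
    - test
```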
diff --git a/ad-auth/templates/ldap.conf.j2 b/ad-auth/templates/ldap.conf.j2
index 4a815c5edd635d3d76443b5203c92d102ec0d9a0..3ac0530739ade88aaa796ce4924cb85e3f472fdc 100644
--- a/ad-auth/templates/ldap.conf.j2
+++ b/ad-auth/templates/ldap.conf.j2
@@ -1,4 +1,3 @@
-## TODO
 #
 # LDAP Defaults
 #
@@ -6,11 +5,11 @@
 # See ldap.conf(5) for details
 # This file should be world readable but not world writable.
 
-BASE	dc=fsmpi,dc=rwth-aachen,dc=de
-URI	ldaps://rumo.fsmpi.rwth-aachen.de
+BASE	{{ authbase }}
+URI	ldaps://{{ authserver }}
 
 #SIZELIMIT	12
 #TIMELIMIT	15
 #DEREF		never
 
-TLS_CACERT	/etc/ssl/certs/rwth_chain.pem
+TLS_CACERT	{{ authcacert }}
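Review bot: The template now pins the CA file but still does not pin the verification policy: no `TLS_REQCERT` line is set, so how strictly the server certificate is checked falls back to the libldap default (normally `demand`, but overridable by a system-wide ldap.conf or the process environment), whereas nslcd.conf.j2 in this same commit states `tls_reqcert demand` explicitly. Add `TLS_REQCERT	demand` directly under the `TLS_CACERT` line so every consumer of `{{ authcacert }}` verifies the server the same way. A short header comment listing the variables this template expects (`authserver`, `authbase`, `authcacert`) would also help, since an undefined one now stops the play at template time rather than producing a visibly wrong value.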
diff --git a/ad-auth/templates/nslcd.conf.j2 b/ad-auth/templates/nslcd.conf.j2
index de34bdc4103f9cc4f714426164178825e967cacf..5675aebabdcd8b71df552b1dee930ef3fe49bd3c 100644
--- a/ad-auth/templates/nslcd.conf.j2
+++ b/ad-auth/templates/nslcd.conf.j2
@@ -1,4 +1,3 @@
-## TODO
 # /etc/nslcd.conf
 # nslcd configuration file. See nslcd.conf(5)
 # for details.
@@ -8,10 +7,10 @@ uid nslcd
 gid nslcd
 
 # The location at which the LDAP server(s) should be reachable.
-uri ldaps://rumo.fsmpi.rwth-aachen.de/
+uri ldaps://{{ authserver }}
 
 # The search base that will be used for all queries.
-base dc=fsmpi,dc=rwth-aachen,dc=de
+base {{ authbase }}
 
 # The LDAP protocol version to use.
 #ldap_version 3
@@ -25,7 +24,7 @@ base dc=fsmpi,dc=rwth-aachen,dc=de
 
 # SSL options
 #ssl off
-tls_cacertfile /etc/ssl/certs/rwth_chain.pem
+tls_cacertfile {{ authcacert }}
 tls_reqcert demand
 
 # The search scope.
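Review bot: The trust anchor is now whatever `{{ authcacert }}` points at, but nothing in this template or elsewhere in the diff shows the file being placed on the managed host; with `tls_reqcert demand` kept on the following line, an absent or wrong path presumably makes every LDAP connection fail closed — the right failure mode, but one that is slow to diagnose from nslcd logs alone. A comment above the line would make the dependency explicit: `# CA bundle used to verify {{ authserver }}; must exist on the host before nslcd starts, otherwise tls_reqcert demand below rejects every connection`. Whether the role deploys the CA file in another task cannot be seen here; the same remark applies to TLS_CACERT in ldap.conf.j2 in this commit.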