diff --git a/roles/karaage3.1.17/tasks/apacheDebian.yml b/roles/karaage3.1.17/tasks/apacheDebian.yml
index cd95414abe0ad1e95bbde4f5aab4f1c65d6b1505..44ffcdc4a675736cfdf50a9d0be0c1d5016cc565 100644
--- a/roles/karaage3.1.17/tasks/apacheDebian.yml
+++ b/roles/karaage3.1.17/tasks/apacheDebian.yml
@@ -7,14 +7,6 @@
   - apache2-dev
  sudo: true
 
-#-
-# name: "Setting default-ssl site"
-# lineinfile: dest=/etc/apache2/sites-available/default-ssl.conf  regexp="{{ item.regexp }}" line="{{ item.line }}" backrefs=yes
-# with_items:
-#  - { regexp : "^\\s+SSLCertificateFile", line : "		SSLCertificateFile {{ x509_cert_file }}" }
-#  - { regexp : "SSLCertificateChainFile", line : "      SSLCertificateChainFile {{ 
-#  - { regexp : "SSLCertificateKeyFile", line : "		SSLCertificateKeyFile {{ x509_key_file }}" }
-# sudo: true
 -
  name: "Templating default-ssl site"
  template: src=default-ssl.j2 dest=/etc/apache2/sites-available/default-ssl.conf owner=www-data group=www-data
diff --git a/roles/karaage3.1.17/tasks/apacheRedHat.yml b/roles/karaage3.1.17/tasks/apacheRedHat.yml
index 3515c7c200e7b4dd18045dcc478b2d61b535322b..584ed275655dbff3b919d20679e9c8ce3a56be03 100644
--- a/roles/karaage3.1.17/tasks/apacheRedHat.yml
+++ b/roles/karaage3.1.17/tasks/apacheRedHat.yml
@@ -14,14 +14,12 @@
  name: Setting httpd.conf
  sudo: true
  replace: dest=/etc/httpd/conf/httpd.conf regexp="^#ServerName www.example.com:80" replace="ServerName {{ ansible_fqdn }}"
+
 -
- name: Setting ssl.conf
+ name: "Templating default-ssl site"
+ template: src=default-ssl.j2 dest=/etc/httpd/conf.d/ssl.conf owner=apache group=apache
  sudo: true
- lineinfile: dest=/etc/httpd/conf.d/ssl.conf regexp="{{ item.regexp }}" line="{{ item.line }}" backrefs=yes
- with_items:
-  - { regexp : "^SSLCertificateFile", line : "SSLCertificateFile {{ x509_cert_file }}" }
-  - { regexp : "SSLCertificateKeyFile", line : "SSLCertificateKeyFile {{ x509_key_file }}" }
-  - { regexp : "SSLCACertificateFile", line : "SSLCACertificateFile {{ x509_cacert_file }}" }
+
 -
  name: Templating wsgi.conf
  sudo: true
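Review bot: The new "Templating default-ssl site" task writes /etc/httpd/conf.d/ssl.conf with `owner=apache group=apache`, which is normally the account httpd runs as on RedHat, and it sets no mode. A compromised worker or web application could then rewrite the TLS configuration, which the root-owned parent process parses on the next reload. Prefer `template: src=default-ssl.j2 dest=/etc/httpd/conf.d/ssl.conf owner=root group=root mode=0644`. The Debian task visible as context in apacheDebian.yml hands the file to www-data in the same way. Separately, if default-ssl.j2 is the Debian vhost-only file, check that the `Listen 443` and module-level SSL settings the stock RedHat ssl.conf carries are still provided somewhere.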
diff --git a/roles/karaage3.1.17/tasks/karaage.yml b/roles/karaage3.1.17/tasks/karaage.yml
index 22ac31e6f18a4143fec2b212525c9ab9406c2296..e30a8fcd7072aa8a9a55bcb100caa6d7ebf70b43 100644
--- a/roles/karaage3.1.17/tasks/karaage.yml
+++ b/roles/karaage3.1.17/tasks/karaage.yml
@@ -64,7 +64,6 @@
  sudo: true
  with_items:
   - six
-  - MySQL-python
   - slimit
   - ply
   - cython
@@ -110,22 +109,6 @@
  sudo: true
  when: ansible_os_family == "RedHat"
 
-- name: "Configure karaage3-wsgi.conf"
-  template: src=karaage3-wsgi.conf.j2 dest=/etc/{% if ansible_os_family == 'RedHat'  %}httpd{% else %}apache2{% endif %}/conf-available/karaage3-wsgi.conf 
-  sudo: true
-
-     #-
-     # name: "Enable shibboleth, should it be in shibboleth-sp role?"
-     # lineinfile: insertafter="{{ item.after }}" line="{{ item.line }}" dest=/etc/{% if ansible_os_family == 'RedHat'  %}httpd{% else %}apache2{% endif %}/conf-available/karaage3-wsgi.conf state=present
-     # with_items:
-     #   - { after: 'EOF', line: '<Location /karaage>' } 
-     #   - { after: '^<Location /karaage>', line: 'AuthType Shibboleth' }
-     #   - { after: '^AuthType Shibboleth', line: 'ShibRequireSession On' }
-     #   - { after: '^ShibRequireSession On', line: 'ShibUseHeaders On' }
-     #   - { after: '^ShibUseHeaders On', line: 'require valid-user' }
-     #   - { after: '^require valid-user', line: '</Location>' }
-     # sudo: true
-
 -
  name: "Installing other packages Debian"
  apt: name={{ item }} update_cache=yes
@@ -218,3 +201,16 @@
  service: name=httpd state=reloaded
  sudo: true
  when: ansible_os_family == "RedHat"
+
+- 
+ name: "Enable shibboleth (ansible-galaxy install yaegashi.blockinfile)"
+ blockinfile:
+   dest: /etc/apache2/conf-available/karaage3-wsgi.conf
+   block: |
+     <Location /karaage>
+     AuthType Shibboleth
+     ShibRequireSession On
+     ShibUseHeaders On
+     require valid-user
+     </Location>
+
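Review bot: The added "Enable shibboleth" task has no `sudo: true` and no OS guard, yet it writes to the hard-coded path /etc/apache2/conf-available/karaage3-wsgi.conf. Add `sudo: true` and `when: ansible_os_family == "Debian"`, or restore the httpd/apache2 path switch that the removed template task used. An earlier hunk in this file deletes the task that templated karaage3-wsgi.conf, so unless something outside this diff creates the file, the block has nothing to be inserted into. The task also sits after the httpd reload shown as context and nothing visible reloads Apache afterwards, so the `<Location /karaage>` session requirement may not be live when the play ends; a `notify` to a reload handler would close that gap. `ShibUseHeaders On` publishes attributes as request headers, which the Shibboleth documentation treats as the weaker option compared with environment variables, so keep it only if Karaage really reads headers.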
diff --git a/roles/karaage3.1.17/templates/default-ssl.j2 b/roles/karaage3.1.17/templates/default-ssl.j2
index 28ca021b6d024678bed1046f2b550e75669c8286..4e5e7e95f0d987a36902e6a401433fc38e7d3017 100644
--- a/roles/karaage3.1.17/templates/default-ssl.j2
+++ b/roles/karaage3.1.17/templates/default-ssl.j2
@@ -51,6 +51,7 @@
 	#   certificate chain for the server certificate. Alternatively
 	#   when the CA certificates are directly appended to the server
 	#   certificate for convinience.
+	SSLCertificateChainFile {{ x509_cert_chain }} 
 
 	#   Certificate Authority (CA):
 	#   Set the CA certificate verification path where to find CA
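Review bot: The added `SSLCertificateChainFile {{ x509_cert_chain }}` line is unconditional, so every host that renders this template must now define `x509_cert_chain`. The RedHat task that switches to this template in the same commit previously referenced only x509_cert_file, x509_key_file and x509_cacert_file. Wrapping the directive in `{% if x509_cert_chain is defined %}` … `{% endif %}` avoids a templating failure on hosts without a separate chain file. SSLCertificateChainFile is also deprecated from Apache 2.4.8 in favour of appending the chain to the file named by SSLCertificateFile, and the added line carries a trailing space. The enclosing VirtualHost block lies outside this hunk.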
diff --git a/roles/ldapserver/tasks/main.yml b/roles/ldapserver/tasks/main.yml
index 702153d6b77329428989be9e87218e49d6d7ac41..e1b9420b33f3fc6a17b2c28850ee110753f923bf 100644
--- a/roles/ldapserver/tasks/main.yml
+++ b/roles/ldapserver/tasks/main.yml
@@ -78,12 +78,20 @@
   file: path={{ cacert | dirname }} state=directory owner={{ ldapuser }} group={{ ldapgroup }}
   sudo: true
 
-- name: make destination directories for certs 
-  file: path=/etc/ldap/certs state=directory mode=755 owner={{ ldapuser }} group={{ ldapgroup }}
+- name: make ldap certs dir
+  file: path={{ ldapCertDir }} state=directory owner={{ ldapuser }} group={{ ldapgroup }}
   sudo: true
+  when: ldapCertDir is defined
 
-- name: make destination directories for keys
-  file: path=/etc/ldap/private state=directory mode=700 owner={{ ldapuser }} group={{ ldapgroup }}
+- name: make ldap private dir
+  file: path={{ ldapPrivateDir }} state=directory owner={{ ldapuser }} group={{ ldapgroup }}
+  sudo: true
+  when: ldapPrivateDir is defined
+
+# Change to remove easy-rsa and to use fixed key and certs
+- name: copy fixed keys and certs from files directory
+  template: src=files/{{ item.src }} dest="{{ item.dest }}" mode={{ item.mode }} owner=root group=root
+  with_items: ldapCertFiles 
   sudo: true
   
 - name: copy cert
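Review bot: The rewritten directory tasks drop the explicit `mode=755` and `mode=700`, so the private-key directory is now created with whatever the default umask gives, typically world-traversable. Keep the restriction, e.g. `file: path={{ ldapPrivateDir }} state=directory mode=0700 owner={{ ldapuser }} group={{ ldapgroup }}`. "copy fixed keys and certs" runs key and certificate files through `template`, which Jinja-renders them, where `copy` would be the expected module. It also iterates `ldapCertFiles` with no `when: ldapCertFiles is defined`, unlike the two tasks above it. If the fixed private keys live unencrypted in the role's files directory, they should be vault-encrypted or pulled from a secret store rather than committed.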
@@ -98,7 +106,6 @@
   copy: src="files/{{ ldap_TLSKey }}" dest="{{ ldapkey }}" mode=600 owner={{ ldapuser }} group={{ ldapgroup }}
   sudo: true
 
-
 - name: enable ssl centos
   lineinfile: regexp="SLAPD_LDAPS=no" state=present line="SLAPD_LDAPS=yes" dest=/etc/sysconfig/ldap
   sudo: true
diff --git a/roles/mysql/tasks/main.yml b/roles/mysql/tasks/main.yml
index bc39805e12f63115eb9d0d88fc9d19af77fbb8de..fd7181ba5206b53ab92a9a0802a239a2f0b0fde2 100644
--- a/roles/mysql/tasks/main.yml
+++ b/roles/mysql/tasks/main.yml
@@ -1,3 +1,3 @@
 ---
- - include: mysql_client.yml mysql_type=mysql_client
- - include: mysql_server.yml mysql_type=mysql_server
+- include_vars: "{{ ansible_distribution }}_{{ ansible_distribution_major_version }}.yml"
+- include: "{{ mysql_type }}.yml"
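Review bot: `include_vars` builds its filename from `ansible_distribution` and the major version, but this commit adds only CentOS_6, CentOS_7, Debian_7 and Debian_8, so a host on any other distribution or release fails on the first task of the role. A fallback, for example a `with_first_found` list ending in a default vars file, would keep the role usable there. `include: "{{ mysql_type }}.yml"` also makes `mysql_type` a required caller-supplied variable where the role used to set it itself; document it in vars/readme.txt and fail early with a clear message when it is undefined.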
diff --git a/roles/mysql/tasks/mysql_server.yml b/roles/mysql/tasks/mysql_server.yml
index d863a8146f2a6b2138394c0e8016a3f113e535bf..95885ee2329c2e7c5da87686cd11d9521e1406e7 100644
--- a/roles/mysql/tasks/mysql_server.yml
+++ b/roles/mysql/tasks/mysql_server.yml
@@ -1,27 +1,29 @@
 ---
 - name: "Installing MySQL Debian"
   apt: name="{{ item }}" update_cache=yes cache_valid_time=3600 state=present
-  with_items:
-    - python
-    - python-dev
-    - libmysqlclient-dev
-    - python-pip
-    - libapache2-mod-wsgi
-    - python-mysql.connector
-    - mysql-server
-    - python-mysqldb
+  with_items: server_packages
   sudo: true
   when: ansible_os_family == "Debian"
 
+- name: "Remove rdo repo"
+  file: path=/etc/yum.repos.d/rdo-release.repo state=absent
+  sudo: true
+  when: ansible_os_family == "RedHat" and ansible_distribution_major_version >= 7
+
+- name: "Check RPM packages"
+  shell: ls /etc/yum.repos.d/mysql-community.repo
+  register: mysql_repo
+  ignore_errors: true
+  when: rpm_package is defined
+
+- name: "Add RPM packages"
+  shell: rpm -iUvh {{ rpm_package }} 
+  sudo: true
+  when: mysql_repo | failed
+
 - name: Installing MySQL RedHat
-  yum: name="{{ item }}" state=latest
-  with_items:
-    - python
-    - python-devel
-    - mysql-devel
-    - mysql-libs
-    - MySQL-python
-    - mysql-server
+  yum: name={{ item }}
+  with_items: server_packages
   sudo: true
   when: ansible_os_family == "RedHat"
 
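Review bot: "Add RPM packages" installs whatever `rpm_package` points at through `shell: rpm -iUvh`, and the only value this commit supplies (vars/CentOS_7.yml) is a plain `http://` URL. The repository-release package that goes on to define package sources for the host is therefore fetched without transport integrity. Use an `https://` URL and verify the download against a pinned checksum or a pre-imported GPG key before installing it. The `ls` probe with `ignore_errors` could be a `stat` task, or `creates=/etc/yum.repos.d/mysql-community.repo` on the install task, which keeps the run idempotent without a deliberately failing step. In "Remove rdo repo", `ansible_distribution_major_version >= 7` compares a string fact with an integer; `ansible_distribution_major_version | int >= 7` is the safer form.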
@@ -36,7 +38,6 @@
   when: ansible_os_family == "RedHat" and ansible_distribution_major_version < 7
 
 - name: "Starting MySQL"
-#service: name=mariadb state=started enabled=true
   service: name=mysqld state=started enabled=true
   sudo: true
   when: ansible_os_family == "RedHat" and ansible_distribution_major_version >= 7
diff --git a/roles/mysql/vars/CentOS_6.yml b/roles/mysql/vars/CentOS_6.yml
new file mode 100644
index 0000000000000000000000000000000000000000..e3bbeaef6a54dfe6bdc1dfbf788974ffcfb73c28
--- /dev/null
+++ b/roles/mysql/vars/CentOS_6.yml
@@ -0,0 +1,9 @@
+server_packages:
+  - python
+  - python-devel
+  - mysql-devel
+  - mysql-libs
+  - MySQL-python
+  - mysql-server
+
+
diff --git a/roles/mysql/vars/CentOS_7.yml b/roles/mysql/vars/CentOS_7.yml
new file mode 100644
index 0000000000000000000000000000000000000000..524f128c51bfd90d07b7386d88836f78068a3db2
--- /dev/null
+++ b/roles/mysql/vars/CentOS_7.yml
@@ -0,0 +1,9 @@
+rpm_package: "http://dev.mysql.com/get/mysql-community-release-el7-5.noarch.rpm"
+
+server_packages:
+  - python
+  - python-devel
+  - MySQL-python
+  - mysql-community-server
+
+
diff --git a/roles/mysql/vars/Debian_7.yml b/roles/mysql/vars/Debian_7.yml
new file mode 100644
index 0000000000000000000000000000000000000000..eec16f6a706186a4ad21541298425f17191f9bc4
--- /dev/null
+++ b/roles/mysql/vars/Debian_7.yml
@@ -0,0 +1,10 @@
+server_packages:
+  - python
+  - python-dev
+  - libmysqlclient-dev
+  - python-pip
+  - libapache2-mod-wsgi
+  - python-mysql.connector
+  - mysql-server
+  - python-mysqldb
+
diff --git a/roles/mysql/vars/Debian_8.yml b/roles/mysql/vars/Debian_8.yml
new file mode 100644
index 0000000000000000000000000000000000000000..eec16f6a706186a4ad21541298425f17191f9bc4
--- /dev/null
+++ b/roles/mysql/vars/Debian_8.yml
@@ -0,0 +1,10 @@
+server_packages:
+  - python
+  - python-dev
+  - libmysqlclient-dev
+  - python-pip
+  - libapache2-mod-wsgi
+  - python-mysql.connector
+  - mysql-server
+  - python-mysqldb
+
diff --git a/roles/mysql/vars/main.yml b/roles/mysql/vars/main.yml
deleted file mode 100644
index 5ab6594867c30436d4a67277577cfc5cae58f643..0000000000000000000000000000000000000000
--- a/roles/mysql/vars/main.yml
+++ /dev/null
@@ -1,2 +0,0 @@
----
-mysql_config_file_name: mysql_config
diff --git a/roles/mysql/vars/readme.txt b/roles/mysql/vars/readme.txt
index ae0e02b275783367720722a8fb8399fe74461478..097faecb47318cb8565539b44c6a1975a5b6c7d7 100644
--- a/roles/mysql/vars/readme.txt
+++ b/roles/mysql/vars/readme.txt
@@ -6,4 +6,4 @@ mysql_user_name: "my_database"
 mysql_user_host: "localhost"
 mysql_root_password: "secret"
 mysql_user_password: "secret"
-
+mysql_config_file_name: mysql_config
diff --git a/roles/shibboleth-sp/templates/attribute-map.xml.j2 b/roles/shibboleth-sp/templates/attribute-map.xml.j2
index 6b8a8c85270e92ea601908afd94eb399d05d59e8..b25ca20e519c99ba45852d94c5d795bcc7669cab 100644
--- a/roles/shibboleth-sp/templates/attribute-map.xml.j2
+++ b/roles/shibboleth-sp/templates/attribute-map.xml.j2
@@ -149,5 +149,6 @@
     <Attribute name="urn:oid:2.5.4.15" id="businessCategory"/>
     <Attribute name="urn:oid:2.5.4.19" id="physicalDeliveryOfficeName"/>
     -->
-
+    <Attribute name="urn:mace:dir:attribute-def:auEduPersonSharedToken" id="auEduPersonSharedToken"/>
+    <Attribute name="urn:oid:1.3.6.1.4.1.27856.1.2.5" id="auEduPersonSharedToken"/>
 </Attributes>