diff --git a/roles/karaage3.1.17/tasks/karaage.yml b/roles/karaage3.1.17/tasks/karaage.yml
index c9536a3e45ea2d0f5a60c266dbc5e110ffc1feaf..1142ced19b1fc72e522758b3d6da17e8517c7d5b 100644
--- a/roles/karaage3.1.17/tasks/karaage.yml
+++ b/roles/karaage3.1.17/tasks/karaage.yml
@@ -107,7 +107,8 @@
    - { after: '^AuthType Shibboleth', line: 'ShibRequireSession On' }
    - { after: '^ShibRequireSession On', line: 'ShibUseHeaders On' }
    - { after: '^ShibUseHeaders On', line: 'require valid-user' }
-   - { after: '^require valid-user', line: '</Location>' }
+   - { after: 'EOF', line: '</Location>' }
+#   - { after: '^require valid-user', line: '</Location>' }
  sudo: true
 
 -
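Review bot: `after: 'EOF'` moves the `</Location>` line from just after the last `require valid-user` match to the end of the file; assuming `after` feeds lineinfile's `insertafter` (the task header is before this hunk), the closing tag is now appended after whatever else the file contains, so if anything follows the `<Location>` block the tag lands outside it and the Apache config no longer parses. If the motivation was that `^require valid-user` matched the wrong occurrence, a more specific anchor such as `after: '^ShibUseHeaders On'` keeps the tag attached to this block. The commented-out previous entry on the following line is dead configuration and is better deleted than kept as a comment.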
diff --git a/roles/ldapserver/meta/main.yml b/roles/ldapserver/meta/main.yml
deleted file mode 100644
index 11e79807cceb222f4d145464d2f0db20a1aefec7..0000000000000000000000000000000000000000
--- a/roles/ldapserver/meta/main.yml
+++ /dev/null
@@ -1,3 +0,0 @@
----
-dependencies:
-    - { role: easy-rsa-certificate, x509_csr_args: "", x509_sign_args: "--server", x509_cacert_file: "/etc/ssl/certs/ca.crt", x509_key_file: "/etc/ssl/private/server.key", x509_cert_file: "/etc/ssl/certs/server.crt", x509_common_name: "{{ ansible_fqdn }}" }
diff --git a/roles/ldapserver/tasks/main.yml b/roles/ldapserver/tasks/main.yml
index 9aee134548f2e03c717b5fa6a991c6bb60f8e06d..582041c82664276f87e22f95ac0ae7552634c122 100644
--- a/roles/ldapserver/tasks/main.yml
+++ b/roles/ldapserver/tasks/main.yml
@@ -19,7 +19,6 @@
   sudo: true
   when: ansible_os_family == 'Debian'
 
-
 - name: hash password
   command: /usr/sbin/slappasswd -h {SSHA} -s {{ ldapManagerPassword }}
   register: ldapManagerHash
@@ -60,8 +59,8 @@
 - name: template acls.ldif
   template: src=acls_ldif.j2 dest=/tmp/acls.ldif
 
-- name: template ppolicy_moduleload.ldif
-  template: src=ppolicy_moduleload_ldif.j2 dest=/tmp/ppolicy_moduleload.ldif
+- name: template load_modules.ldif
+  template: src=load_modules_ldif.j2 dest=/tmp/load_modules.ldif
 
 - name: template ppolicy_overlay.ldif
   template: src=ppolicy_overlay_ldif.j2 dest=/tmp/ppolicy_overlay.ldif
@@ -84,6 +83,12 @@
   file: path={{ cacert | dirname }} state=directory owner={{ ldapuser }} group={{ ldapgroup }}
   sudo: true
 
+# Change to remove easy-rsa and to use fixed key and certs
+- name: copy fixed keys and certs from files directory
+  template: src=files/{{ item.src }} dest="{{ item.dest }}" mode={{ item.mode }} owner=root group=root
+  with_items: ldapCertFiles 
+  sudo: true
+  
 - name: copy cert
   command: cp /etc/ssl/certs/server.crt {{ ldapcert }}
   sudo: true
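Review bot: The new `copy fixed keys and certs from files directory` task installs key and certificate files with the `template` module, so any `{{`, `{%` or `{#` sequence in the file content is interpreted as Jinja instead of being copied verbatim; for opaque key material `copy: src=files/{{ item.src }} dest="{{ item.dest }}" mode={{ item.mode }} owner=root group=root` is the right module. The header comment says easy-rsa is being removed, yet the following `copy cert` task still copies `/etc/ssl/certs/server.crt`, which was the easy-rsa output path in the deleted `roles/ldapserver/meta/main.yml` dependency — unless `ldapCertFiles` places a file there (I cannot see its definition) that task will now fail, so it should be dropped or pointed at the new destination. Keeping private keys under the role's `files/` directory means they are committed alongside the playbook; if that is deliberate, the `mode` entries for key items should stay at 0600 and an Ansible vault or external secret source is worth considering. `with_items: ldapCertFiles ` and the blank line after `sudo: true` carry trailing whitespace.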
@@ -134,16 +139,6 @@
   register: aclConfigured
 
 
-- name: check DIT config
-  shell: "ldapsearch -D {{ ldapManager }} -w {{ ldapManagerPassword }} -b {{ ldapBase }} -x -H ldap://localhost objectClass=dcObject"
-  ignore_errors: true
-  register: ditConfigured
-
-- name: check Accounts config
-  shell: "ldapsearch -D {{ ldapManager }} -w {{ ldapManagerPassword }} -b {{ ldapUserBase }} -x -H ldap://localhost objectClass=*"
-  ignore_errors: true
-  register: accountsConfigured
-
 - name: check real Accounts config
   shell: "ldapsearch -D {{ ldapManager }} -w {{ ldapManagerPassword }} -b {{ ldapAccountBase }} -x -H ldap://localhost objectClass=*"
   ignore_errors: true
@@ -160,8 +155,7 @@
   ignore_errors: true
   register: binddnConfigured
 
--
-  name: Initialise cosine and ppolicy
+- name: Initialise cosine and ppolicy
   shell: ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/{{ item }}.ldif -D cn=config
   with_items:
    - ppolicy
@@ -177,46 +171,94 @@
   sudo: true
   when: tlsConfigured|failed
 
+- name: check DIT config
+  shell: "ldapsearch -D {{ ldapManager }} -w {{ ldapManagerPassword }} -b {{ ldapBase }} -x -H ldap://localhost objectClass=dcObject"
+  ignore_errors: true
+  register: ditConfigured
+
+- name: check Accounts config
+  shell: "ldapsearch -D {{ ldapManager }} -w {{ ldapManagerPassword }} -b {{ ldapUserBase }} -x -H ldap://localhost objectClass=*"
+  ignore_errors: true
+  register: accountsConfigured
+
 - name: initialise server manager
-  shell:  ldapmodify -Y EXTERNAL -H ldapi:/// -f /tmp/manager.ldif -D cn=config 
+  shell:  ldapmodify -Y EXTERNAL -H ldapi:/// -f /tmp/manager.ldif -D cn=config
   sudo: true
   when: managerConfigured|failed
+
 - name: initialise server manager
-  shell:  ldapmodify -Y EXTERNAL -H ldapi:/// -f /tmp/manager2.ldif -D cn=config 
+  shell: ldapmodify -Y EXTERNAL -H ldapi:/// -f /tmp/manager2.ldif -D cn=config 
   sudo: true
   ignore_errors: true
   when: managerConfigured|failed
 - name: initialise server manager
-  shell:  ldapmodify -Y EXTERNAL -H ldapi:/// -f /tmp/manager3.ldif -D cn=config 
+  shell: ldapmodify -Y EXTERNAL -H ldapi:/// -f /tmp/manager3.ldif -D cn=config 
   sudo: true
   when: managerConfigured|failed
 
 - name: initialise server acls
-  shell:  ldapmodify -Y EXTERNAL -H ldapi:/// -f /tmp/acls.ldif -D cn=config
+  shell: ldapmodify -Y EXTERNAL -H ldapi:/// -f /tmp/acls.ldif -D cn=config
   sudo: true
   when: aclConfigured|failed
 
 - name: add DIT root
   shell: ldapadd -x -D {{ ldapManager }} -w {{ ldapManagerPassword }} -x -H ldap://localhost -f /tmp/root.ldif
-  sudo: true
   when: ditConfigured|failed
 
 - name: add Accounts OU
   shell: ldapadd -x -D {{ ldapManager }} -w {{ ldapManagerPassword }} -x -H ldap://localhost -f /tmp/accounts.ldif
-  sudo: true
   when: accountsConfigured|failed
 
 - name: add real Accounts OU
   shell: ldapadd -x -D {{ ldapManager }} -w {{ ldapManagerPassword }} -x -H ldap://localhost -f /tmp/real_accounts.ldif
-  sudo: true
   when: realAccountsConfigured is defined and realAccountsConfigured|failed
 
 - name: add Groups OU
   shell: ldapadd -x -D {{ ldapManager }} -w {{ ldapManagerPassword }} -x -H ldap://localhost -f /tmp/groups.ldif
-  sudo: true
   when: groupsConfigured|failed
 
 - name: add binddn
   shell: ldapadd -x -D {{ ldapManager }} -w {{ ldapManagerPassword }} -x -H ldap://localhost -f /tmp/binddn.ldif
   sudo: true
   when: binddnConfigured|failed
+      
+- name: check ppolicy module loaded
+  shell: slapcat -b cn=config | grep "olcModuleLoad. {.*}ppolicy"
+  sudo: true
+  ignore_errors: true
+  register: ppolicyModuleLoaded
+
+- name: load ppolicy module
+  shell: ldapadd -Y EXTERNAL -H ldapi:/// -f /tmp/load_modules.ldif -D cn=config 
+  sudo: true
+  when: ppolicyModuleLoaded|failed
+
+- name: check ppolicy overlay config
+  shell: "slapcat -b cn=config | grep 'dn: olcOverlay=ppolicy,olcDatabase={.*}.db,cn=config'"
+  ignore_errors: true
+  sudo: true
+  register: ppolicyOverlayConfigured
+
+- name: add ppolicy overlay
+  shell: ldapadd -Y EXTERNAL -H ldapi:/// -f /tmp/ppolicy_overlay.ldif -D cn=config 
+  sudo: true
+  when: ppolicyOverlayConfigured|failed
+
+- name: check pwpolicies config
+  shell: ldapsearch -D cn=binddn,ou=Accounts,{{ ldapDomain }} -w {{ ldapBindDNPassword }} -b ou=pwpolicies,{{ ldapDomain }} objectClass=*
+  ignore_errors: true
+  register: pwpoliciesConfigured
+
+- name: add pwpolicies
+  shell: ldapadd -x -D cn=Manager,{{ ldapDomain }} -w {{ ldapManagerPassword }} -f /tmp/pwpolicies.ldif
+  when: pwpoliciesConfigured|failed
+
+- name: check defaultPwpolicy config
+  shell: ldapsearch -D cn=binddn,ou=Accounts,{{ ldapDomain }} -w {{ ldapBindDNPassword }} -b cn=default,ou=pwpolicies,{{ ldapDomain }} objectClass=*
+  ignore_errors: true
+  register: defaultPpolicyConfigured
+
+- name: add defaultPwpolicy
+  shell: ldapadd -x -D cn=Manager,{{ ldapDomain }} -w {{ ldapManagerPassword }} -f /tmp/default_ppolicy.ldif
+  when: defaultPpolicyConfigured|failed
+
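Review bot: The new `check pwpolicies config`, `add pwpolicies`, `check defaultPwpolicy config` and `add defaultPwpolicy` tasks pass `{{ ldapBindDNPassword }}` and `{{ ldapManagerPassword }}` via `-w` on the command line and register the result without `no_log`, so the passwords are visible in the process list, in Ansible's task output and in any callback log; the same applies to the moved `check DIT config` and `check Accounts config` tasks. Adding `no_log: true` to each of these tasks is the minimal fix, and ldapsearch/ldapadd's `-y <password-file>` in place of `-w` would keep the secret out of argv altogether (`ignore_errors: true` does not suppress the output). The two new ldapsearch calls also omit `-x`, unlike every other ldapsearch in this file, so unless ldap.conf says otherwise they attempt a SASL bind rather than the simple bind that `-D`/`-w` implies, and the matching ldapadd tasks hardcode `cn=Manager,{{ ldapDomain }}` where the rest of the file uses `{{ ldapManager }}` — `-x -D {{ ldapManager }}` keeps them consistent. The `manager2`, `manager3`, `load ppolicy module` and `add ppolicy overlay` shell lines and the line after `add binddn` carry trailing whitespace.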
diff --git a/roles/ldapserver/templates/ppolicy_moduleload_ldif.j2 b/roles/ldapserver/templates/load_modules_ldif.j2
similarity index 70%
rename from roles/ldapserver/templates/ppolicy_moduleload_ldif.j2
rename to roles/ldapserver/templates/load_modules_ldif.j2
index 084cc60366dc216b2c24ae1a3d5ef29cdf5e4957..fd643276f003704e547e7b5136f62440f13cef08 100644
--- a/roles/ldapserver/templates/ppolicy_moduleload_ldif.j2
+++ b/roles/ldapserver/templates/load_modules_ldif.j2
@@ -1,5 +1,5 @@
 dn: cn=module,cn=config
 objectClass: olcModuleList
 cn: module
-olcModulePath: /usr/lib64/openldap/
+olcModulePath: {{ module_path }} 
 olcModuleLoad: ppolicy.la
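Review bot: `olcModulePath: {{ module_path }} ` ends with a trailing space, and in LDIF everything after the `: ` separator up to the end of the line is the attribute value, so slapd is likely handed a module path with a trailing blank; drop the space so the line reads `olcModulePath: {{ module_path }}`. The CentOS value added in `roles/ldapserver/vars/CentOS.yml` carries a trailing slash (`"/usr/lib64/openldap/"`) while the Debian one in `roles/ldapserver/vars/Debian.yml` does not (`"/usr/lib/ldap"`); slapd should accept either, but one convention across both files avoids surprises.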
diff --git a/roles/ldapserver/vars/CentOS.yml b/roles/ldapserver/vars/CentOS.yml
index 38cf871d127b1287cf0811c4f34f4e4601717630..7159629c2947b81c5502b014b053e4a09c1b4970 100644
--- a/roles/ldapserver/vars/CentOS.yml
+++ b/roles/ldapserver/vars/CentOS.yml
@@ -2,3 +2,4 @@
   ldapcert: /etc/openldap/certs/ldapcert.pem
   ldapkey: /etc/openldap/certs/ldapkey.pem
   cacert: /etc/openldap/certs/cacert.pem
+  module_path: "/usr/lib64/openldap/"
diff --git a/roles/ldapserver/vars/Debian.yml b/roles/ldapserver/vars/Debian.yml
index 1ffc4bc610bd2b7ab855c8ea85e5deec04db977f..7732d830f30bc489eba194ce251fcf02157542dc 100644
--- a/roles/ldapserver/vars/Debian.yml
+++ b/roles/ldapserver/vars/Debian.yml
@@ -2,3 +2,4 @@
   ldapcert: /etc/ldap/certs/ldapcert.pem
   ldapkey: /etc/ldap/certs/ldapkey.pem
   cacert: /etc/ldap/certs/cacert.pem
+  module_path: "/usr/lib/ldap"
diff --git a/roles/shibboleth-sp/tasks/shibbolethConfig.yml b/roles/shibboleth-sp/tasks/shibbolethConfig.yml
index bc339ba568fc596b8a5f2840d65752c50af15642..9b12bff3167b250622bcc41f4126fca5a9c88b94 100644
--- a/roles/shibboleth-sp/tasks/shibbolethConfig.yml
+++ b/roles/shibboleth-sp/tasks/shibbolethConfig.yml
@@ -1,10 +1,9 @@
 ---
 -
  name: "Copying the shibboleth files"
- template: src=files/{{ item.src }} dest="/etc/shibboleth/{{ item.dest }}" mode=0644
- sudo: true
+ template: src=files/{{ item.src }} dest="{{ item.dest }}" mode=0644
  with_items: shibboleth_file
- when: shibboleth_file is defined
+ sudo: true
 
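Review bot: The `when: shibboleth_file is defined` guard on `Copying the shibboleth files` is removed, so on a host where that variable is unset the loop now errors out instead of skipping; if the variable is mandatory for this role that is fine, otherwise keep the guard. With the destination changed from a fixed `/etc/shibboleth/` prefix to `dest="{{ item.dest }}"`, the items now control absolute paths and every file is installed with `mode=0644` — if any item is the SP private key (`x509_key_file` is referenced later in this file), it needs its own entry with a restrictive mode. As in the ldapserver role, `template` interprets Jinja markup inside the copied files; `copy` is the module for verbatim files.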
 - 
   name: "Setting shibboleth2.xml sp.example.org"
@@ -28,7 +27,7 @@
   args:
    dest: /etc/shibboleth/shibboleth2.xml 
    regexp: 'handlerSSL="false"' 
-   replace: 'handlerSSL="true"   handlerURL="https://{{ ansible_fqdn }}/Shibboleth.sso"' 
+   replace: 'handlerSSL="true"   handlerURL="https://{{ ansible_hostname }}.{{ domain }}/Shibboleth.sso"' 
    
 
 - 
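Review bot: `handlerURL="https://{{ ansible_hostname }}.{{ domain }}/Shibboleth.sso"` now depends on a `domain` variable that is not defined anywhere in this diff; if it is undefined the rendered handler URL has an empty domain component and the SP's handler endpoint breaks. The host name embedded here must also match the subject of the certificate the SP presents over HTTPS (`x509_common_name` is used for the certificate path later in this file), so deriving both from the same variable keeps them in sync. The enclosing `replace` task starts before this hunk.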
@@ -101,7 +100,16 @@
   args:
    dest: /etc/shibboleth/shibboleth2.xml 
    regexp: '<CredentialResolver type="File" key="sp-key.pem" certificate="sp-cert.pem"/>' 
-   replace: '<CredentialResolver type="File" key="{{ x509_key_file }}" certificate="{{ x509_cert_file }}"/>'
+   replace: '<CredentialResolver type="File" key="{{ x509_key_file }}" certificate="{{ x509_cert_path }}/{{ x509_common_name }}.cert"/>'
+
+- 
+ name: "fix directory access permission"
+ file: path={{ x509_key_file | dirname }} owner=root group=_shibd state=directory mode=750
+ sudo: true
+- 
+ name: "fix key access permission"
+ file: path={{ x509_key_file }} owner=root group=_shibd mode=644
+ sudo: true
 
 -
  name: "Templating attribute-map.xml"
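Review bot: `fix key access permission` sets the SP private key `{{ x509_key_file }}` to `mode=644`, which leaves it world-readable; with owner root and group `_shibd` the daemon only needs group read, so `mode=640` is the correct setting and matches the `750` already applied to the directory. `group=_shibd` is the Debian/Ubuntu account name; on RHEL-family hosts the shibd group is `shibd`, so if this role targets both families (the repository carries CentOS vars for other roles) the group should come from an OS-specific variable. The `CredentialResolver` replace now uses `x509_cert_path` and `x509_common_name`, whereas the deleted ldapserver meta used `x509_cert_file` — confirm the new names are defined for this role, since an undefined variable here renders an empty path into shibboleth2.xml.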