diff --git a/pottwal.yml b/pottwal.yml
index c6cc998..20ad29f 100644
--- a/pottwal.yml
+++ b/pottwal.yml
@@ -23,6 +23,10 @@
     hedgedoc_host_port: 8084
     hedgedoc_image: quay.io/hedgedoc/hedgedoc:1.9.3
 
+    openldap_image_version: 1.5.0
+    openldap_data: "{{ data_dir }}/openldap"
+    openldap_domain: "ldap.n39.eu"
+
   roles:
     - role: docker_setup
       vars:
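Review bot: `openldap_image_version: 1.5.0` is parsed as a string only because the tag has two dots; a future bump to a two-component tag such as `1.6` would become the float `1.6`, and `1.10` would collapse to `1.1` before it reaches the `osixia/openldap:` image reference. Quote it as `openldap_image_version: "1.5.0"`, which also matches the quoting already used for `openldap_data` and `openldap_domain` on the following lines.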
@@ -261,4 +265,41 @@
         site_name: pad.n39.eu
         proxy_port: "{{ hedgedoc_host_port }}"
 
+    - name: Setup dehydrated challenge endpoint for {{ openldap_domain }}
+      include_role:
+        name: setup-http-dehydrated
+      vars:
+        site_name: "{{ openldap_domain }}"
+
+    - name: Ensure openLDAP directories are present.
+      file:
+        path: "{{ item }}"
+        state: directory
+      with_items:
+        - "{{ openldap_data }}/database"
+        - "{{ openldap_data }}/config"
+        - "{{ dehydrated_certs_dir }}/certs/{{ openldap_domain }}"
+
+    - name: Ensure container for openLDAP is running.
+      docker_container:
+        name: openLDAP
+        image: "osixia/openldap:{{ openldap_image_version }}"
+        pull: true
+        state: started
+        detach: yes
+        ports:
+          - "389:389" # unencrypted/STARTTLS
+          - "636:636" # SSL
+        volumes:
+          - "{{ openldap_data }}/database:/var/lib/ldap"
+          - "{{ openldap_data }}/config:/etc/ldap/slapd.d"
+          - "{{ dehydrated_certs_dir }}/certs/{{ openldap_domain }}:/container/service/slapd/assets/certs"
+        env:
+          LDAP_ORGANISATION: "Netz39 e.V."
+          LDAP_DOMAIN: "{{ openldap_domain }}"
+          LDAP_ADMIN_PASSWORD: "{{ ldap_admin_password }}"
+          LDAP_TLS_CRT_FILENAME: "cert.pem"
+          LDAP_TLS_KEY_FILENAME: "key.pem"
+        restart_policy: unless-stopped
+
   handlers:
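Review bot: The `docker_container` task under `Ensure container for openLDAP is running.` passes `{{ ldap_admin_password }}` through `env` without `no_log: true`, so the rendered module arguments, admin password included, are printed in verbose runs and in that task's failure output; add `no_log: true` at the task level, and keep in mind that the value also stays readable on the host through the container's environment. The TLS file names look inconsistent with the dehydrated role the task depends on: dehydrated's default private-key output is `privkey.pem`, not `key.pem`, and the image's default CA file name (`LDAP_TLS_CA_CRT_FILENAME`, `ca.crt`) is not among dehydrated's outputs either, so unless `setup-http-dehydrated` renames them slapd will not find its key — set `LDAP_TLS_KEY_FILENAME: "privkey.pem"` and `LDAP_TLS_CA_CRT_FILENAME: "chain.pem"` (or whatever that role actually writes). `"389:389"` publishes the plaintext/STARTTLS port on every host interface, and Docker-published ports are typically reachable regardless of host-level INPUT firewall rules; if only services on this host need it, bind it as `"127.0.0.1:389:389"`, otherwise a comment stating that external access on 389 is intended would help the next reader. `detach: yes` should be `detach: true` to match `pull: true` two lines above and yamllint's `truthy` rule, and the inline comments on the `ports` entries need two spaces before `#`.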