diff --git a/group_vars/all b/group_vars/all
index f02a1e7..3d64938 100644
--- a/group_vars/all
+++ b/group_vars/all
@@ -1,6 +1,6 @@
 ---
 
-ldap_ca: /etc/BKCA.crt
+ldap_ca: /etc/ldap/ssl/BKCA.crt
 ldap_uri: ldaps://ldap.binary.kitchen/
 ldap_host: ldap.binary.kitchen
 ldap_base: dc=binary-kitchen,dc=de
diff --git a/roles/common/tasks/Debian.yml b/roles/common/tasks/Debian.yml
index c160fe9..8d2ba3c 100644
--- a/roles/common/tasks/Debian.yml
+++ b/roles/common/tasks/Debian.yml
@@ -18,6 +18,7 @@
   with_items:
   - dnsutils
   - htop
+  - openssl
   - pydf
   - sudo
   - vim-nox
@@ -34,5 +35,8 @@
 - name: Set shell for root user
   user: name=root shell=/bin/zsh
 
+- name: Create LDAP certificate directory
+  file: path=/etc/ldap/ssl state=directory
+
 - name: Copy LDAP certificate
-  copy: src=BKCA.crt dest=/etc/BKCA.crt
+  copy: src=BKCA.crt dest=/etc/ldap/ssl/BKCA.crt mode=0444
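Review bot: The destination `/etc/ldap/ssl/BKCA.crt` is hardcoded here while group_vars/all now defines the same path as `ldap_ca`, so the two can silently diverge on the next move; use `copy: src=BKCA.crt dest={{ ldap_ca }} mode=0444` so the slapd template and the copied file always agree. The new directory task also sets no mode or owner, so the permissions of `/etc/ldap/ssl` depend on the remote umask; since the ldap-server role later writes a private key into that directory, pin it with `file: path=/etc/ldap/ssl state=directory owner=root group=root mode=0755`. The 0444 mode on the CA certificate itself is fine, it is public material.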
diff --git a/roles/common/tasks/FreeBSD.yml b/roles/common/tasks/FreeBSD.yml
index 00e61f6..f21d60a 100644
--- a/roles/common/tasks/FreeBSD.yml
+++ b/roles/common/tasks/FreeBSD.yml
@@ -26,5 +26,8 @@
   - { src: '.zshrc.local', dest: '/root/.zshrc.local' }
   - { src: 'prompt_gentoo_setup', dest: '/usr/local/share/zsh/5.2/functions/Prompts/prompt_gentoo_setup' }
 
+- name: Create LDAP certificate directory
+  file: path=/etc/ldap/ssl state=directory
+
 - name: Copy LDAP certificate
-  copy: src=BKCA.crt dest=/etc/BKCA.crt
+  copy: src=BKCA.crt dest=/etc/ldap/ssl/BKCA.crt mode=0444
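Review bot: Same duplication as in the Debian task: the path `/etc/ldap/ssl/BKCA.crt` is spelled out here although `ldap_ca` in group_vars/all already holds it, so prefer `copy: src=BKCA.crt dest={{ ldap_ca }} mode=0444`. The directory task carries no `mode`/`owner`, leaving the result to the remote umask; `file: path=/etc/ldap/ssl state=directory owner=root group=wheel mode=0755` makes it explicit (FreeBSD's root group is `wheel`, unlike Debian). Note that this role does not add an openssl package for FreeBSD as the Debian task does; the base system normally ships OpenSSL, but if the ldap-server role is ever run on FreeBSD its `openssl req` task relies on that assumption.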
diff --git a/roles/ldap-server/files/schema/kitchen.schema b/roles/ldap-server/files/schema/kitchen.schema
index f70dae1..02bd189 100644
--- a/roles/ldap-server/files/schema/kitchen.schema
+++ b/roles/ldap-server/files/schema/kitchen.schema
@@ -6,12 +6,17 @@
 # attribute type definitions
 
 attributetype ( 23.42.1.1 NAME 'mailAlternateAddress'
-	DESC 'Secondary (alias) Aail Address'
-	SUP mail )
+	SUBSTR caseIgnoreSubstringsMatch
+	DESC 'Secondary (alias) mailaddresses for the same user'
+	EQUALITY caseIgnoreIA5Match
+	SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
 
 attributetype ( 23.42.1.2 NAME 'rewMailAddress'
+	SUBSTR caseIgnoreSubstringsMatch
 	DESC 'Rewritten Mail Address'
-	SUP mail )
+	EQUALITY caseIgnoreIA5Match
+	SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
+	SINGLE-VALUE )
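Review bot: Both new attribute types combine an IA5 String syntax (`1.3.6.1.4.1.1466.115.121.1.26`) and `EQUALITY caseIgnoreIA5Match` with `SUBSTR caseIgnoreSubstringsMatch`, which is the substring rule for Directory String; the IA5 counterpart is `caseIgnoreIA5SubstringsMatch`, and slapd's schema check may refuse to load a rule whose syntax does not match the attribute's, so change both to `SUBSTR caseIgnoreIA5SubstringsMatch`. That is also the pairing the core `mail` attribute uses, which these two previously inherited through `SUP mail`. Dropping `SUP mail` additionally loses the length bound `mail` carries; if it is wanted, write `SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{256}` on both definitions. The `DESC` text on the first attribute should also read "mail addresses" rather than "mailaddresses".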
 
 # object class definitions
 
@@ -19,5 +24,4 @@ objectclass ( 23.42.2.1 NAME 'kitchenUser'
 	DESC 'Binary Kitchen User'
 	SUP top AUXILIARY
 	MUST ( mail $ uid )
-	MAY ( mailAlternateAddress $ rewMailAddress )
-)
+	MAY ( mailAlternateAddress $ rewMailAddress ) )
diff --git a/roles/ldap-server/tasks/main.yml b/roles/ldap-server/tasks/main.yml
index f3b468b..0571726 100644
--- a/roles/ldap-server/tasks/main.yml
+++ b/roles/ldap-server/tasks/main.yml
@@ -26,6 +26,11 @@
   notify: Restart slapd
   tags: ldap
 
+- name: Ensure certificates are available
+  command: openssl req -x509 -nodes -newkey rsa:2048 -keyout /etc/ldap/ssl/ldapm.key -out /etc/ldap/ssl/ldapm.crt -days 730 -subj "/CN=ldapm.binary.kitchen" creates=/etc/ldap/ssl/ldapm.crt
+  notify: Restart slapd
+  tags: nginx
+
 - name: Start slapd
   service: name=slapd state=started enabled=yes
   tags: ldap
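Review bot: The private key written by `openssl req -nodes -keyout /etc/ldap/ssl/ldapm.key` gets the mode the remote umask allows, which is typically world-readable, and nothing in this hunk tightens it afterwards; add a `file` task that sets the key to `0640` owned by root and readable by the slapd service group (on Debian that is presumably `openldap`; confirm against the packaged unit). The task is tagged `nginx` although every neighbouring task in this file uses `tags: ldap`, so a `--tags ldap` run would start slapd without ever generating its certificate. Two further points I cannot settle from here: the subject is `CN=ldapm.binary.kitchen` while group_vars/all points clients at `ldap.binary.kitchen`, so name verification may fail unless clients use the `ldapm` name, and a self-signed certificate will not chain to the `BKCA.crt` that is distributed as `ldap_ca` unless that file is in fact this same certificate. Finally, `creates=` means the certificate is never regenerated after its 730 days expire; that is acceptable for a bootstrap but worth a comment.
```yaml
- name: Ensure certificates are available
  command: openssl req -x509 -nodes -newkey rsa:2048 -keyout /etc/ldap/ssl/ldapm.key -out /etc/ldap/ssl/ldapm.crt -days 730 -subj "/CN={{ ldap_host }}" creates=/etc/ldap/ssl/ldapm.crt
  notify: Restart slapd
  tags: ldap

# The key is written with the process umask; restrict it before slapd reads it.
- name: Restrict access to the LDAP private key
  file: path=/etc/ldap/ssl/ldapm.key owner=root group=openldap mode=0640
  notify: Restart slapd
  tags: ldap
```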
diff --git a/roles/ldap-server/templates/slapd.conf.j2 b/roles/ldap-server/templates/slapd.conf.j2
index cdeca8d..cc58bac 100644
--- a/roles/ldap-server/templates/slapd.conf.j2
+++ b/roles/ldap-server/templates/slapd.conf.j2
@@ -62,7 +62,7 @@ access to *
 TLSCertificateFile	/etc/ldap/ssl/ldapm.crt
 TLSCertificateKeyFile	/etc/ldap/ssl/ldapm.key
 TLSCACertificateFile	{{ ldap_ca }}
-TLSCipherSuite		TLSv1+RSA:!NULL
+TLSCipherSuite		NORMAL
 TLSVerifyClient		never