diff --git a/dicos/99_one-frontend.xml b/dicos/99_one-frontend.xml
index ce6cdbf..afd5021 100644
--- a/dicos/99_one-frontend.xml
+++ b/dicos/99_one-frontend.xml
@@ -3,6 +3,7 @@
     <files>
         <service type='service'>opennebula-sunstone</service>
         <file filelist='onefrontend' name='/etc/one/sunstone-server.conf' rm='True' mkdir='True'/>
+        <file filelist='onefrontend' name='/etc/one/auth/ldap_auth.conf' source='sunstone-ldap_auth.conf' rm='True' mkdir='True'/>
         <service_access service='sunstone'>
             <port port_type="SymLinkOption">port_sunstone</port>
             <port port_type="SymLinkOption">vnc_proxy_port_sunstone</port>
@@ -26,9 +27,7 @@
             <variable name='langue_sunstone' type='string' description="Langue par défaut de l'interface" mode='expert'>
                 <value>fr_FR</value>
             </variable>
-            <variable name='sunstone_auth' type='string' description="Mode d'authentification des utilisateurs" mode='expert'>
-                <value>sunstone</value>
-            </variable>
+            <variable name='sunstone_auth_modes' type='string' description="Modes supplémentaires d'authentification des utilisateurs" mode='expert' multi='True' />
         </family>
     </variables>
 
@@ -36,6 +35,9 @@
         <fill name='calc_val' target='ip_sunstone'>
             <param type='eole' name='valeur'>adresse_ip_eth0</param>
         </fill>
+        <check name='valid_enum' target='sunstone_auth_modes'>
+            <param>['ldap']</param>
+        </check>
         <condition name='disabled_if_in' source='activer_onefrontend'>
             <param>non</param>
             <!--target type='filelist'>onefrontend</target-->
diff --git a/tmpl/sunstone-ldap_auth.conf b/tmpl/sunstone-ldap_auth.conf
new file mode 100644
index 0000000..9929e54
--- /dev/null
+++ b/tmpl/sunstone-ldap_auth.conf
@@ -0,0 +1,36 @@
+%if 'ldap' in %%getVar('sunstone_auth_modes')
+server 1:
+    # Ldap user able to query, if not set connects as anonymous. For
+    # Active Directory append the domain name. Example:
+    # Administrator@my.domain.com
+    #:user: 'admin'
+    #:password: 'password'
+
+    # Ldap authentication method
+
+    # Ldap server
+    :host: %%adresse_ip_ldap
+%if %%getVar('ldap_tls', 'non') == 'oui'
+    :auth_method: :simple_tls
+    :port: 636
+%else
+    :auth_method: :simple
+    :port: 389
+%end if
+
+    # base hierarchy where to search for users and groups
+    :base: %%ldap_base_dn
+
+    # group the users need to belong to. If not set any user will do
+    #:group: 'cn=cloud,ou=groups,dc=domain'
+
+    # field that holds the user name, if not set 'cn' will be used
+    :user_field: 'uid'
+
+    # for Active Directory use this user_field instead
+    #:user_field: 'sAMAccountName'
+
+# List the order the servers are queried
+:order:
+    - server 1
+%end if
diff --git a/tmpl/sunstone-server.conf b/tmpl/sunstone-server.conf
index d3022bc..cb2627e 100644
--- a/tmpl/sunstone-server.conf
+++ b/tmpl/sunstone-server.conf
@@ -65,7 +65,11 @@
 #   driver defined for the user
 #
 #:auth: sunstone
-:auth: %%sunstone_auth
+%if %%getVar('sunstone_auth_modes', []) == []
+:auth: sunstone
+%else
+:auth: opennebula
+%end if
 
 # Authentication driver to communicate with OpenNebula core
 #   cipher, for symmetric cipher encryption of tokens