diff --git a/roles/sssd/defaults/main.yml b/roles/sssd/defaults/main.yml
new file mode 100644
index 0000000000000000000000000000000000000000..50943f8dfa397875742595aa7eaf6fd861fe907c
--- /dev/null
+++ b/roles/sssd/defaults/main.yml
@@ -0,0 +1,12 @@
+---
+sssd_conf: /etc/sssd/sssd.conf
+sssd_packages: sssd
+sssd_domains:
+sssd_id_provider:
+sssd_auth_provider:
+sssd_access_provider:
+sssd_chpass_provider:
+sssd_cache_credentials: False
+sssd_krb5_store_password_if_offline: False
+sssd_ipa_servers:
+sssd_services:
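Review bot: The bare keys `sssd_domains:`, `sssd_id_provider:`, `sssd_auth_provider:`, `sssd_access_provider:`, `sssd_chpass_provider:`, `sssd_ipa_servers:` and `sssd_services:` parse as null, so a host that forgets to set one still renders a config (the template emits `None` into sssd.conf and `sssd_services.split` fails on null) instead of failing early; declare them explicitly (`sssd_domains: null` or an empty `sssd_ipa_servers: []`) or omit them and let the template's undefined-variable check catch the gap. `sssd_packages: sssd` is a scalar here but a list in vars/default.yml, and the install task iterates it with `with_items`; make the default a list too, `sssd_packages: [sssd]`, so both files agree. The two `False` values should be lowercase `false` to match yamllint's truthy rule and Ansible's usual style, e.g. `sssd_cache_credentials: false`.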
diff --git a/roles/sssd/meta/main.yml b/roles/sssd/meta/main.yml
new file mode 100644
index 0000000000000000000000000000000000000000..d5390a6f5fd56ce699c2f6100b316ca4c4ee6def
--- /dev/null
+++ b/roles/sssd/meta/main.yml
@@ -0,0 +1,12 @@
+galaxy_info:
+  author: Thomas Woerner
+  description: A role to configure sssd for IPA
+  company: Red Hat, Inc
+
+  license: GPLv2+
+
+  min_ansible_version: 2.0
+
+  galaxy_tags: [ 'identity', 'ipa']
+
+dependencies: []
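Review bot: `min_ansible_version: 2.0` is an unquoted float, which is harmless at 2.0 but will silently become `2.1` the day someone writes `2.10`; quote it now, `min_ansible_version: "2.0"`, so the convention is already in place. The flow list `[ 'identity', 'ipa']` has uneven spacing; write it `['identity', 'ipa']`. The file also lacks the `---` document-start marker that defaults/main.yml and tasks/main.yml use.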
diff --git a/roles/sssd/tasks/main.yml b/roles/sssd/tasks/main.yml
new file mode 100644
index 0000000000000000000000000000000000000000..30d4c4ef02c9bbb11781684e7876577588ea3b9e
--- /dev/null
+++ b/roles/sssd/tasks/main.yml
@@ -0,0 +1,26 @@
+---
+- name: Install {{ sssd_packages }}
+  package: name="{{ item }}" state=present
+  with_items: "{{ sssd_packages }}"
+
+# No backup in ipa-client-install mode
+#- name: Backup {{ sssd_conf }}
+#  copy:
+#    src: "{{ sssd_conf }}"
+#    dest: "{{ sssd_conf }}.bkp"
+#    force: no
+
+- name: Template sssd.conf
+  template:
+    src: sssd.conf.j2
+    dest: /etc/sssd/sssd.conf
+    backup: yes
+    owner: root
+    group: root
+    mode: 0600
+
+- name: Enable and start sssd
+  service:
+    name: sssd
+    state: restarted
+    enabled: yes
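Review bot: The final task uses `state: restarted`, so sssd is restarted on every run of the role even when sssd.conf is unchanged, which briefly interrupts identity lookups on each play; use `state: started` here and move the restart into a handler triggered by `notify` from the template task. The template task hardcodes `dest: /etc/sssd/sssd.conf` although `sssd_conf` exists in defaults for exactly that path; use `dest: "{{ sssd_conf }}"` so the two cannot drift, and the same applies to the hardcoded service name if `sssd_packages` is meant to be configurable. The install task uses the `key=value` string form (`package: name="{{ item }}" state=present`); write it as block YAML (`name: "{{ item }}"`, `state: present`), and `backup: yes` / `enabled: yes` should be `true`, with `mode: "0600"` quoted so the octal is not reinterpreted by the YAML parser.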
diff --git a/roles/sssd/templates/sssd.conf.j2 b/roles/sssd/templates/sssd.conf.j2
new file mode 100644
index 0000000000000000000000000000000000000000..f37bb665468b82205eb1b5927a27d0ccde70c93f
--- /dev/null
+++ b/roles/sssd/templates/sssd.conf.j2
@@ -0,0 +1,34 @@
+[domain/{{ sssd_domains }}]
+cache_credentials = {{ sssd_cache_credentials }}
+krb5_store_password_if_offline = {{ sssd_krb5_store_password_if_offline }}
+ipa_domain = {{ sssd_domains }}
+id_provider = {{ sssd_id_provider }}
+auth_provider = {{ sssd_auth_provider }}
+access_provider = {{ sssd_access_provider }}
+ipa_hostname = {{ ansible_host }}
+chpass_provider = {{ sssd_chpass_provider }}
+{% if sssd_on_master %}
+ipa_server = {{ sssd_ipa_servers | join(", ") }}
+ipa_server_mode = True
+{% else %}
+{% if sssd_domains != ansible_domain %}
+dns_discovery_domain = sssd_domains
+{% endif %}
+ipa_server = _srv_, {{ sssd_ipa_servers | join(", ")}}
+{% endif %}
+ldap_tls_cacert = /etc/ipa/ca.crt
+
+{% if sssd_on_master %}
+{%   set sssd_services = sssd_services + ", ifp" %}
+{% endif %}
+[sssd]
+services = {{ sssd_services }}
+domains = {{ sssd_domains }}
+
+{% for service in sssd_services.split(',') %}
+[{{ service | trim }}]
+{% if service | trim == "nss" %}
+homedir_substring = /home
+{% endif %}
+
+{% endfor %}
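Review bot: `dns_discovery_domain = sssd_domains` is missing its Jinja braces and will write the literal text `sssd_domains` into sssd.conf, so DNS discovery for a non-default domain is misconfigured on every client; it should be `dns_discovery_domain = {{ sssd_domains }}`. `sssd_on_master` is referenced in two conditionals but is not declared in defaults/main.yml, so rendering fails with an undefined-variable error unless the caller sets it — add `sssd_on_master: false` to the defaults. `ipa_hostname = {{ ansible_host }}` uses the inventory connection address, which may be an IP or a short alias rather than the host's FQDN that IPA expects; `ansible_fqdn` is presumably the intended value, worth confirming against the enrollment flow.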
diff --git a/roles/sssd/vars/default.yml b/roles/sssd/vars/default.yml
new file mode 100644
index 0000000000000000000000000000000000000000..9f0ad83b580e5f832bcacfb10a7d77f358bd5d62
--- /dev/null
+++ b/roles/sssd/vars/default.yml
@@ -0,0 +1,4 @@
+sssd_packages:
+ - sssd
+ - sssd-ipa
+ - sssd-krb5
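Review bot: Ansible only loads a role's vars/main.yml automatically, so vars/default.yml is not read unless an `include_vars` task pulls it in, and none is visible in tasks/main.yml; as committed, the install task sees the scalar `sssd_packages: sssd` from defaults and never installs sssd-ipa or sssd-krb5. Either rename this file to vars/main.yml, add an `include_vars` step, or fold the list into defaults/main.yml. The sequence is indented by a single space, which is valid but inconsistent with the two-space indent used elsewhere in the role; also add the `---` document start.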