diff --git a/Bundler/ldap.xml b/Bundler/ldap.xml index 85be8de..77d884d 100644 --- a/Bundler/ldap.xml +++ b/Bundler/ldap.xml @@ -1,20 +1,12 @@ - + - - - - - - - - + + + - - - - diff --git a/Bundler/nss.xml b/Bundler/nss.xml new file mode 100644 index 0000000..6ba6522 --- /dev/null +++ b/Bundler/nss.xml @@ -0,0 +1,11 @@ + + + + + + + + + + + diff --git a/Bundler/pam.xml b/Bundler/pam.xml new file mode 100644 index 0000000..c20b638 --- /dev/null +++ b/Bundler/pam.xml @@ -0,0 +1,16 @@ + + + + + + + + + + + + + + + + diff --git a/Bundler/ssh.xml b/Bundler/ssh.xml index e1a8a3e..d792d6f 100644 --- a/Bundler/ssh.xml +++ b/Bundler/ssh.xml @@ -1,5 +1,7 @@ + diff --git a/Bundler/sudo.xml b/Bundler/sudo.xml index 2aa3be6..227c6ab 100644 --- a/Bundler/sudo.xml +++ b/Bundler/sudo.xml @@ -1,4 +1,6 @@ - - + diff --git a/Metadata/groups.xml b/Metadata/groups.xml index b65cd28..b6f9d12 100644 --- a/Metadata/groups.xml +++ b/Metadata/groups.xml @@ -133,10 +133,8 @@ - + + @@ -145,6 +143,7 @@ + 
@@ -345,18 +344,13 @@ - + - + /etc/libnss-ldap.secret' instead
+@# of an editor to create the file.
+%rootbinddn secrets.ldap_readonly_auth_dn
+
+@# The LDAP version to use (defaults to 3
+@# if supported by client library)
+%ldap_version 3
+
+@# Search timelimit
+%timelimit 5
+
+@# Bind/connect timelimit
+%bind_timelimit 5
+
+@# +------------------+
+@# | Bases de données |
+@# +------------------+
+
+# On n'utilise ldap pour résoudre les bases de données
+# passwd, group et shadow
+if has("users"):
+ # Sur le serveur des adhérents, on veut que tout
+ # les adhérents soit reconnus comme utilisateurs locaux
+ %nss_base_passwd "ou=data,dc=crans,dc=org?one"
+else:
+ # Sur les autres serveurs on filtre pour que seuls
+ # les nounous et les apprentis le soit.
+ # Il est important de mettre ce filtrage au niveau de
+ # libnss-ldap et pam-ldap car ssh utilise pam pour les
+ # mots de passe mais pour l'authentification par clés
+ # il n'utilise que nss
+ %nss_base_passwd "ou=data,dc=crans,dc=org?one?|(droits=Nounou)(droits=Apprenti)"
+%nss_base_shadow "ou=data,dc=crans,dc=org?one"
+%nss_base_group "ou=Group,dc=crans,dc=org?one"
diff --git a/Python/etc/libnss-ldap.secret b/Python/etc/libnss-ldap.secret
new file mode 100644
index 0000000..f4d13e1
--- /dev/null
+++ b/Python/etc/libnss-ldap.secret
@@ -0,0 +1,8 @@
+# -*- mode: python; coding: utf-8 -*-
+
+include("secrets")
+
+if has("db-main"):
+ print secrets.ldap_password
+else:
+ print secrets.ldap_readonly_password
diff --git a/Python/etc/nsswitch.conf b/Python/etc/nsswitch.conf
new file mode 100644
index 0000000..97a9a19
--- /dev/null
+++ b/Python/etc/nsswitch.conf
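Review bot: The generated /etc/libnss-ldap.secret contains a bind password in clear, so the bundle entry that installs it must pin owner root and mode 0600; Bundler/nss.xml is not readable in this view, so that is worth confirming there. The `db-main` branch prints `secrets.ldap_password`, presumably the counterpart of the full-rights `secrets.ldap_auth_dn` used in pam_ldap.conf, although NSS lookups only need read access; printing `secrets.ldap_readonly_password` in both branches would keep the privileged credential out of a second file. The `has("db-main")` test here must also match the rootbinddn chosen in libnss-ldap.conf, whose leading lines are cut off in this diff, otherwise the DN and the password no longer pair up.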
@@ -0,0 +1,29 @@
+# -*- mode: python; coding: utf-8 -*-
+
+header("""
+Fichier de configuration des bases de donnees systemes (System
+Databases) et du service de noms (Name Service Switch).
+""")
+
+if has("ldap"):
+ db="ldap"
+
+def database(name, res):
+ print name + ": " + " ".join(res)
+
+@# On utilise la base de donnee du crans pour tout ce qui est
+@# compte unix
+database("passwd", ["files", db])
+database("group", ["files", db])
+database("shadow", ["files", db])
+@
+database("hosts", ["files", "dns"])
+database("networks", ["files"])
+@
+database("protocols", ["db", "files"])
+database("services", ["db", "files"])
+@
+database("ethers", ["db", "files"])
+database("rpc", ["db", "files"])
+@
+database("netgroup", ["nis"])
diff --git a/Python/etc/pam.d/common-account b/Python/etc/pam.d/common-account
new file mode 100644
index 0000000..55192b4
--- /dev/null
+++ b/Python/etc/pam.d/common-account
@@ -0,0 +1,15 @@
+# -*- mode: python; coding: utf-8 -*-
+
+include("pam")
+
+header("""
+/etc/pam.d/common-account - authorization settings common to all services
+
+This file is included from other service-specific PAM config files,
+and should contain a list of the authorization modules that define
+the central access policy for use on the system. The default is to
+only deny service to users whose accounts are expired in /etc/shadow.
+""")
+
+print "account sufficient %s" % pam_module
+print "account required pam_unix.so use_first_pass"
diff --git a/Python/etc/pam.d/common-auth b/Python/etc/pam.d/common-auth
new file mode 100644
index 0000000..aa98328
--- /dev/null
+++ b/Python/etc/pam.d/common-auth
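Review bot: `db` is bound only inside `if has("ldap"):`, so on a host outside the ldap group the first `database("passwd", ["files", db])` raises NameError and no nsswitch.conf is rendered. Give it a value in both cases and keep the ldap source optional, e.g. `unix_sources = ["files", "ldap"] if has("ldap") else ["files"]` followed by `database("passwd", unix_sources)` for the three account databases. `netgroup: nis` is emitted on every host; if none of them runs NIS, `files` avoids pointing the resolver at a source that is never available.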
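Review bot: On a host outside the ldap group `pam_module` is the empty string (etc/python/pam.py, last hunk of this diff), so `print "account sufficient %s" % pam_module` writes `account sufficient ` with no module path, a broken stack entry that libpam will at best log on every authentication. Guard the line, `if pam_module: print "account sufficient %s" % pam_module`, or have pam.py leave `pam_module` undefined and test `has("ldap")` in the templates. The same pattern appears in common-auth, common-password and common-session.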
@@ -0,0 +1,16 @@
+# -*- mode: python; coding: utf-8 -*-
+
+include("pam")
+
+header("""
+/etc/pam.d/common-auth - authentication settings common to all services
+
+This file is included from other service-specific PAM config files,
+and should contain a list of the authentication modules that define
+the central authentication scheme for use on the system
+(e.g., /etc/shadow, LDAP, Kerberos, etc.). The default is to use the
+traditional Unix authentication mechanisms.
+""")
+
+print "auth sufficient %s" % pam_module
+print "auth required pam_unix.so nullok_secure use_first_pass"
diff --git a/Python/etc/pam.d/common-password b/Python/etc/pam.d/common-password
new file mode 100644
index 0000000..6368237
--- /dev/null
+++ b/Python/etc/pam.d/common-password
@@ -0,0 +1,30 @@
+# -*- mode: python; coding: utf-8 -*-
+
+include("pam")
+
+header("""
+/etc/pam.d/common-password - password-related modules common to all services
+
+This file is included from other service-specific PAM config files,
+and should contain a list of modules that define the services to be
+used to change user passwords. The default is pam_unix
+""")
+
+@# The "nullok" option allows users to change an empty password, else
+@# empty passwords are treated as locked accounts.
+@#
+@# (Add `md5' after the module name to enable MD5 passwords)
+@#
+@# The "obscure" option replaces the old `OBSCURE_CHECKS_ENAB' option in
+@# login.defs. Also the "min" and "max" options enforce the length of the
+@# new password.
+
+print "password sufficient %s ignore_unknown_user md5 try_first_pass" % pam_module
+print "password required pam_unix.so nullok obscure min=4 max=8 md5 try_first_pass"
+
+@# Alternate strength checking for password. Note that this
+@# requires the libpam-cracklib package to be installed.
+@# You will need to comment out the password line above and
+@# uncomment the next two in order to use this.
+@# (Replaces the `OBSCURE_CHECKS_ENAB', `CRACKLIB_DICTPATH')
+
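Review bot: The pam_unix line in common-password stores new local passwords as `md5` hashes and `nullok` lets a user set an empty one; if the pam_unix on the target release accepts `sha512`, `print "password required pam_unix.so obscure min=4 max=8 sha512 try_first_pass"` gives stronger stored hashes and no empty passwords. The trailing comment block about cracklib, copied from the Debian default, describes lines this template never emits and can be dropped so the rendered file does not invite an edit that Bcfg2 would overwrite.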
diff --git a/Python/etc/pam.d/common-session b/Python/etc/pam.d/common-session
new file mode 100644
index 0000000..b04a75c
--- /dev/null
+++ b/Python/etc/pam.d/common-session
@@ -0,0 +1,16 @@
+# -*- mode: python; coding: utf-8 -*-
+
+include("pam")
+
+header("""
+/etc/pam.d/common-session - session-related modules common to all services
+
+This file is included from other service-specific PAM config files,
+and should contain a list of modules that define tasks to be performed
+at the start and end of sessions of *any* kind (both interactive and
+non-interactive). The default is pam_unix.
+""")
+
+print "session sufficient %s" % pam_module
+print "session required pam_unix.so"
+print "session required pam_mkhomedir.so"
diff --git a/Python/etc/pam_ldap.conf b/Python/etc/pam_ldap.conf
new file mode 100644
index 0000000..0b5d426
--- /dev/null
+++ b/Python/etc/pam_ldap.conf
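Review bot: `session sufficient pam_ldap.so` ends the stack as soon as pam_ldap succeeds, so for exactly the LDAP users it serves the later `pam_mkhomedir.so` line never runs and no home directory is created on first login. Reorder so the directory module cannot be skipped: `print "session required pam_unix.so"`, `print "session optional %s" % pam_module`, `print "session required pam_mkhomedir.so"`.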
@@ -0,0 +1,87 @@
+# -*- mode: python; coding: utf-8 -*-
+
+include("mode/space")
+include("secrets")
+include("ip")
+
+header("""
+Fichier de configuration de libpam-ldap.
+
+Pour des informations détaillées voir pam_ldap.conf(5)
+""")
+
+@# +----------------------------------------------------+
+@# | Configuration de la communiquation avec le serveur |
+@# +----------------------------------------------------+
+
+@# The distinguished name of the search base.
+%base "dc=crans,dc=org"
+
+if has("db-server"):
+ # Le serveur principale ainsi que les réplica se connectent par
+ # socket unix
+ %uri "ldapi://%2fvar%2frun%2fslapd%2fldapi/"
+else:
+ # Les autres c'est par le réseau
+ %uri "ldap://%s/" % admipof("ldap")
+
+@# The LDAP version to use (defaults to 3
+@# if supported by client library)
+%ldap_version 3
+
+if has("db-main"):
+ @# The distinguished name to bind to the server with
+ @# if the effective user ID is root. Password is
+ @# stored in /etc/ldap.secret (mode 600)
+ %rootbinddn secrets.ldap_auth_dn
+
+else:
+ @# The distinguished name to bind to the server with.
+ @# Optional: default is to bind anonymously.
+ %binddn secrets.ldap_readonly_auth_dn
+
+ @# The credentials to bind with.
+ @# Optional: default is no credential.
+ %bindpw secrets.ldap_readonly_password
+
+@# The port.
+@# Optional: default is 389.
+@#port 389
+
+@# The search scope.
+@#scope sub
+%scope "one"
+@#scope base
+
+if not has("db-main"):
+ @# Search timelimit
+ %timelimit 5
+
+ @# Bind timelimit
+ %bind_timelimit 5
+
+@# Do not hash the password at all; presume
+@# the directory server will do it, if
+@# necessary. This is the default.
+%pam_password "exop"
+
+@# +------------------+
+@# | Bases de données |
+@# +------------------+
+
+# On n'utilise ldap pour résoudre les bases de données
+# passwd, group et shadow
+if has("users"):
+ # Sur le serveur des adhérents, on veut que tout
+ # les adhérents soit reconnus comme utilisateurs locaux
+ %nss_base_passwd "ou=data,dc=crans,dc=org?one"
+else:
+ # Sur les autres serveurs on filtre pour que seuls
+ # les nounous et les apprentis le soit.
+ # Il est important de mettre ce filtrage au niveau de
+ # libnss-ldap et pam-ldap car ssh utilise pam pour les
+ # mots de passe mais pour l'authentification par clés
+ # il n'utilise que nss
+ %nss_base_passwd "ou=data,dc=crans,dc=org?one?|(droits=Nounou)(droits=Apprenti)"
+%nss_base_shadow "ou=data,dc=crans,dc=org?one"
+%nss_base_group "ou=Group,dc=crans,dc=org?one"
diff --git a/Rules/packages-common.xml b/Rules/packages-common.xml
index 717729a..010b159 100644
--- a/Rules/packages-common.xml
+++ b/Rules/packages-common.xml
@@ -12,6 +12,4 @@ - -
diff --git a/Rules/rules.xml b/Rules/rules.xml
index 2298904..20dc95c 100644
--- a/Rules/rules.xml
+++ b/Rules/rules.xml
@@ -37,4 +37,16 @@ + + + + +
diff --git a/TGenshi/etc/ldap/ldap.conf/template.txt b/TGenshi/etc/ldap/ldap.conf/template.txt
deleted file mode 100644
index eab7cd5..0000000
--- a/TGenshi/etc/ldap/ldap.conf/template.txt
+++ /dev/null
@@ -1,20 +0,0 @@
-# $OpenLDAP: pkg/ldap/libraries/libldap/ldap.conf,v 1.9 2000/09/04 19:57:01 kurt Exp $
-#
-# LDAP Defaults
-#
-#A ne modifier que sur VERT
-
-# See ldap.conf(5) for details
-# This file should be world readable but not world writable.
-
-BASE dc=crans, dc=org
-#if "db-server" in $metadata.groups
-URI ldapi://%2fvar%2frun%2fslapd%2fldapi/
-TLS_CACERT /etc/ssl/certs/CAcrans.pem
-#else
-URI ldap://ldap.adm.crans.org
-#end if
-
-#SIZELIMIT 12
-#TIMELIMIT 15
-#DEREF never
diff --git a/etc/python/pam.py b/etc/python/pam.py
new file mode 100644
index 0000000..1b86b5b
--- /dev/null
+++ b/etc/python/pam.py
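Review bot: In the `else` branch the client reaches the directory over plain `ldap://` and presents `secrets.ldap_readonly_password` as `bindpw`, and the user passwords that pam_ldap verifies travel the same way; the template sets no `ssl`/`tls_*` option, whereas the deleted TGenshi ldap.conf at least carried `TLS_CACERT /etc/ssl/certs/CAcrans.pem`. Unless the admin network is trusted end to end, emit `ssl start_tls`, `tls_cacertfile /etc/ssl/certs/CAcrans.pem` and `tls_checkpeer yes` next to the network `uri`. The `bindpw` also lands in pam_ldap.conf itself, which is normally world-readable, so the bundle entry should either restrict the file mode or treat that credential as known to every local user. The `db-main` comment points at /etc/ldap.secret while this diff adds only libnss-ldap.secret; confirm which secret file the installed libpam-ldap reads and that the bundle ships it root-owned with mode 0600.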
@@ -0,0 +1,8 @@
+# -*- mode: python; coding: utf-8 -*-
+#
+# Module pour pam
+
+if has("ldap"):
+ pam_module = "pam_ldap.so"
+else:
+ pam_module = ""