diff --git a/doc/ldap.md b/doc/ldap.md
index 7ebe26f..5ebcf8f 100644
--- a/doc/ldap.md
+++ b/doc/ldap.md
@@ -14,3 +14,9 @@ $ knife data bag show credentials dirsrv --secret-file .chef/encrypted_data_bag_
 ```
 $ ldapsearch -x -W -D 'cn=Directory Manager' -b "ou=users,dc=kosmos,dc=org" -H "ldaps://ldap.kosmos.org" -v
 ```
+
+## Shell scripts
+
+Adding a new user account (requires username, email, password):
+
+ ./scripts/ldap/add_user.sh username user@example.com changeme
diff --git a/scripts/ldap/add_user.sh b/scripts/ldap/add_user.sh
new file mode 100755
index 0000000..d6098a9
--- /dev/null
+++ b/scripts/ldap/add_user.sh
@@ -0,0 +1,17 @@
+#!/bin/bash
+set -xe;
+
+password=$(ruby -r base64 -r digest -r securerandom -e "salt = SecureRandom.hex(32); password = '$3'; puts '{SSHA512}' + Base64.strict_encode64(Digest::SHA512.digest(password + salt) + salt)");
+
+ldapadd -x -W -D 'cn=Directory Manager' -H "ldaps://ldap.kosmos.org" << EOF
+dn: cn=$1,ou=kosmos.org,cn=users,dc=kosmos,dc=org
+objectClass: top
+objectClass: account
+objectClass: person
+objectClass: extensibleObject
+cn: $1
+sn: $1
+uid: $1
+mail: $2
+userPassword: $password
+EOF
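Review bot: The plaintext password `$3` is spliced into the Ruby program text on the `password=$(ruby ...)` line, so it appears in the ruby process's argument list (readable via `ps`) and, because of `set -xe` on the line above, is also echoed to stderr by the command trace; a password containing a single quote additionally breaks the Ruby string. Pass it through the environment and drop the trace flag: `set -e` and `password=$(LDAP_PW="$3" ruby -r base64 -r digest -r securerandom -e "salt = SecureRandom.hex(32); password = ENV.fetch('LDAP_PW'); puts '{SSHA512}' + Base64.strict_encode64(Digest::SHA512.digest(password + salt) + salt)")`. The script also never checks its argument count, and `$1` and `$2` go unquoted into the LDIF heredoc, where a value containing a newline would be read by ldapadd as extra attributes; a guard before the `ldapadd` call such as `[ "$#" -eq 3 ] || { printf 'usage: %s username email password\n' "$0" >&2; exit 1; }`, together with a whitelist pattern check on the username, would close both gaps.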