diff --git a/data_bags/credentials/ejabberd.json b/data_bags/credentials/ejabberd.json
new file mode 100644
index 0000000..ef6155a
--- /dev/null
+++ b/data_bags/credentials/ejabberd.json
@@ -0,0 +1,17 @@
+{
+ "id": "ejabberd",
+ "5apps_ldap_password": {
+ "encrypted_data": "LRafA47WMyuQe5KA4oOc6i/pTflwpG8Gq8v7cvsTr51XwJD62i9L\n",
+ "iv": "CSvV2mbofDQP4T42\n",
+ "auth_tag": "PERdYnrFKGs+HaPBD6Um+A==\n",
+ "version": 3,
+ "cipher": "aes-256-gcm"
+ },
+ "admins": {
+ "encrypted_data": "D1fEa5S7ADU4tornw/FdcDifE6CzqM6TrLliWYxQ1AxwAuewdh0G2OfgjKOt\nvvibgIEMkr83FkX4La2wOjW8X6/DpBiyeys9RznVD4s0jmSaCG7qGHask3+R\nFLRl0gcYFCPkQopIAYihjnwvm9t1MwPXPF9c7B7rN5W2VvctQ9OEN3MgboHl\n",
+ "iv": "IgodYNr3muNTfkhX\n",
+ "auth_tag": "OJ42GSFtEp/KCxSIGhdbVg==\n",
+ "version": 3,
+ "cipher": "aes-256-gcm"
+ }
+}
\ No newline at end of file
diff --git a/site-cookbooks/kosmos-ejabberd/recipes/default.rb b/site-cookbooks/kosmos-ejabberd/recipes/default.rb
index 5d4e282..a120062 100644
--- a/site-cookbooks/kosmos-ejabberd/recipes/default.rb
+++ b/site-cookbooks/kosmos-ejabberd/recipes/default.rb
@@ -26,6 +26,8 @@ include_recipe "kosmos-postgresql"
+ejabberd_credentials = data_bag_item("credentials", "ejabberd")
+
 cookbook_file "#{Chef::Config[:file_cache_path]}/pg.sql" do
 source "pg.sql"
 mode "0664"
@@ -55,35 +57,93 @@ postgresql_user 'ejabberd' do
 password postgresql_data_bag_item['ejabberd_user_password']
 end
-postgresql_database 'ejabberd' do
- owner 'ejabberd'
- action :create
- notifies :run, "execute[create db schema ejabberd]", :delayed
-end
+hosts = [
+ {
+ name: "kosmos.org",
+ sql_database: "ejabberd",
+ ldap_enabled: false,
+ append_host_config: <<-EOF
+modules:
+ mod_muc:
+ host: "kosmos.chat"
+ access:
+ - allow
+ access_admin:
+ - allow: admin
+ access_create: muc_create
+ access_persistent: muc_create
+ max_user_conferences: 1000
+ default_room_options:
+ mam: true
+ EOF
+ },
+ {
+ name: "5apps.com",
+ sql_database: "ejabberd_5apps",
+ ldap_enabled: true,
+ ldap_password: ejabberd_credentials['5apps_ldap_password'],
+ append_host_config: <<-EOF
+modules:
+ mod_muc:
+ host: "muc.@HOST@"
+ access:
+ - allow: local
+ access_admin:
+ - allow: admin
+ access_create: muc_create
+ access_persistent: muc_create
+ max_user_conferences: 1000
+ default_room_options:
+ anonymous: false
+ public: true
+ members_only: true
+ public_list: false
+ persistent: true
+ mam: true
+ EOF
+ }
+]
-postgresql_database 'ejabberd_5apps' do
- owner 'ejabberd'
- action :create
- notifies :run, "execute[create db schema ejabberd_5apps]", :delayed
-end
+ldap_domain = node['kosmos-dirsrv']['master_hostname']
+ldap_encryption_type = node.chef_environment == "development" ? "none" : "tls"
+ldap_base = "cn=users,dc=kosmos,dc=org"
-execute "create db schema ejabberd" do
- user "ejabberd"
- command "psql ejabberd < #{Chef::Config[:file_cache_path]}/pg.sql"
- action :nothing
-end
+admin_users = ejabberd_credentials['admins']
-execute "create db schema ejabberd_5apps" do
- user "ejabberd"
- command "psql ejabberd_5apps < #{Chef::Config[:file_cache_path]}/pg.sql"
- action :nothing
+hosts.each do |host|
+ postgresql_database host[:sql_database] do
+ owner 'ejabberd'
+ action :create
+ notifies :run, "execute[create db schema #{host[:sql_database]}]", :delayed
+ end
+
+ execute "create db schema #{host[:sql_database]}" do
+ user "ejabberd"
+ command "psql #{host[:sql_database]}} < #{Chef::Config[:file_cache_path]}/pg.sql"
+ action :nothing
+ end
+
+ template "/opt/ejabberd/conf/#{host[:name]}.yml" do
+ source "vhost.yml.erb"
+ mode 0640
+ owner 'ejabberd'
+ group 'ejabberd'
+ sensitive true
+ variables pgsql_password: postgresql_data_bag_item['ejabberd_user_password'],
+ host: host,
+ ldap_base: ldap_base,
+ ldap_server: ldap_domain,
+ ldap_encryption_type: ldap_encryption_type
+ end
 end
 template "/opt/ejabberd/conf/ejabberd.yml" do
 source "ejabberd.yml.erb"
 mode 0640
 sensitive true
- variables pgsql_password: postgresql_data_bag_item['ejabberd_user_password']
+ variables pgsql_password: postgresql_data_bag_item['ejabberd_user_password'],
+ hosts: hosts,
+ admin_users: admin_users
 notifies :run, "execute[ejabberdctl reload_config]", :delayed
 end
diff --git a/site-cookbooks/kosmos-ejabberd/templates/ejabberd.yml.erb b/site-cookbooks/kosmos-ejabberd/templates/ejabberd.yml.erb
index 7f66eaf..fc4cbe5 100644
--- a/site-cookbooks/kosmos-ejabberd/templates/ejabberd.yml.erb
+++ b/site-cookbooks/kosmos-ejabberd/templates/ejabberd.yml.erb
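Review bot: The schema-loading command inside the new `hosts.each` block has a stray closing brace: `command "psql #{host[:sql_database]}} < #{Chef::Config[:file_cache_path]}/pg.sql"` interpolates to `psql ejabberd} < …/pg.sql`, so psql is handed a database name that does not exist and the delayed notification fired by `postgresql_database` will fail on the first converge of a fresh node. The line should read `command "psql #{host[:sql_database]} < #{Chef::Config[:file_cache_path]}/pg.sql"`, matching the two removed resources it replaces. Separately, the per-host `template "/opt/ejabberd/conf/#{host[:name]}.yml"` resource renders the LDAP bind password and certfiles list but, unlike the `ejabberd.yml` template below it, carries no `notifies :run, "execute[ejabberdctl reload_config]", :delayed`, so a rotated `5apps_ldap_password` or a newly dropped certificate is written to disk yet not loaded until something else touches the main config; adding the same notifies line to the loop body keeps the two files in step.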
@@ -7,34 +7,12 @@ log_rotate_count: 1
 log_rate_limit: 100
 hosts:
- - "kosmos.org"
- - "5apps.com"
-
-host_config:
- "kosmos.org":
- sql_type: pgsql
- sql_server: "localhost"
- sql_database: "ejabberd"
- sql_username: "ejabberd"
- sql_password: "<%= @pgsql_password %>"
- "5apps.com":
- sql_type: pgsql
- sql_server: "localhost"
- sql_database: "ejabberd_5apps"
- sql_username: "ejabberd"
- sql_password: "<%= @pgsql_password %>"
-
-<% if (File.exist?("/opt/ejabberd/conf/kosmos.org.crt") && File.exist?("/opt/ejabberd/conf/kosmos.org.key")) ||
- (File.exist?("/opt/ejabberd/conf/5apps.com.crt") && File.exist?("/opt/ejabberd/conf/5apps.com.key")) -%>
-certfiles:
-<% if File.exist?("/opt/ejabberd/conf/kosmos.org.crt") && File.exist?("/opt/ejabberd/conf/kosmos.org.key") -%>
- - "/opt/ejabberd/conf/kosmos.org.crt"
- - "/opt/ejabberd/conf/kosmos.org.key"
-<% end -%>
-<% if File.exist?("/opt/ejabberd/conf/5apps.com.crt") && File.exist?("/opt/ejabberd/conf/5apps.com.key") -%>
- - "/opt/ejabberd/conf/5apps.com.crt"
- - "/opt/ejabberd/conf/5apps.com.key"
+<% @hosts.each do |host| -%>
+ - "<%= host[:name] %>"
 <% end -%>
+
+<% @hosts.each do |host| -%>
+include_config_file: "/opt/ejabberd/conf/<%= host[:name] %>.yml"
 <% end -%>
 ca_file: "/opt/ejabberd/conf/cacert.pem"
@@ -113,12 +91,9 @@ max_fsm_queue: 10000
 acl:
 admin:
 user:
- - "greg@5apps.com"
- - "sebastian@5apps.com"
- - "garret@5apps.com"
- - "raucao@kosmos.org"
- - "greg@kosmos.org"
- - "galfert@kosmos.org"
+ <% @admin_users.each do |admin| -%>
+ - "<%= admin %>"
+ <% end -%>
 local:
 user_regexp: ""
@@ -232,14 +207,9 @@ modules:
 - "pep" # pep requires mod_caps
 mod_push: {}
 mod_push_keepalive: {}
+ # Allow existing accounts to change their password
 mod_register:
- welcome_message:
- subject: "Welcome!"
- body: |-
- Hi.
- Welcome to this XMPP server.
- ip_access: trusted_network
- access: register
+ access: none
 mod_roster:
 versioning: true
 store_current_id: true
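Review bot: The second `@hosts.each` loop in the first hunk emits a top-level `include_config_file:` key once per host, so with the two hosts the recipe defines the rendered YAML contains the same mapping key twice; YAML loaders generally keep only one of them (which one is loader-dependent), which would silently drop one vhost's `host_config` and `append_host_config`. ejabberd documents a list form for this option, so emit the key once and loop over the items: `include_config_file:` before the loop and `  - "/opt/ejabberd/conf/<%= host[:name] %>.yml"` inside it. The `hosts:` loop above it is fine as written. If the deployed ejabberd's YAML loader is known to merge duplicate keys this becomes a style point only, but the list form is unambiguous either way.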
@@ -253,39 +223,6 @@ modules:
 mod_s2s_dialback: {}
 mod_http_api: {}
-append_host_config:
- "5apps.com":
- modules:
- mod_muc:
- host: "muc.@HOST@"
- access:
- - allow: local
- access_admin:
- - allow: admin
- access_create: muc_create
- access_persistent: muc_create
- max_user_conferences: 1000
- default_room_options:
- anonymous: false
- public: true
- members_only: true
- public_list: false
- persistent: true
- mam: true
- "kosmos.org":
- modules:
- mod_muc:
- host: "kosmos.chat"
- access:
- - allow
- access_admin:
- - allow: admin
- access_create: muc_create
- access_persistent: muc_create
- max_user_conferences: 1000
- default_room_options:
- mam: true
-
 allow_contrib_modules: true
 ### Local Variables:
diff --git a/site-cookbooks/kosmos-ejabberd/templates/vhost.yml.erb b/site-cookbooks/kosmos-ejabberd/templates/vhost.yml.erb
new file mode 100644
index 0000000..875af76
--- /dev/null
+++ b/site-cookbooks/kosmos-ejabberd/templates/vhost.yml.erb
@@ -0,0 +1,28 @@
+# Generated by Chef for <%= @host[:name] %>
+<% if File.exist?("/opt/ejabberd/conf/#{@host[:name]}.crt") && File.exist?("/opt/ejabberd/conf/#{@host[:name]}.key") -%>
+certfiles:
+ - "/opt/ejabberd/conf/<%= @host[:name] %>.crt"
+ - "/opt/ejabberd/conf/<%= @host[:name] %>.key"
+<% end -%>
+host_config:
+ "<%= @host[:name] %>":
+ sql_type: pgsql
+ sql_server: "localhost"
+ sql_database: "<%= @host[:sql_database] %>"
+ sql_username: "ejabberd"
+ sql_password: "<%= @pgsql_password %>"
+ <% if @host[:ldap_enabled] -%>
+ auth_method: ldap
+ ldap_servers: ["<%= @ldap_server %>"]
+ ldap_rootdn: "cn=xmpp,ou=<%= @host[:name] %>,<%= @ldap_base %>"
+ ldap_password: "<%= @host[:ldap_password] %>"
+ ldap_encrypt: <%= @ldap_encryption_type %>
+ ldap_tls_verify: hard # when TLS is enabled, don't proceed if a cert is invalid
+ ldap_base: "ou=<%= @host[:name] %>,<%= @ldap_base %>"
+ ldap_filter: "(nsRole=cn=xmpp_role,ou=<%= @host[:name] %>,<%= @ldap_base %>)"
+ <% end -%>
+
+append_host_config:
+ "<%= @host[:name] %>":
+ <%= @host[:append_host_config].chomp %>
+
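Review bot: The last content line, `<%= @host[:append_host_config].chomp %>`, splices the recipe's heredoc in verbatim, and ERB does not re-indent continuation lines: only the first line (`modules:`) inherits the template's leading spaces, while `mod_muc:` and everything below keep whatever column they have in the recipe, where `<<-EOF` strips nothing from the body and the `+modules:` line suggests the fragment starts at column 0. If that is the case, `mod_muc:` lands shallower than `modules:`, the YAML parser closes the per-host mapping early and `mod_muc` becomes a sibling of the host key directly under `append_host_config`, leaving `modules` empty for both vhosts. Indenting every line of the fragment in the template, e.g. `<%= @host[:append_host_config].chomp.gsub(/^/, "    ") %>` written at column 0, makes the nesting independent of how the recipe formats its heredocs. On the same file, `sql_password` and `ldap_password` are interpolated into double-quoted YAML scalars without escaping, so a secret containing `"` or `\` breaks the rendered config; `sql_password: <%= @pgsql_password.to_json %>` (a JSON string is a valid YAML double-quoted scalar) avoids that for both.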