diff --git a/defaults/main.yml b/defaults/main.yml
index 434f473..0accaa5 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -257,3 +257,34 @@ galaxy_uwsgi_config_default:
 # Options include: client / client-production / client-production-maps (default)
 galaxy_client_make_target: client-production-maps
 
+#
+# Authentification configuration
+# authen_conf.xml
+# https://github.com/galaxyproject/galaxy/blob/dev/config/auth_conf.xml.sample
+#
+galaxy_auth:
+  authenticator:
+    localdb:
+      allow-password-change: True
+    # ldap:
+    #   filter: "'{email}'.endswith('@example.com')"
+    #   allow-register: True
+    #   auto-register: False
+    #   allow-password-change: False
+    #   auto-create-roles: False
+    #   auto-create-groups: False
+    #   auto-assign-roles-to-groups-only: False
+    #   server: "ldap://dc1.example.com"
+    #   ldap-options: "OPT_X_TLS_REQUIRE_CERT=OPT_X_TLS_ALLOW"
+    #   login-use-username: False
+    #   continue-on-failure: False
+    #   search-fields: "uid,mail"
+    #   search-base: "ou=People,dc=example,dc=com"
+    #   search-filter: "(mail={email})"
+    #   search-user: "cn=jsmith,ou=People,dc=domain,dc=com"
+    #   search-password: "mysecret"
+    #   bind-user: "{dn}"
+    #   bind-password: "{password}"
+    #   auto-register-username: "{uid}"
+    #   auto-register-email: "{mail}"
+    #   auto-register-roles: "{gid}"
diff --git a/templates/auth_conf.xml.j2 b/templates/auth_conf.xml.j2
new file mode 100644
index 0000000..2f897a3
--- /dev/null
+++ b/templates/auth_conf.xml.j2
@@ -0,0 +1,154 @@
+<?xml version="1.0"?>
+<!--
+%
+% This file is managed by Ansible.
+% Do not edit this file manually.
+% Any changes will be automatically reverted.
+%
+-->
+<auth>
+{% if 'ldap' in galaxy_auth['authenticator'] %}
+    <authenticator>
+        <type>ldap</type>
+        {% set ldap = galaxy_auth['authenticator']['ldap'] %}
+
+        <!-- Replacement fields: instances of {email}, {username} and {password}
+             are replaced with the corresponding user's values inside the
+             <filter>, <server>, <ldap-options>, <search-fields>,
+             <search-filter>, <search-base>, <search-user> and <search-password>
+             elements. -->
+        <!-- Filter users for which this authenticator applies. This is a Python
+             expression which is evaluated after field replacement. -->
+    {% if ldap['filter'] is defined %}
+        <filter>ldap['filter']</filter>
+    {% endif %}
+        <options>
+
+            <!-- Whether to allow user registration. Possible values are True,
+                 False and Challenge (i.e. allow registration in case of
+                 successful authentication). Default is True. -->
+        {% if ldap['allow-register'] is defined %}
+            <allow-register>ldap['allow-register']</allow-register>
+        {% endif %}
+
+            <!-- Whether Galaxy should automatically register users when they
+                 first login. Default is False. -->
+        {% if ldap['auto-register'] is defined %}
+            <auto-register>ldap['auto-register']</auto-register>
+        {% endif %}
+
+            <!-- Whether users are allowed to change their password. Default is
+                 False. -->
+         {% if ldap['allow-password-change'] is defined %}
+             <allow-password-change>ldap['allow-password-change']</allow-password-change>
+         {% endif %}
+
+            <!-- Whether roles should be automatically created if
+                 the attribute specified under auto-register-roles can be found.
+                 Default is False. -->
+        {% if ldap['auto-create-roles'] is defined %}
+            <auto-create-roles>ldap['auto-create-roles']</auto-create-roles>
+        {% endif %}
+
+            <!-- Whether groups should be automatically created if
+                 the attribute specified under auto-register-roles can be found.
+                 Can be used in combination with auto-create-roles
+                 Default is False. -->
+        {% if ldap['auto-create-groups'] is defined %}
+            <auto-create-groups>ldap['auto-create-groups']</auto-create-groups>
+        {% endif %}
+
+            <!-- If set, roles will be assigned to the auto generated groups,
+            not to the individual users. Can only be used if auto-create-roles and
+            auto-create-groups are True. Default is False. -->
+        {% if ldap['auto-assign-roles-to-groups-only'] is defined %}
+            <auto-assign-roles-to-groups-only>ldap['auto-assign-roles-to-groups-only']</auto-assign-roles-to-groups-only>
+        {% endif %}
+
+            <!-- LDAP-specific options -->
+        {% if ldap['server'] is defined %}
+            <server>ldap['server']</server>
+        {% endif %}
+
+            <!-- Additional options for the LDAP connection. The syntax is:
+                 option1=value1,option2=value2,...
+                 Options and values should match those from the python-ldap
+                 documentation.
+                 The following example allows connecting to ldaps:// (SSL/TLS)
+                 when self-signed certificates are used -->
+        {% if ldap['ldap-options'] is defined %}
+            <ldap-options>ldap['ldap-options']</ldap-options>
+        {% endif %}
+
+            <!-- Whether unregistered users should use their LDAP username
+                 instead of the email at their first login when auto-register is
+                 True. Default is False. -->
+        {% if ldap['login-use-username'] is defined %}
+            <login-use-username>ldap['login-use-username']</login-use-username>
+        {% endif %}
+
+            <!-- Whether to continue with the following authenticators if LDAP
+                 fails. Default is False. -->
+        {% if ldap['continue-on-failure'] is defined %}
+            <continue-on-failure>ldap['continue-on-failure']</continue-on-failure>
+        {% endif %}
+
+            <!-- If search-fields is not specified, all other search-* elements
+                 are ignored.
+                 If search-user is not specified, Galaxy will bind anonymously
+                 to the LDAP server for search. -->
+        {% if ldap['search-fields'] is defined %}
+            <search-fields>ldap['search-fields']</search-fields>
+        {% endif %}
+        {% if ldap['search-base'] is defined %}
+            <search-base>ldap['search-base']</search-base>
+        {% endif %}
+
+        {% if ldap['search-filter'] is defined %}
+            <search-filter>ldap['search-filter']</search-filter>
+        {% endif %}
+
+        {% if ldap['search-user'] is defined %}
+            <search-user>ldap['search-user']</search-user>
+        {% endif %}
+        {% if ldap['search-password'] is defined %}
+            <search-password>ldap['search-password']</search-password>
+        {% endif %}
+
+
+            <!-- Replacement fields: instances of {email}, {username},
+                 {password}, {dn} plus all fields defined in <search-fields> are
+                 replaced with the corresponding user's values inside the
+                 <bind-user>, <bind-password>, <auto-register-username> and
+                 <auto-register-email> elements. -->
+        {% if ldap['bind-user'] is defined %}
+             <bind-user>ldap['bind-user']</bind-user>
+        {% endif %}
+        {% if ldap['bind-password'] is defined %}
+             <bind-password>ldap['bind-password']</bind-password>
+        {% endif %}
+        {% if ldap['auto-register-username'] is defined %}
+             <auto-register-username>ldap['auto-register-username']</auto-register-username>
+        {% endif %}
+        {% if ldap['auto-register-email'] is defined %}
+             <auto-register-email>ldap['auto-register-email']</auto-register-email>
+        {% endif %}
+        {% if ldap['auto-register-roles'] is defined %}
+             <auto-register-roles>ldap['auto-register-roles']</auto-register-roles>
+        {% endif %}
+
+        </options>
+    </authenticator>
+{% endif %}
+{% if 'localdb' in galaxy_auth['authenticator'] %}
+    <authenticator>
+        <type>localdb</type>
+        {% set localdb = galaxy_auth['authenticator']['localdb'] %}
+        <options>
+            <!-- Whether users are allowed to change their password. Default is
+                 False. -->
+            <allow-password-change>{{ localdb['allow-password-change']|default("True", true) }}</allow-password-change>
+        </options>
+    </authenticator>
+{% endif %}
+</auth>