diff --git a/group_vars/sftp/production.yml b/group_vars/lib_sftp/production.yml
similarity index 100%
rename from group_vars/sftp/production.yml
rename to group_vars/lib_sftp/production.yml
diff --git a/group_vars/lib_sftp/staging.yml b/group_vars/lib_sftp/staging.yml
new file mode 100644
index 0000000000..67873e7b6a
--- /dev/null
+++ b/group_vars/lib_sftp/staging.yml
@@ -0,0 +1,14 @@
+---
+ad_domain: "pu.win.princeton.edu"
+ad_test_user: "{{ almasftp_user }}"
+ad_domain_controller: "pu.win.princeton.edu"
+ad_admin_user: "doas-libsftp"
+ad_admin_password: "{{ vault_sssd_dn_password }}"
+almasftp_user: "almasftp"
+almasftp_user_password: "{{ vault_almasftp_user_password }}"
+aspaceftp_user: "{{ vault_libaspacesftp_user_password }}"
+aspaceftp_user_password: "alsosimple"
+lib_sftp_domain_group: "domain users@pu.win.princeton.edu"
+host_ad_name: lib-sftp-test1.princeton.edu
+deploy_user_local_keys:
+ - { name: 'bibdata-worker-staging1', key: "{{ lookup('file', '../roles/lib_sftp/files/id_rsa.pub') }}" }
diff --git a/group_vars/lib_sftp/vault.yml b/group_vars/lib_sftp/vault.yml
new file mode 100644
index 0000000000..b7cd8745c7
--- /dev/null
+++ b/group_vars/lib_sftp/vault.yml
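Review bot: `aspaceftp_user` is bound to `{{ vault_libaspacesftp_user_password }}`, a password-named vault variable, so the aspace drop directory created in roles/lib_sftp/tasks/main.yml would be chowned to whatever that secret expands to; the role default uses the literal account name `lib-aspacesftp`, which looks like the intended value. `aspaceftp_user_password` is left as the plaintext placeholder `"alsosimple"` in a committed group_vars file instead of a `vault_*` reference like the alma password two lines above. `host_ad_name: lib-sftp-test1.princeton.edu` is the only unquoted value in the file; `host_ad_name: "lib-sftp-test1.princeton.edu"` keeps the file's quoting style.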
@@ -0,0 +1,32 @@ +$ANSIBLE_VAULT;1.1;AES256 +31393761636533636334386165633937356331633237633332373364653566343734663364326339 +3064666166633235336663303662396130393037643061360a313037663630383132396163646437 +62333930393330306232643232326530663035353866623139636139646535306338323332643232 +3666663039633063310a373738623761666239383166396438643366653064656438323161303533 +38323661326631376561363866613935366664326663333535643963346136373438393963616435 +35313662653735386136666166393461613837653136396236383732316234666334373132363438 +30633534373139623434636434373238373865666137656662303337633762613361643434623636 +62366562363838643234633565303765326633613663306161363061633661393831343339373436 +62353734616234326464613731343965626162323834376265626634303962336563613162643635 +35323137313261636561353362346136396232663066313466393337333735323538313161636466 +37323261343638653939306331613834623034333861663136393233313733353965623534363565 +61323561373961633766663435613030383166386461316530666533663364343539303137643531 +39353834386232386466393531323131356461313431636661623564326335363762366362643137 +61613165303331336631373138363938303662346661336234343532633563646664336433373730 +34303964653866376435663336626533376533316635396435386437613862653964346637643836 +33323566626234346132373366613264346438326362343432376666363637653636663834303230 +65636333613134623733376263313264633231636264393661346635646664613637383561636133 +30393039343966623131653939663432613234316637623763623864323733396230643461663036 +66393561373637313937656530343036353639323834316466653064663362306235313465383938 +65366261383638316265623564323234356332303034363338313930613265303266353430343130 +36646162636134613666383035376365316533626537303063363233346163373865363766306666 +31653366616533363631616233656361383931373539333734633638663431343837313630643762 +61666461373064346232313537356162333166643233623062626162316536663239333633613362 
+33346631346561396466656137616564636137373162633261656334366639376261636536326561 +35393432356335316464616236313862316230616336333233373362343432613161663438393064 +38333662356639363365393137613632333432323962383135393834653165343238316534363430 +63643331616666333234643363343930653461353839316266316633323033356463323334346262 +34353736393261353966353937663231393539653738306337666663643536663837653966383037 +61646137633265663739373335633966663264356233333835313962323630343037323361396233 +39353736643635643066653936303232383863616433643437643536663432376634616437343664 +383730326561393932313033646333346238 diff --git a/group_vars/sftp/common.yml b/group_vars/sftp/common.yml deleted file mode 100644 index 9b5b54cfd8..0000000000 --- a/group_vars/sftp/common.yml +++ /dev/null @@ -1,6 +0,0 @@ ---- -auth_rule_one: "{{ vault_auth_rule_one }}" -auth_rule_two: "{{ vault_auth_rule_two }}" -auth_rule_three: "{{ vault_auth_rule_three }}" -auth_rule_dev: "{{ vault_auth_rule_dev }}" -almasftp_user_password: "{{ vault_almasftp_salted_user_password }}" diff --git a/group_vars/sftp/staging.yml b/group_vars/sftp/staging.yml index 1c820e9c61..f602d05626 100644 --- a/group_vars/sftp/staging.yml +++ b/group_vars/sftp/staging.yml @@ -5,6 +5,6 @@ sssd_uris: sssd_search_base: "{{ vault_sssd_search_base }}" sssd_bind_dn: "{{ vault_sssd_bind_dn }}" sssd_bind_dn_password: "{{ vault_sssd_dn_password }}" -host_ad_name: sftp-staging1.princeton.edu +host_ad_name: lib-sftp-test1.princeton.edu deploy_user_local_keys: - { name: 'bibdata-worker-staging1', key: "{{ lookup('file', '../roles/lib_sftp/files/id_rsa.pub') }}" } diff --git a/group_vars/sftp/vault.yml b/group_vars/sftp/vault.yml deleted file mode 100644 index df18e975ce..0000000000 --- a/group_vars/sftp/vault.yml +++ /dev/null 
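Review bot: `host_ad_name` in group_vars/sftp/staging.yml now names the same host as group_vars/lib_sftp/staging.yml, yet the only consumer of that variable visible in this diff (the `hostnamectl set-hostname` task in roles/sssd_ad/tasks/main.yml) is removed by the same commit, and playbooks/lib_sftp.yml no longer loads the `sftp` directory at all. If nothing outside the diff reads `host_ad_name` or the `sftp` group files, this hunk updates dead configuration and the file would be better deleted alongside the other two `group_vars/sftp` files.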
@@ -1,50 +0,0 @@ -$ANSIBLE_VAULT;1.1;AES256 -31613931316131343938386136656433623866613766343730616333373536616537393034363438 -3063616136653162343135346335306335326230623437320a343363323763643466663239343461 -37376633363465373330383766323433303330336133313635333061356133313339373239356233 -3432663637646337330a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diff --git a/inventory/all_projects/lib_sftp b/inventory/all_projects/lib_sftp index 2b58aa042c..ddca759da3 100644 --- a/inventory/all_projects/lib_sftp +++ b/inventory/all_projects/lib_sftp @@ -1,5 +1,6 @@ [libsftp_staging] lib-sftp-staging1.princeton.edu +lib-sftp-test1.princeton.edu [libsftp_production] lib-sftp-prod1.princeton.edu diff --git a/playbooks/lib_sftp.yml b/playbooks/lib_sftp.yml index e2ab465b72..df68330b5c 100644 --- a/playbooks/lib_sftp.yml +++ b/playbooks/lib_sftp.yml @@ -11,7 +11,7 @@ become: true vars: - force_settings: true - - drupal_git_repo: '' + - drupal_git_repo: "" - post_install: | Look the README for additional steps to allow mkhome directory @@ -20,9 +20,8 @@ deploy_id_rsa_private_key: "{{ lookup('file', '../roles/lib_sftp/files/id_rsa') }}\n" vars_files: - - ../group_vars/sftp/vault.yml - - ../group_vars/sftp/common.yml - - ../group_vars/sftp/{{ runtime_env | default('staging') }}.yml + - ../group_vars/lib_sftp/vault.yml + - ../group_vars/lib_sftp/{{ runtime_env | default('staging') }}.yml roles: - role: ../roles/deploy_user - role: ../roles/lib_sftp diff --git a/roles/lib_sftp/README.md b/roles/lib_sftp/README.md new file mode 100644 index 0000000000..f4633e8668 --- /dev/null +++ b/roles/lib_sftp/README.md 
@@ -0,0 +1,38 @@
+Role Name
+=========
+
+Binds our sftp servers to use active directory
+
+Requirements
+------------
+
+Any pre-requisites that may not be covered by Ansible itself or the role should be mentioned here. For instance, if the role uses the EC2 module, it may be a good idea to mention in this section that the boto package is required.
+
+Role Variables
+--------------
+
+A description of the settable variables for this role should go here, including any variables that are in defaults/main.yml, vars/main.yml, and any variables that can/should be set via parameters to the role. Any variables that are read from other roles and/or the global scope (ie. hostvars, group vars, etc.) should be mentioned here as well.
+
+Dependencies
+------------
+
+A list of other roles hosted on Galaxy should go here, plus any details in regards to parameters that may need to be set for other roles, or variables that are used from other roles.
+
+Example Playbook
+----------------
+
+Including an example of how to use your role (for instance, with variables passed in as parameters) is always nice for users too:
+
+ - hosts: servers
+ roles:
+ - { role: username.rolename, x: 42 }
+
+License
+-------
+
+BSD
+
+Author Information
+------------------
+
+An optional section for the role authors to include contact information, or a website (HTML is not allowed).
diff --git a/roles/lib_sftp/defaults/main.yml b/roles/lib_sftp/defaults/main.yml
new file mode 100644
index 0000000000..de1302351a
--- /dev/null
+++ b/roles/lib_sftp/defaults/main.yml
@@ -0,0 +1,7 @@
+---
+# defaults file for sftp
+almasftp_user: "almasftp"
+almasftp_user_password: "simple"
+aspaceftp_user: "lib-aspacesftp"
+aspaceftp_user_password: "alsosimple"
+lib_sftp_domain_group: "nobody"
diff --git a/roles/lib_sftp/files/id_rsa b/roles/lib_sftp/files/id_rsa
new file mode 100644
index 0000000000..d0c341d2ca
--- /dev/null
+++ b/roles/lib_sftp/files/id_rsa
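Review bot: `almasftp_user_password: "simple"` and `aspaceftp_user_password: "alsosimple"` ship plaintext, working-looking passwords as role defaults, and the staging group_vars leave the aspace one unchanged, so any consumer of those variables gets the literal value on a real host. Safer defaults are `almasftp_user_password: null` and `aspaceftp_user_password: null` (or omitting the keys) so a missing vault override fails loudly instead of silently applying a known string. Nothing in roles/lib_sftp/tasks/main.yml reads either `*_password` variable, so if they are not consumed elsewhere they can be dropped; the header `# defaults file for sftp` should also say `lib_sftp`.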
@@ -0,0 +1,89 @@ +$ANSIBLE_VAULT;1.1;AES256 +31333266363035343163646565353339626631643030363135393632326563326637323236343962 +6434346230346234376438616639636365623663333232640a376135386566646365373231316539 +33663839363837653265353631643166616635643666373036373332343665663264663433306439 +3333383138363662660a626664333035656265376664656537656634323736383638303466323466 +35373737343439383263303931643964313438313435643130376632323039323635333535363762 +34353033393065653964363630656133396362336561376339633163666564313835626639326463 +31663761373535303264383936343833333337346136393166373533633364383666353264623135 +33623333663662333836616530343063366134396637616132613062333230646430333431363937 +30303633613236323632363530636636616464396265643330393465356264646263333837646538 +61343962333534323237346663373835346563343966653736383334323530366164333933346466 +36326532316463326137303635333362663862313062613831366232636262376634396462393438 +64383363353966356338633638623536393536396635366434376535373262343938326137313436 +39333430306137613263353561636162316233356630363638386665633435376439633762646437 +64623233343735663935363336663932646463393837313265613839653539323738633431303266 +37616238623336353332633763363161383337343531353932643564623564336161633765633966 +64663263346261346166636237333432623866636338353262653338356236663839623039326131 +33616163386532373839316163323433666563663766306435306133663038376138313566656264 +62353162383232633761313763363762386532393838623763363436366232393466313033636538 +34316365613632306630636235613730323434303734393764356430333136613466613932653733 +61313735323161626235376566613939306531356263303830663436333131616531313133336231 +38376336626636643237653636643135326165336435336332393661313862386232366539343065 +30363966373734356562623539633165376239623737646665383332313861373062633866313530 +30656532303761333236663834343662613462623762303564316338653261623736343636306538 
+34366466303130316537626334306562346134653263663430353433366262343761666432366531 +66303066353461386331336539303436376362636564616234646664363536643933666565616434 +39663239356137613363313662336531656635313937326531396461633035653536303037653033 +65333931643734363136333661303432616663346538356266343536326165616534363163663034 +30333761646164653134356533353231656662353132623263306332303832626432393339356366 +32303761643664653632366362383732343362643863626162326633393538636335616333613034 +38613064363663373263393034353030656333383166623966613062393561613964663765356662 +61656532633663336432626363363434356565386463346637343434373834643331366132626433 +61396637663733633338636137636634633331653635343863316132656638613863343039383931 +31356530306138303231306531386534643330366636616533373736393266336337386233653632 +33653266393736353261636430633533336634366632656261333436313439616665313865363938 +35616636303139663765393434396331646164303830663165613562333239346530383164343634 +33356466313164623462326532353237306238323930643037646263653661373339333138303839 +61353765336139636133666266613038646238313139313064653936383934656639393834613830 +38666566623030383839653732383038656266623532303432386264353438646237383832666232 +35386133343738323736303532323937666563303636343635633930643563323936663663396630 +38643136323536306438313238343533336333306131346233333430666333656632346561666165 +64316333633630656638313137363434366531333730336163633064373638343162326664396232 +35633831663761303232393964303132326637363763366234336632353638316664383365366565 +39333435623836383532643365656564336137623534356631366633386262306663333432653066 +32656165616136633837643735396432313065323761356465303266396132663662376133613731 +31336631313431303538306136653165326135383037323532363737623662353131663135303564 +62316266356535383061396165393466623034393633336537623537663466656633353230626538 +32323261323462363034313036643238363036656662646565613433356330656335383465633466 
+34363834633932386234386563326137376165356137393034363330646466663262613035653465 +61316239643032373237336163336535616434353036613835313563626134333132653536306339 +62373663343463306439326363376431663236346364636539373262663637353162373930356238 +33626136636566613135373037346265343837323935626339313835333761393463356461326234 +32303330306163333031613065386437346432303933343866326466623062313763306233353832 +36633437643765633062646366613231366266353363626263623532333566396266623035353039 +61363665306362623264346464326361306139633936333033663538663663383135633634666464 +62303035396661353463336166333736653230396361326430316138653833663362303039313838 +34343930633163393132323863333863613565663161623165303238336362613036393636643934 +35386331366537356264633861653432643933623765616263383432363138633434623933366362 +63326266336238643563653030656161323336616533336131393732326363366363653965633131 +62626266653065636131396237323734386465376163626439323064396462373239623566353932 +31303434333735613236363561323736393633633534343932623362653632326632333366323331 +62313765366236346364613231663436343333656335323033393732346664656663666462633562 +38323031643537343831643736393966303231626561316466386133656664636239383430616538 +62353938653333633961303465333035666564366361363234323737623536666239653139666261 +34333265636239666330363632376163373339386531313966623937663966656534656136363264 +62623437376335313036663733623636633339393136613163626164643666363233643334636139 +30623130356235383063376261313839633133663461613133373065333066303763613434336135 +37383366313266366330386265373433396535363665346166626637336566623437363932356239 +66363636316233346162643631363135613637633030393939353562313630336464653938303839 +65666464653562383736396464303132373830353930653266643966373661356337396563356263 +33623062303835613332633836613461626462636230636563343230613132323034393265636130 +66333361366265303562356366393065333763316132343163393534663264613032336663363137 
+30646530303233343863316439323165383938633764646264353663653264363636656132326436 +61646231356264303131323862373363323066373434356662613762663831396231306334626132 +64643464653731613633343738393763396462346236633164363432376639333738333638653666 +35656364396165346565313431333435633531383937663734666464363130653664356261616465 +31393933333133366339633837613732663236633261303635353766323764653663616361613964 +32393833326132656364356237626632336135393632356465656336383765643663333734396230 +31333138633430356434623062333134626462636562346633303864343833393061396166666239 +62313165636133333732383665353163613934313935386636663735666130656539383034396235 +62663361376330643365313364343233663831383562373764393732613765366233373337613730 +66376331616137386135656164356161626663643934346634613632646563393763613663303230 +33316331363362353536396361393534343138313433323966636630353930323438396435613362 +62633961303439383330336535636265323366626237656639666432393635616266376266373036 +34343439323666373736643663373733333465373962323361306239656534306635346366336266 +34616234323737343831386133336161323739663230393933633463356532333965316462343463 +66376334313832326361653563383862353963666135353563333866383932643364306566386461 +66383535346631646533363633326563653835306631613336366234613136633935666264376332 +32653965323364653365 diff --git a/roles/lib_sftp/files/id_rsa.pub b/roles/lib_sftp/files/id_rsa.pub new file mode 100644 index 0000000000..035c21e320 --- /dev/null +++ b/roles/lib_sftp/files/id_rsa.pub @@ -0,0 +1 @@ +ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCZqYSBvYhs/yMGWyakVUPMEqRWBfgnFkZsuRH1nwi7kaiFOEgpRCgsdn6PXd8vZmBf7bcqQNKuJ5xr2aUj3zmWmpFB+wEMZge2Jn5CI4MpAWtRDtoARIdG2uxoIa83/8GPN0H5SIp3pPbviCB9YroGWjz8EJsoqPqrGoFS1L5cSUO72e/RBRGJlhzdJjm/JDUV/vXnn2MlteX4Wak0DYBNnNn+F0/o0XZ78tb9XZxNZj1worFzn06XpIrJEVDToDb4ueSjuojgRsm+iFUxOSAwKfZpjVFmr6iom8qDbiZZoxdjImttHC+JIZBzbAwMG9B4EE5j4ZKN7OjxlLRmzv+7 
diff --git a/roles/lib_sftp/handlers/main.yml b/roles/lib_sftp/handlers/main.yml
new file mode 100644
index 0000000000..7bdcd5ec7d
--- /dev/null
+++ b/roles/lib_sftp/handlers/main.yml
@@ -0,0 +1,2 @@
+---
+# handlers file for sftp
diff --git a/roles/lib_sftp/meta/main.yml b/roles/lib_sftp/meta/main.yml
new file mode 100644
index 0000000000..942739a810
--- /dev/null
+++ b/roles/lib_sftp/meta/main.yml
@@ -0,0 +1,19 @@
+---
+galaxy_info:
+ role_name: lib_sftp
+ company: Princeton University Library
+ description: Lib_SFTP
+ author: pulibrary
+
+ license: MIT
+
+ min_ansible_version: 2.9
+
+ platforms:
+ - name: Ubuntu
+ versions:
+ - jammy
+dependencies:
+ - role: "common"
+ - role: "deploy_user"
+ - role: sssd_ad
diff --git a/roles/lib_sftp/molecule/default/converge.yml b/roles/lib_sftp/molecule/default/converge.yml
new file mode 100644
index 0000000000..46c5e3d29f
--- /dev/null
+++ b/roles/lib_sftp/molecule/default/converge.yml
@@ -0,0 +1,15 @@
+---
+- name: Converge
+ hosts: all
+ vars:
+ - running_on_server: false
+ become: true
+ pre_tasks:
+ - name: Update cache
+ ansible.builtin.apt:
+ update_cache: true
+ cache_valid_time: 600
+ tasks:
+ - name: "Include lib_sftp"
+ ansible.builtin.include_role:
+ name: lib_sftp
diff --git a/roles/lib_sftp/molecule/default/molecule.yml b/roles/lib_sftp/molecule/default/molecule.yml
new file mode 100644
index 0000000000..fc1de4aea1
--- /dev/null
+++ b/roles/lib_sftp/molecule/default/molecule.yml
@@ -0,0 +1,22 @@
+---
+scenario:
+ name: default
+driver:
+ name: docker
+lint: |
+ set -e
+ yamllint .
+ ansible-lint
+platforms:
+ - name: instance
+ image: "ghcr.io/pulibrary/pul_containers:jammy_multi"
+ command: "sleep infinity"
+ volumes:
+ - /sys/fs/cgroup:/sys/fs/cgroup:ro
+ privileged: true
+ pre_build_image: true
+provisioner:
+ name: ansible
+ log: true
+verifier:
+ name: ansible
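Review bot: `min_ansible_version: 2.9` is an unquoted float, so a later bump to `2.10` would parse as `2.1`; write `min_ansible_version: "2.9"`. The `dependencies` list mixes `"common"`/`"deploy_user"` with a bare `sssd_ad`; one quoting style should be used. `description: Lib_SFTP` only repeats the name, while the README's `Binds our sftp servers to use active directory` is a ready-made description.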
diff --git a/roles/lib_sftp/molecule/default/verify.yml b/roles/lib_sftp/molecule/default/verify.yml
new file mode 100644
index 0000000000..f46ffdb870
--- /dev/null
+++ b/roles/lib_sftp/molecule/default/verify.yml
@@ -0,0 +1,37 @@
+---
+- name: Verify lib_sftp configuration
+ hosts: all
+ become: true
+ tasks:
+
+ - name: Lib_sftp | Verify alma directories exist
+ ansible.builtin.stat:
+ path: "{{ item }}"
+ register: alma_dirs
+ loop:
+ - "/alma/bursar"
+ - "/alma/datasync_processing"
+ - "/alma/fund_adjustment"
+ - "/alma/invoice_status"
+ - "/alma/invoices"
+ - "/alma/people"
+ - "/alma/pod"
+ - "/alma/publishing"
+ - "/alma/recap"
+ - "/alma/scsb_renewals"
+
+ - name: Lib_sftp | Assert alma directories exist
+ ansible.builtin.assert:
+ that:
+ - alma_dirs.results | map(attribute='stat.isdir') | all(item=True)
+ - alma_dirs.results | map(attribute='stat.exists') | all(item=True)
+
+ - name: Lib_sftp | Verify aspace directory exists
+ ansible.builtin.stat:
+ path: /alma/aspace
+ register: aspace_dir
+
+ - name: Lib_sftp | Assert aspace directory exists
+ ansible.builtin.assert:
+ that:
+ - aspace_dirs.results | map(attribute='stat.isdir') | all(item=True)
diff --git a/roles/lib_sftp/tasks/main.yml b/roles/lib_sftp/tasks/main.yml
new file mode 100644
index 0000000000..2223b0bae9
--- /dev/null
+++ b/roles/lib_sftp/tasks/main.yml
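Review bot: The last assertion reads `aspace_dirs.results`, but the task before it registers `aspace_dir` from a single, un-looped stat, so there is neither an `aspace_dirs` variable nor a `.results` list and the assert fails on an undefined variable; it should be `- aspace_dir.stat.exists` and `- aspace_dir.stat.isdir`. The `| all(item=True)` form in the alma assertions is also doubtful — I am not aware of an `item=` keyword on `all` — and `- alma_dirs.results | rejectattr('stat.isdir') | list | length == 0` makes the same check without it. The play verifies existence only; asserting `stat.pw_name`, `stat.gr_name` and `stat.mode` against the owner, group and mode set in tasks/main.yml would catch the ownership regressions the role exists to prevent.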
@@ -0,0 +1,44 @@
+---
+# tasks file for lib_sftp
+- name: Lib_sftp | create local group for alma
+ ansible.builtin.group:
+ name: "sambashare"
+ state: present
+
+- name: Lib_sftp | create alma directory drop
+ ansible.builtin.file:
+ path: "{{ item }}"
+ state: directory
+ recurse: true
+ owner: "{{ almasftp_user }}"
+ group: "sambashare"
+ mode: "0755"
+ loop:
+ - "/alma/bursar"
+ - "/alma/datasync_processing"
+ - "/alma/fund_adjustment"
+ - "/alma/invoice_status"
+ - "/alma/invoices"
+ - "/alma/people"
+ - "/alma/pod"
+ - "/alma/publishing"
+ - "/alma/recap"
+ - "/alma/scsb_renewals"
+
+- name: Lib_sftp | grant {{ deploy_user }} access to alma directory
+ ansible.builtin.user:
+ name: "{{ deploy_user }}"
+ group: "sambashare"
+ append: true
+
+- name: Lib_sftp | create aspace directory drop
+ ansible.builtin.file:
+ path: /alma/aspace
+ state: directory
+ recurse: true
+ owner: "{{ aspaceftp_user }}"
+ group: "sambashare"
+ mode: "0755"
+
+- name: Lib_sftp | Flush handlers to be able to use SSSD authentication
+ ansible.builtin.meta: flush_handlers
diff --git a/roles/lib_sftp/tests/inventory b/roles/lib_sftp/tests/inventory
new file mode 100644
index 0000000000..878877b077
--- /dev/null
+++ b/roles/lib_sftp/tests/inventory
@@ -0,0 +1,2 @@
+localhost
+
diff --git a/roles/lib_sftp/tests/test.yml b/roles/lib_sftp/tests/test.yml
new file mode 100644
index 0000000000..6d994c4d5a
--- /dev/null
+++ b/roles/lib_sftp/tests/test.yml
@@ -0,0 +1,5 @@
+---
+- hosts: localhost
+ remote_user: root
+ roles:
+ - sftp
diff --git a/roles/lib_sftp/vars/main.yml b/roles/lib_sftp/vars/main.yml
new file mode 100644
index 0000000000..1bd3d98280
--- /dev/null
+++ b/roles/lib_sftp/vars/main.yml
@@ -0,0 +1,2 @@
+---
+# vars file for sftp
diff --git a/roles/sssd_ad/handlers/main.yml b/roles/sssd_ad/handlers/main.yml
index 27fcc03379..11a1ffc8a8 100644
--- a/roles/sssd_ad/handlers/main.yml
+++ b/roles/sssd_ad/handlers/main.yml
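Review bot: In `Lib_sftp | grant {{ deploy_user }} access to alma directory`, `ansible.builtin.user` is given `group: "sambashare"` together with `append: true`; `group` sets the account's primary group and `append` only applies to `groups`, so this replaces the deploy user's primary group rather than adding a supplementary one. The intended form is `groups: "sambashare"` with `append: true`. Both `ansible.builtin.file` tasks pair `recurse: true` with `mode: "0755"`, which re-applies 0755 to every file already dropped into those directories on each run; if only the directories themselves are managed, `recurse` can go (`state: directory` already creates missing parents). Jinja in the middle of a task name also trips ansible-lint's `name[template]` rule; `Lib_sftp | grant deploy user access to alma directory` avoids it.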
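Review bot: roles/lib_sftp/tests/test.yml applies a role named `sftp`, which does not exist after the rename to `lib_sftp`, so this scaffold play cannot run as committed; either make it `- lib_sftp` or remove the `tests/` directory, since the molecule scenario added in this commit supersedes it.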
@@ -1,11 +1,21 @@ --- # handlers file sssd_ad +- name: restart smb + ansible.builtin.service: + name: smbd + state: restarted + - name: restart sshd ansible.builtin.service: name: sshd state: restarted -- name: restart sssd - service: +- name: restart SSSD + ansible.builtin.service: name: sssd state: restarted + +- name: Restart systemd-resolved + ansible.builtin.service: + name: systemd-resolved + state: restarted diff --git a/roles/sssd_ad/tasks/main.yml b/roles/sssd_ad/tasks/main.yml index 7de4cc15a6..4fd74474dc 100644 --- a/roles/sssd_ad/tasks/main.yml +++ b/roles/sssd_ad/tasks/main.yml 
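Review bot: The existing handler `restart sssd` is renamed to `restart SSSD`, and handler lookup is by exact name, so any task outside this diff that still notifies `restart sssd` will fail with an unknown-handler error; the reworked roles/sssd_ad/tasks/main.yml itself no longer notifies it and restarts the service unconditionally instead. Keeping the old name, or adding `listen: restart sssd` to the renamed handler, avoids breaking other callers. A `restart smb` handler is added, but nothing in the diff installs or notifies `smbd` (the package list only adds `samba-common-bin`), so it is dead unless another role uses it.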
@@ -1,125 +1,84 @@ --- -# Windows Active Directory has a limit of hostname characters -- name: Sssd_ad | change hostname to match AD - ansible.builtin.command: hostnamectl set-hostname {{ host_ad_name | default(omit) }} - changed_when: false - when: - - running_on_server - -- name: Sssd_ad | allow password authentication - ansible.builtin.lineinfile: - path: /etc/ssh/sshd_config - state: present - regexp: '^PasswordAuthentication no' - line: 'PasswordAuthentication yes' - -- name: Sssd_ad | allow users authentication - ansible.builtin.lineinfile: - path: /etc/ssh/sshd_config - state: present - regexp: '^AllowUsers pulsys' - line: '# AllowUsers pulsys' - when: running_on_server - notify: restart sshd - -- name: Sssd_ad | install necessary packages +- name: Sssd_ad | Ensure required packages are installed ansible.builtin.apt: name: "{{ item }}" state: present - update_cache: true loop: - adcli - krb5-user - libnss-sss - libpam-sss + - ldap-utils + - oddjob + - oddjob-mkhomedir + - packagekit + - realmd - sssd - sssd-tools + - samba-common-bin -- name: Sssd_ad | configure Kerberos - ansible.builtin.blockinfile: - path: /etc/krb5.conf - mode: "0644" - create: true - block: | - [logging] - default = FILE:/var/log/krb5libs.log - kdc = FILE:/var/log/krb5kdc.log - admin_server = FILE:/var/log/kadmind.log - - [libdefaults] - dns_lookup_realm = false - dns_lookup_kdc = true - ticket_lifetime = 24h - renew_lifetime = 7d - forwardable = true - rdns = false - default_realm = {{ ad_domain | upper }} - default_ccache_name = KEYRING:persistent:%{uid} +- name: Sssd_ad | set domain on interface + ansible.builtin.command: resolvectl domain {{ ansible_default_ipv4.interface }} {{ ad_domain }} + register: resolvectl_result + changed_when: "'Successfully' in resolvectl_result.stderr or ad_domain in resolvectl_result.stdout" + notify: Restart systemd-resolved + when: running_on_server - [realms] - {{ ad_domain | upper }} = { - kdc = {{ ad_domain_controller }} - admin_server = {{ 
ad_domain_controller }} - } +- name: Sssd_ad | kerberos for TLS + ansible.builtin.template: + src: krb5.conf.j2 + dest: /etc/krb5.conf + owner: root + group: root + mode: "0644" - [domain_realm] - .{{ ad_domain | lower }} = {{ ad_domain | upper }} - {{ ad_domain | lower }} = {{ ad_domain | upper }} +- name: Sssd_ad | Configure realmd for TLS + ansible.builtin.template: + src: realmd.conf.j2 + dest: /etc/realmd.conf + owner: root + group: root + mode: "0644" -- name: Sssd_ad | create sssd.conf +- name: Sssd_ad | Configure sssd for TLS ansible.builtin.template: src: sssd.conf.j2 dest: /etc/sssd/sssd.conf - mode: "0644" + owner: root + group: root + mode: "0600" -- name: Sssd_ad | enable and start sssd service - ansible.builtin.service: - name: sssd - state: started - enabled: true - register: sssd_service - when: running_on_server - -- name: Sssd_ad | join the domain - ansible.builtin.command: realm join {{ ad_domain }} -U {{ ad_admin_user }} --install=/ - environment: - KRB5_CONFIG: /etc/krb5.conf - changed_when: false - when: running_on_server +- name: Sssd_ad | Configure OpenLDAP for TLS + ansible.builtin.template: + src: ldap.conf.j2 + dest: /etc/ldap/ldap.conf + owner: root + group: root + mode: "0644" -- name: Sssd_ad | verify domain join - ansible.builtin.command: realm list - register: realm_list +- name: Sssd_ad | Update CA certificates + ansible.builtin.command: update-ca-certificates changed_when: false + when: ad_ldap_cert is defined + +# - name: Sssd_ad | set up keytab +# ansible.builtin.include_tasks: kerberoskey.yml + # when: running_on_server + # +- name: Sssd_ad | Join the AD domain using TLS + ansible.builtin.command: realm join --user={{ ad_admin_user }} {{ ad_domain }} --install=/ + register: realm_join_result + changed_when: "'Successfully enrolled machine in realm' in realm_join_result.stdout or 'already enrolled' in realm_join_result.stderr_lines" + ignore_errors: true when: running_on_server -- name: Sssd_ad | debug realm list output +- name: 
Sssd_ad | Display realm join result ansible.builtin.debug: - var: realm_list.stdout - when: running_on_server - -- name: Sssd_ad | configure PAM - ansible.builtin.lineinfile: - path: /etc/pam.d/common-session - line: 'session required pam_mkhomedir.so skel=/etc/skel umask=0022' - -- name: Sssd_ad | create home directory for AD users - ansible.builtin.file: - path: /home/{{ ad_test_user }} - state: directory - mode: "0700" - owner: "{{ ad_test_user }}" - group: "{{ ad_test_user }}" + var: realm_join_result.stdout when: running_on_server -- name: Sssd_ad | test login with AD user - ansible.builtin.command: su - {{ ad_test_user }} -c 'exit 0' - changed_when: false - ignore_errors: true # Ignore errors if the user cannot log in yet - register: ad_login_result - when: running_on_server - -- name: Sssd_ad | debug AD login result - ansible.builtin.debug: - var: ad_login_result - when: running_on_server +- name: Sssd_ad | Restart SSSD service + ansible.builtin.service: + name: sssd + state: restarted + enabled: true diff --git a/roles/sssd_ad/templates/krb5.conf.j2 b/roles/sssd_ad/templates/krb5.conf.j2 new file mode 100644 index 0000000000..ba49dcb066 --- /dev/null +++ b/roles/sssd_ad/templates/krb5.conf.j2 @@ -0,0 +1,18 @@ +[libdefaults] + udp_preference_limit = 0 + default_realm = {{ ad_domain | upper }} + dns_lookup_realm = true + dns_lookup_kdc = true + ticket_lifetime = 24h + renew_lifetime = 7d + forwardable = true + +[realms] + {{ ad_realm }} = { + kdc = {{ ad_domain }} + admin_server = {{ ad_domain }} + } + +[domain_realm] + .{{ ad_domain }} = {{ ad_realm }} + {{ ad_domain }} = {{ ad_realm }} diff --git a/roles/sssd_ad/templates/ldap.conf.j2 b/roles/sssd_ad/templates/ldap.conf.j2 new file mode 100644 index 0000000000..2bf92476bc --- /dev/null +++ b/roles/sssd_ad/templates/ldap.conf.j2 @@ -0,0 +1,4 @@ +# {{ ansible_managed | comment }} +TLS_CACERT /etc/ssl/certs/ca-certificates.crt +URI {{ ad_ldap_uri }} + 
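Review bot: `Sssd_ad | Join the AD domain using TLS` sets `ignore_errors: true`, so a genuine join failure (wrong credentials, DNS, clock skew) is only printed and the play proceeds to restart SSSD on an unjoined host; and its `changed_when` tests `'already enrolled' in realm_join_result.stderr_lines`, which is list membership requiring a whole line to equal that text, not a substring match. Prefer `failed_when: realm_join_result.rc != 0 and 'already' not in realm_join_result.stderr` with `'already' in realm_join_result.stderr` in `changed_when` (the exact realm message is worth confirming on an enrolled host). The closing `Restart SSSD service` task uses `state: restarted`, so every run bounces sssd and reports changed; `state: started` there plus `notify: restart SSSD` on the sssd.conf template task keeps runs idempotent. `ad_admin_password` is defined in group_vars but never passed to `realm join`, which as far as I know prompts on stdin and fails non-interactively unless a ticket is already cached; the commented-out keytab include suggests this is known, but it should not stay as dead YAML.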
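Review bot: `default_realm = {{ ad_domain | upper }}` derives the realm from `ad_domain` while `[realms]` and `[domain_realm]` use `ad_realm`, so the file contradicts itself as soon as the two variables disagree; `default_realm = {{ ad_realm }}` keeps one source of truth. The other two new templates start with `# {{ ansible_managed | comment }}`; the same header here warns anyone hand-editing /etc/krb5.conf that it is overwritten.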
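Review bot: `TLS_CACERT /etc/ssl/certs/ca-certificates.crt` hard-codes the bundle path although `ad_ldap_cert` in roles/sssd_ad/vars/main.yml carries that same value and gates the `update-ca-certificates` task; `TLS_CACERT {{ ad_ldap_cert }}` keeps them in one place, and the same applies to `ldap_tls_cacert` in sssd.conf.j2. The template also ends with a line containing only a space, which is trailing whitespace worth removing.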
diff --git a/roles/sssd_ad/templates/realmd.conf.j2 b/roles/sssd_ad/templates/realmd.conf.j2 new file mode 100644 index 0000000000..2e5d985aa4 --- /dev/null +++ b/roles/sssd_ad/templates/realmd.conf.j2 @@ -0,0 +1,15 @@ +# {{ ansible_managed | comment }} +[active-directory] +default-client-use-tls = yes + +[service] +automatic-id-mapping = no +client-software = sssd +fully-qualified-names = yes +automatic-install = no + +[{{ ad_domain }}] +fully-qualified-names = yes +automatic-id-mapping = no +default-client-use-tls = yes + diff --git a/roles/sssd_ad/templates/sssd.conf.j2 b/roles/sssd_ad/templates/sssd.conf.j2 index 4235fa67a3..fe8d5c3b0e 100644 --- a/roles/sssd_ad/templates/sssd.conf.j2 +++ b/roles/sssd_ad/templates/sssd.conf.j2 @@ -1,26 +1,23 @@ -# {{ ansible_managed | comment }} [sssd] domains = {{ ad_domain }} config_file_version = 2 services = nss, pam [domain/{{ ad_domain }}] -ad_domain = {{ ad_domain }} -krb5_realm = {{ ad_domain | upper }} -realmd_tags = manages-system joined-with-samba +default_shell = /usr/bin/bash +krb5_store_password_if_offline = True cache_credentials = True +krb5_realm = {{ ad_realm }} +realmd_tags = manages-system joined-with-adcli id_provider = ad -krb5_store_password_if_offline = True -default_shell = /usr/bin/bash -ldap_id_mapping = True   - -use_fully_qualified_names = True -fallback_homedir = /home/%u   - +fallback_homedir = /home/%u%d +ad_domain = {{ ad_domain }} +use_fully_qualified_names = False +ldap_id_mapping = True +ldap_network_timeout = 3 +timeout = 10 +enumerate = false access_provider = ad +ldap_tls_cacert = /etc/ssl/certs/ca-certificates.crt +ldap_uri = {{ ad_ldap_uri }} -[nss] -filter_users = root,named,avahi,nscd - -[pam] -offline_credentials_expiration = 0 diff --git a/roles/sssd_ad/vars/main.yml b/roles/sssd_ad/vars/main.yml index 3aca227cdc..8b16336c6f 100644 --- a/roles/sssd_ad/vars/main.yml +++ b/roles/sssd_ad/vars/main.yml 
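Review bot: realmd.conf.j2 sets `fully-qualified-names = yes` and `automatic-id-mapping = no`, while sssd.conf.j2 writes `use_fully_qualified_names = False` and `ldap_id_mapping = True`; as far as I know realmd edits /etc/sssd/sssd.conf when `realm join` runs with `client-software = sssd`, and the join task runs after the template task, so which of the contradictory settings is live depends on that rewrite rather than on the template. Pick one answer for both files (the group var `lib_sftp_domain_group: "domain users@pu.win.princeton.edu"` suggests qualified names are expected) and consider notifying `restart SSSD` after the join so a realmd rewrite is actually loaded. `automatic-install = no` is set here while the join command still passes `--install=/`; one of the two is redundant.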
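Review bot: `fallback_homedir = /home/%u%d` concatenates user and domain with no separator, yielding paths like `/home/almasftppu.win.princeton.edu` (constructed example); if per-domain homes are wanted, `/home/%u@%d` or `/home/%d/%u` is the usual form, and given `use_fully_qualified_names = False` plain `/home/%u` is probably what was meant. The `# {{ ansible_managed | comment }}` header is removed here while the three new templates add it; keeping it is more consistent and cheap.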
@@ -1,2 +1,7 @@ --- # vars file for system_ldap +ad_domain: "pu.win.princeton.edu" +ad_realm: "PU.WIN.PRINCETON.EDU" +ad_admin_user: "doas-libsftp" +ad_ldap_cert: "/etc/ssl/certs/ca-certificates.crt" +ad_ldap_uri: "ldaps://pu.win.princeton.edu"
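Review bot: `ad_domain`, `ad_admin_user` and the LDAP settings are placed in the role's `vars/main.yml`, which takes precedence over inventory group_vars, play `vars` and `vars_files`; the same keys set in group_vars/lib_sftp/staging.yml (and presumably production.yml) are therefore silently ignored, and every consumer of sssd_ad is pinned to the `doas-libsftp` account and this one domain. Moving these five keys to `defaults/main.yml` lets group_vars override them; otherwise the duplicates in group_vars should be removed so nobody edits values that have no effect. `ad_ldap_cert` names the system bundle that `update-ca-certificates` regenerates, so the `when: ad_ldap_cert is defined` guard in tasks/main.yml is always true and the task never installs anything; a custom CA would need to live under /usr/local/share/ca-certificates. The header still reads `# vars file for system_ldap`; `# vars file for sssd_ad` matches the role.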