diff --git a/apps/fnux-playground/README.md b/apps/fnux-playground/README.md
index c8c71ef..c406b84 100644
--- a/apps/fnux-playground/README.md
+++ b/apps/fnux-playground/README.md
@@ -9,6 +9,9 @@ image](https://github.com/osixia/docker-openldap). A TLS certificate is automatically generated via Let'sEncrypt, but renewal is not handled yet. TODO: handle TLS certificate renewal.
+NOTE: replication with the osixia image is somewhat broken, see:
+ https://github.com/osixia/docker-openldap/issues/203
+ -> Worked around the issue with https://github.com/ungleich/docker-openldap/commit/3c7c9ece1e67bce0bfe1fdb66a63f5c8c59359f4
 ```
 kubectl create secret generic ldap1-openldap --from-literal=LDAP_ADMIN_PASSWORD=secretsecretsectet
diff --git a/apps/fnux-playground/ldap1.fnux-playground.yaml b/apps/fnux-playground/ldap1.fnux-playground.yaml
deleted file mode 100644
index 9026f01..0000000
--- a/apps/fnux-playground/ldap1.fnux-playground.yaml
+++ /dev/null
@@ -1,6 +0,0 @@
-clusterDomain: "c1.k8s.ooo"
-
-# See https://www.openldap.org/doc/admin24/slapdconf2.html section 5.2.1.2;
-ldapLogLevel: "256"
-ldapOrganisation: "ungleich glarus ag"
-ldapDomain: "ungleich.ch"
diff --git a/apps/fnux-playground/ldapN.fnux-playground.yaml b/apps/fnux-playground/ldapN.fnux-playground.yaml
new file mode 100644
index 0000000..da29629
--- /dev/null
+++ b/apps/fnux-playground/ldapN.fnux-playground.yaml
@@ -0,0 +1,10 @@
+clusterDomain: "c1.k8s.ooo"
+
+ldap:
+ # See https://www.openldap.org/doc/admin24/slapdconf2.html section 5.2.1.2;
+ logLevel: "256"
+ oganisation: "ungleich glarus ag"
+ domain: "ungleich.ch"
+ adminPasswordSecretRef: "ldap-openldap"
+ enableReplication: "true"
+ replicationHosts: "#PYTHON2BASH:['ldaps://ldap1.{{ .Release.Namespace }}.svc.{{ .Values.clusterDomain }}','ldaps://ldap2.{{ .Release.Namespace }}.svc.{{ .Values.clusterDomain }}']"
diff --git a/apps/fnux-playground/openldap/Chart.yaml b/apps/fnux-playground/openldap/Chart.yaml
index 1b45324..137d4fc 100644
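Review bot: `oganisation:` in the new ldapN values file is misspelled, so the deployment template, which reads `.Values.ldap.organisation`, never sees this key and the chart default from values.yaml is applied silently; rename it to `organisation: "ungleich glarus ag"`. `enableReplication: "true"` is a quoted string while the chart default is the boolean `false`; keep the types consistent (`enableReplication: true`), because a future `{{ if .Values.ldap.enableReplication }}` guard would treat the string "false" as truthy. The README hunk above still documents `kubectl create secret generic ldap1-openldap ...`, whereas this file points `adminPasswordSecretRef` at `ldap-openldap`; if the secret name really changed for the multi-replica setup, the README command should follow it.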
--- a/apps/fnux-playground/openldap/Chart.yaml
+++ b/apps/fnux-playground/openldap/Chart.yaml
@@ -21,4 +21,4 @@ version: 0.1.0
 # incremented each time you make changes to the application. Versions are not expected to
 # follow Semantic Versioning. They should reflect the version the application is using.
 # It is recommended to use it with quotes.
-appVersion: "1.5.0"
+appVersion: "1.5.0-serverid-hostname-fallback-2"
diff --git a/apps/fnux-playground/openldap/templates/deployment.yaml b/apps/fnux-playground/openldap/templates/deployment.yaml
index 7bd9e91..ca9be71 100644
--- a/apps/fnux-playground/openldap/templates/deployment.yaml
+++ b/apps/fnux-playground/openldap/templates/deployment.yaml
@@ -30,8 +30,8 @@ spec:
 mountPath: /etc/letsencrypt
 containers:
 - name: "openldap"
- image: "osixia/openldap:{{ .Chart.AppVersion }}"
- args: ["--loglevel", "debug"]
+ image: "ungleich/openldap:{{ .Chart.AppVersion }}"
+ args: ["--loglevel", "trace"]
 ports:
 - name: ldap
 containerPort: 389
@@ -53,16 +53,21 @@ spec:
 - name: HOSTNAME
 value: "{{ tpl .Values.fqdn . }}"
 - name: LDAP_LOG_LEVEL
- value: "{{ tpl .Values.ldapLogLevel . }}"
+ value: "{{ tpl .Values.ldap.logLevel . }}"
 - name: LDAP_ORGANISATION
- value: "{{ tpl .Values.ldapOrganisation . }}"
+ value: "{{ tpl .Values.ldap.organisation . }}"
 - name: LDAP_DOMAIN
- value: "{{ tpl .Values.ldapDomain . }}"
+ value: "{{ tpl .Values.ldap.domain . }}"
 - name: LDAP_ADMIN_PASSWORD
 valueFrom:
 secretKeyRef:
- name: "{{ tpl .Values.ldapAdminPasswordSecretRef . }}"
- key: "{{ tpl .Values.ldapAdminPasswordSecretKey . }}"
+ name: "{{ tpl .Values.ldap.adminPasswordSecretRef . }}"
+ key: "{{ tpl .Values.ldap.adminPasswordSecretKey . }}"
+ - name: LDAP_CONFIG_PASSWORD
+ valueFrom:
+ secretKeyRef:
+ name: "{{ tpl .Values.ldap.adminPasswordSecretRef . }}"
+ key: "{{ tpl .Values.ldap.adminPasswordSecretKey . }}"
 - name: LDAP_TLS_CRT_FILENAME
 value: "live/{{ tpl .Values.fqdn . }}/cert.pem"
 - name: LDAP_TLS_KEY_FILENAME
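Review bot: The new `image:` line resolves to the mutable tag `ungleich/openldap:1.5.0-serverid-hostname-fallback-2` (appVersion from the Chart.yaml hunk in this same diff), and a tag on a fork can be re-pushed with different content at any time, so the directory server's supply chain now rests on a tag nobody verifies; pin it by digest (`image: "ungleich/openldap@sha256:<DIGEST-PLACEHOLDER>"`) or at least record the digest in a comment beside the tag. Raising `--loglevel` from `debug` to `trace` also needs a comment: if the image keeps the osixia base-image behaviour, trace enables shell tracing in the startup scripts, and the echoed commands can contain the expanded LDAP_ADMIN_PASSWORD and LDAP_CONFIG_PASSWORD values, which then land in whatever collects pod logs. If trace is only needed while debugging the replication work-around mentioned in the README, make it a value, `args: ["--loglevel", {{ .Values.ldap.containerLogLevel | default "debug" | quote }}]`, so production releases fall back to debug. The container spec continues beyond this hunk.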
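Review bot: The added `LDAP_CONFIG_PASSWORD` entry pulls the same secret and key as `LDAP_ADMIN_PASSWORD`, so the cn=config administrator, who can rewrite the server configuration including the syncrepl credentials and TLS settings, shares a password with the data-tree admin, and anything that exposes one exposes both; the `credentials=$$LDAP_CONFIG_PASSWORD` syncprov default in values.yaml is bound to exactly that secret. Give it its own values with a compatible fallback, e.g. `name: "{{ tpl (.Values.ldap.configPasswordSecretRef | default .Values.ldap.adminPasswordSecretRef) . }}"` and `key: "{{ tpl (.Values.ldap.configPasswordSecretKey | default .Values.ldap.adminPasswordSecretKey) . }}"`, and add a comment above the entry saying that it deliberately falls back to the admin secret when no separate config password is configured. The env list continues beyond this hunk.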
@@ -71,6 +76,14 @@ spec:
 value: "live/{{ tpl .Values.fqdn . }}/fullchain.pem"
 - name: LDAP_TLS_VERIFY_CLIENT
 value: "try"
+ - name: LDAP_REPLICATION
+ value: "{{ .Values.ldap.enableReplication }}"
+ - name: LDAP_REPLICATION_HOSTS
+ value: "{{ tpl .Values.ldap.replicationHosts . }}"
+ - name: LDAP_REPLICATION_CONFIG_SYNCPROV
+ value: "{{ tpl .Values.ldap.replicationConfigSyncprov . }}"
+ - name: LDAP_REPLICATION_DB_SYNCPROV
+ value: "{{ tpl .Values.ldap.replicationDbSyncprov . }}"
 volumeMounts:
 - name: "{{ tpl .Values.identifier . }}-openldap-data"
 mountPath: "/etc/ldap/slapd.d"
@@ -111,7 +124,7 @@ spec:
 value: "{{ tpl .Values.fqdn . }}"
 - name: EMAIL
 value: "{{ .Values.letsencryptEmail }}"
- {{ if eq .Values.letsencryptStaging "no" }}
+ {{ if not .Values.letsencryptStaging }}
 - name: STAGING
 value: "no"
 {{ end }}
diff --git a/apps/fnux-playground/openldap/values.yaml b/apps/fnux-playground/openldap/values.yaml
index f0c48f9..52e9196 100644
--- a/apps/fnux-playground/openldap/values.yaml
+++ b/apps/fnux-playground/openldap/values.yaml
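Review bot: `LDAP_REPLICATION` is rendered with a bare `{{ .Values.ldap.enableReplication }}` while every neighbouring entry goes through `tpl`; with the boolean default this yields the string `false` and with ldapN's `"true"` the string `true`, so the value is consistent only by accident and a templated override would be passed through literally. Either gate the whole group with `{{- if .Values.ldap.enableReplication }}` … `{{- end }}` so a single-node release carries no syncrepl bind strings naming `cn=admin,cn=config` in its pod spec, or document above the entry that the image expects the literal strings true/false here. The two syncprov values are rendered verbatim into the Deployment, which anyone with read access to it can see; a comment such as `# syncprov strings must reference credentials via $$LDAP_*_PASSWORD only, never inline them` keeps that invariant visible to the next editor. The env list starts before this hunk.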
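Review bot: `{{ if not .Values.letsencryptStaging }}` treats any non-empty string as true, so an environment-specific values file that still carries the previous form `letsencryptStaging: "no"` now evaluates `not "no"` to false, the `STAGING: "no"` entry is dropped, and that release silently switches to whatever the certificate sidecar does when STAGING is unset (presumably staging certificates, which LDAP clients will reject). Since this commit changes the key's type, tolerate the old spelling for one release, e.g. `{{ if not (and .Values.letsencryptStaging (ne (toString .Values.letsencryptStaging) "no")) }}`, or at least record the breaking change in a comment next to `letsencryptStaging: false` in values.yaml. The sidecar container spec starts before this hunk.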
@@ -2,13 +2,18 @@ clusterDomain: "c1.k8s.ooo"
 fqdn: "{{ .Release.Name }}.{{ .Release.Namespace }}.svc.{{ .Values.clusterDomain }}"
 identifier: "{{ .Release.Name }}"
-# See https://www.openldap.org/doc/admin24/slapdconf2.html section 5.2.1.2;
-ldapLogLevel: "256"
-ldapOrganisation: "ungleich glarus ag"
-ldapDomain: "{{ tpl .Values.fqdn . }}"
-ldapAdminPasswordSecretRef: "{{ tpl .Values.identifier . }}-openldap"
-ldapAdminPasswordSecretKey: "LDAP_ADMIN_PASSWORD"
+ldap:
+ # See https://www.openldap.org/doc/admin24/slapdconf2.html section 5.2.1.2;
+ logLevel: "256"
+ organisation: "ungleich glarus ag"
+ domain: "{{ tpl .Values.fqdn . }}"
+ adminPasswordSecretRef: "{{ tpl .Values.identifier . }}-openldap"
+ adminPasswordSecretKey: "LDAP_ADMIN_PASSWORD"
+ enableReplication: false
+ replicationHosts: ""
+ replicationConfigSyncprov: 'binddn=\"cn=admin,cn=config\" bindmethod=simple credentials=$$LDAP_CONFIG_PASSWORD searchbase=\"cn=config\" type=refreshAndPersist retry=\"60 +\" timeout=1 starttls=no'
+ replicationDbSyncprov: 'binddn=\"cn=admin,$$LDAP_BASE_DN\" bindmethod=simple credentials=$$LDAP_ADMIN_PASSWORD searchbase=\"$$LDAP_BASE_DN\" type=refreshAndPersist interval=00:00:00:10 retry=\"60 +\" timeout=1 starttls=no'
 # TLS certificate generation.
 letsencryptEmail: "technik@ungleich.ch"
-letsencryptStaging: "no"
+letsencryptStaging: false
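Review bot: The `replicationConfigSyncprov` and `replicationDbSyncprov` defaults need a comment explaining their escaping, because three layers touch them: `$$LDAP_CONFIG_PASSWORD` passes through Helm unchanged, the kubelet's `$(VAR)` expansion reduces `$$` to a single `$` before the container sees it (as I recall from the env-expansion code), and the image must then substitute the password itself, so the resulting `olcSyncrepl` should be checked on a running replica, as should whether the `\"` inside these single-quoted scalars is meant to reach slapd literally. Both strings end in `starttls=no`, so confidentiality of the `cn=admin` bind and of the whole replicated tree rests solely on the `ldaps://` scheme in `replicationHosts`; say so next to `replicationHosts: ""` (`# must be ldaps:// URLs: the syncprov defaults use starttls=no`) and consider adding `tls_reqcert=demand` to both strings so a replica does not accept an unverified peer certificate. Rewriting the two long scalars as `>-` folded blocks would keep them under the line-length limit without changing the value, since they are space-separated parameters.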