diff --git a/consul/configuration/chat/synapse/homeserver.yaml b/consul/configuration/chat/synapse/homeserver.yaml index 9e0e97f..c54d4a0 100644 --- a/consul/configuration/chat/synapse/homeserver.yaml +++ b/consul/configuration/chat/synapse/homeserver.yaml @@ -378,7 +378,7 @@ password_providers: - module: "ldap_auth_provider.LdapAuthProvider" config: enabled: true - uri: "ldap://bottin.service.2.cluster.deuxfleurs.fr:389" + uri: "ldap://bottin2.service.2.cluster.deuxfleurs.fr:389" start_tls: false bind_dn: '{{ key "secrets/chat/synapse/ldap_binddn" | trimSpace }}' bind_password: '{{ key "secrets/chat/synapse/ldap_bindpw" | trimSpace }}' diff --git a/consul/configuration/directory/bottin/config.json b/consul/configuration/directory/bottin/config.json index ca49922..93d95c9 100644 --- a/consul/configuration/directory/bottin/config.json +++ b/consul/configuration/directory/bottin/config.json @@ -9,6 +9,7 @@ "cn=admin,dc=deuxfleurs,dc=fr::read add modify delete:*:*", "*:cn=admin,ou=groups,dc=deuxfleurs,dc=fr:read add modify delete:*:*", "ANONYMOUS::bind:*,ou=users,dc=deuxfleurs,dc=fr:", - "ANONYMOUS::bind:cn=admin,dc=deuxfleurs,dc=fr:" + "ANONYMOUS::bind:cn=admin,dc=deuxfleurs,dc=fr:", + "*,ou=services,ou=users,dc=deuxfleurs,dc=fr::bind:*,ou=users,dc=deuxfleurs,dc=fr:*" ] } diff --git a/consul/configuration/email/dovecot/dovecot-ldap.conf.sample b/consul/configuration/email/dovecot/dovecot-ldap.conf.tpl similarity index 62% rename from consul/configuration/email/dovecot/dovecot-ldap.conf.sample rename to consul/configuration/email/dovecot/dovecot-ldap.conf.tpl index 4848d6e..9fb1ea6 100644 --- a/consul/configuration/email/dovecot/dovecot-ldap.conf.sample +++ b/consul/configuration/email/dovecot/dovecot-ldap.conf.tpl 
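Review bot: The new `uri` still points at plain `ldap://` on port 389 while the `start_tls: false` two lines below it stays in place, so the bind password rendered from `secrets/chat/synapse/ldap_bindpw` and every user password Synapse forwards to the LDAP provider cross the cluster network unencrypted. If bottin2 can terminate TLS (nothing in this diff shows a TLS listener for it), use `uri: "ldaps://bottin2.service.2.cluster.deuxfleurs.fr:636"` or flip `start_tls: true`; if it cannot, a comment above `uri` such as `# plaintext LDAP: relies on the cluster network being trusted` keeps the next reader from assuming the link is encrypted. The `password_providers` entry continues outside the hunk.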
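Review bot: The target of the new ACL, `*,ou=users,dc=deuxfleurs,dc=fr`, also matches the subjects themselves if bottin's `*` matches any DN prefix, because `ou=services` sits under `ou=users`; every service account is then granted the bind right on every other service account, not only on end-user entries. If the rule exists so that a service already bound as itself can re-bind as a user to check that user's password, which is what the dovecot/postfix/synapse changes in this commit suggest, the target is wider than needed, and either a narrower pattern or moving service accounts out of `ou=users` would stop one leaked service credential from being usable against its peers. The trailing `*` attribute field is also inconsistent with the two `ANONYMOUS::bind` rules above, which leave that field empty; if bottin ignores attributes for `bind`, `"*,ou=services,ou=users,dc=deuxfleurs,dc=fr::bind:*,ou=users,dc=deuxfleurs,dc=fr:"` reads the same as its neighbours. Whether a service-initiated bind still has to present the target entry's password is not visible here and is worth confirming before relying on this rule.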
@@ -1,6 +1,6 @@ -hosts = bottin.service.2.cluster.deuxfleurs.fr -dn = cn=,dc=deuxfleurs,dc=fr -dnpass = +hosts = bottin2.service.2.cluster.deuxfleurs.fr +dn = {{ key "secrets/email/dovecot/ldap_binddn" | trimSpace }} +dnpass = {{ key "secrets/email/dovecot/ldap_bindpwd" | trimSpace }} base = dc=deuxfleurs,dc=fr scope = subtree user_filter = (&(mail=%u)(&(objectClass=inetOrgPerson)(memberOf=cn=email,ou=groups,dc=deuxfleurs,dc=fr))) diff --git a/consul/configuration/email/postfix/ldap-account.cf.sample b/consul/configuration/email/postfix/ldap-account.cf.sample deleted file mode 100644 index 1b90252..0000000 --- a/consul/configuration/email/postfix/ldap-account.cf.sample +++ /dev/null @@ -1,12 +0,0 @@ -bind = yes -bind_dn = cn=,dc=deuxfleurs,dc=fr -bind_pw = -version = 3 -timeout = 20 -start_tls = no -tls_require_cert = no -server_host = ldap://bottin.service.2.cluster.deuxfleurs.fr -scope = sub -search_base = ou=users,dc=deuxfleurs,dc=fr -query_filter = mail=%s -result_attribute = mail diff --git a/consul/configuration/email/postfix/ldap-account.cf.tpl b/consul/configuration/email/postfix/ldap-account.cf.tpl new file mode 100644 index 0000000..2575f10 --- /dev/null +++ b/consul/configuration/email/postfix/ldap-account.cf.tpl @@ -0,0 +1,12 @@ +bind = yes +bind_dn = {{ key "secrets/email/postfix/ldap_binddn" | trimSpace }} +bind_pw = {{ key "secrets/email/postfix/ldap_bindpwd" | trimSpace }} +version = 3 +timeout = 20 +start_tls = no +tls_require_cert = no +server_host = ldap://bottin2.service.2.cluster.deuxfleurs.fr +scope = sub +search_base = ou=users,dc=deuxfleurs,dc=fr +query_filter = mail=%s +result_attribute = mail diff --git a/consul/configuration/email/postfix/ldap-alias.cf.sample b/consul/configuration/email/postfix/ldap-alias.cf.tpl similarity index 52% rename from consul/configuration/email/postfix/ldap-alias.cf.sample rename to consul/configuration/email/postfix/ldap-alias.cf.tpl index 8ed3361..775c0ad 100644 
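Review bot: The key rendered into `dnpass` is `secrets/email/dovecot/ldap_bindpwd`, while the Synapse template in this same commit reads `secrets/chat/synapse/ldap_bindpw`; a `pw`/`pwd` split across services is exactly what costs an hour when someone seeds the Consul KV from the other service's key name, so settling on one suffix for the new keys (`ldap_bindpw` is the one already in use) is cheapest while they are new. `hosts` is also a bare name with no `tls = yes` or `uris = ldaps://` in the visible lines, so Dovecot talks to bottin2 in plaintext; a line such as `# plaintext LDAP: the bind password crosses the cluster network unencrypted` above `hosts` would at least record that decision. The hunk covers only the first six lines of the file, so any TLS setting further down is not visible here.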
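Review bot: `tls_require_cert = no` is dead configuration while `start_tls = no`, and the moment someone flips `start_tls` to `yes` it silently makes the new TLS session accept any certificate, so a man-in-the-middle on the cluster network would still read `bind_pw`; either drop the line or set `tls_require_cert = yes` now so that enabling STARTTLS later is safe by default. The rendered copy of this template carries the bind password, and the `template` stanza that produces it in `nomad/email.hcl` sets no `perms`, unlike the dovecot one; a header comment here such as `# rendered by nomad/email.hcl into secrets/postfix/ldap-account.cf; contains bind_pw, keep it unreadable to other users` ties the two together for whoever next edits either file.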
--- a/consul/configuration/email/postfix/ldap-alias.cf.sample +++ b/consul/configuration/email/postfix/ldap-alias.cf.tpl @@ -1,9 +1,9 @@ -server_host = bottin.service.2.cluster.deuxfleurs.fr +server_host = bottin2.service.2.cluster.deuxfleurs.fr server_port = 389 search_base = dc=deuxfleurs,dc=fr query_filter = (&(objectClass=inetOrgPerson)(memberOf=cn=%s,ou=mailing_lists,ou=groups,dc=deuxfleurs,dc=fr)) result_attribute = mail bind = yes -bind_dn = cn=,dc=deuxfleurs,dc=fr -bind_pw = +bind_dn = {{ key "secrets/email/postfix/ldap_binddn" | trimSpace }} +bind_pw = {{ key "secrets/email/postfix/ldap_bindpwd" | trimSpace }} version = 3 diff --git a/consul/configuration/email/sogo/sogo.conf.tpl b/consul/configuration/email/sogo/sogo.conf.tpl index bb13a83..0b87db7 100644 --- a/consul/configuration/email/sogo/sogo.conf.tpl +++ b/consul/configuration/email/sogo/sogo.conf.tpl @@ -60,7 +60,7 @@ bindFields = (cn, mail); canAuthenticate = YES; displayName = "Bottin"; - hostname = "ldap://bottin.service.2.cluster.deuxfleurs.fr:389"; + hostname = "ldap://bottin2.service.2.cluster.deuxfleurs.fr:389"; id = bottin; isAddressBook = NO; } diff --git a/man/init_stolon/README.md b/man/init_stolon/README.md index fe3a912..618530a 100644 --- a/man/init_stolon/README.md +++ b/man/init_stolon/README.md 
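Review bot: This template and `ldap-account.cf.tpl` from the same commit now share one bind identity but describe the server in two different ways: here `server_host = bottin2...` with a separate `server_port = 389` and no `start_tls`, `tls_require_cert` or `timeout`, there `server_host = ldap://bottin2...` with `start_tls = no`, `tls_require_cert = no` and `timeout = 20`. Postfix fills in defaults where a key is absent, so behaviour is probably the same today, but the two files will drift the first time TLS or a timeout is tuned in only one of them; aligning on one form, e.g. `server_host = ldap://bottin2.service.2.cluster.deuxfleurs.fr:389` plus the same TLS lines in both, makes the pair reviewable side by side. The hunk covers only the first nine lines, so any settings after `version = 3` are not visible here.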
@@ -29,3 +29,30 @@ chown -R 102:102 /mnt/storage/postgres/ It might be improved by staying with root, then chmoding in an entrypoint and finally switching to user 102 before executing user's command. Moreover it would enable the usage of the user namespace that shift the UIDs. + + +## Upgrading the cluster + +To retreive the current stolon config: + +``` +stolonctl spec --cluster-name pissenlit --store-backend consul --store-endpoints http://consul.service.2.cluster.deuxfleurs.fr:8500 +``` + +The important part for the LDAP: + +``` +{ + "pgHBA": [ + "host all postgres all md5", + "host replication replicator all md5", + "host all all all ldap ldapserver=bottin.service.2.cluster.deuxfleurs.fr ldapbasedn=\"ou=users,dc=deuxfleurs,dc=fr\" ldapbinddn=\"cn=admin,dc=deuxfleurs,dc=fr\" ldapbindpasswd=\"\" ldapsearchattribute=\"cn\"" + ] +} +``` + +Once a patch is writen: + +``` +stolonctl --cluster-name pissenlit --store-backend consul --store-endpoints http://consul.service.2.cluster.deuxfleurs.fr:8500 update --patch -f /tmp/patch.json +``` diff --git a/nomad/bottin2.hcl b/nomad/bottin2.hcl index 5a1fa12..6221d71 100644 --- a/nomad/bottin2.hcl +++ b/nomad/bottin2.hcl @@ -12,7 +12,7 @@ job "directory2" { task "bottin" { driver = "docker" config { - image = "lxpz/bottin_amd64:8" + image = "lxpz/bottin_amd64:10" readonly_rootfs = true port_map { ldap_port = 1389 @@ -61,7 +61,7 @@ job "directory2" { task "guichet" { driver = "docker" config { - image = "lxpz/guichet_amd64:2" + image = "lxpz/guichet_amd64:3" readonly_rootfs = true port_map { web_port = 9991 diff --git a/nomad/email.hcl b/nomad/email.hcl index 1d5c8c1..d5cdc83 100644 --- a/nomad/email.hcl +++ b/nomad/email.hcl 
@@ -131,6 +131,17 @@ job "email" { } } + artifact { + source = "http://127.0.0.1:8500/v1/kv/configuration/email/dovecot/dovecot-ldap.conf.tpl?raw" + destination = "secrets/conf/dovecot-ldap.conf.tpl" + mode = "file" + } + template { + source = "secrets/conf/dovecot-ldap.conf.tpl" + destination = "secrets/conf/dovecot-ldap.conf" + perms = "400" + } + template { data = "{{ key \"configuration/email/dovecot/dovecot.crt\" }}" destination = "secrets/ssl/certs/dovecot.crt" @@ -141,11 +152,6 @@ job "email" { destination = "secrets/ssl/private/dovecot.key" perms = "400" } - template { - data = "{{ key \"configuration/email/dovecot/dovecot-ldap.conf\" }}" - destination = "secrets/conf/dovecot-ldap.conf" - perms = "400" - } } } @@ -328,6 +334,27 @@ job "email" { } } + artifact { + source = "http://127.0.0.1:8500/v1/kv/configuration/email/postfix/ldap-account.cf.tpl?raw" + destination = "secrets/postfix/ldap-account.cf.tpl" + mode = "file" + } + template { + source = "secrets/postfix/ldap-account.cf.tpl" + destination = "secrets/postfix/ldap-account.cf" + } + + artifact { + source = "http://127.0.0.1:8500/v1/kv/configuration/email/postfix/ldap-alias.cf.tpl?raw" + destination = "secrets/postfix/ldap-alias.cf.tpl" + mode = "file" + } + template { + source = "secrets/postfix/ldap-alias.cf.tpl" + destination = "secrets/postfix/ldap-alias.cf" + } + + template { data = "{{ key \"configuration/email/postfix/postfix.crt\" }}" destination = "secrets/ssl/certs/postfix.crt" 
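Review bot: The new `artifact` stanza fetches the dovecot template from the Consul KV over `http://127.0.0.1:8500` once at task start, so unlike the `{{ key ... }}` templates around it an edit to `configuration/email/dovecot/dovecot-ldap.conf.tpl` in the KV is not picked up until the allocation is restarted, while the secrets the template references are re-rendered on change; a comment on the stanza such as `# fetched once at task start: changing the .tpl in Consul needs a job restart, only the secrets it references are live-reloaded` would spare the next operator a confusing debugging session. The loopback fetch also assumes the local Consul agent serves the KV without a token; if Consul ACLs are ever enabled, this stanza, unlike `template`, which goes through Nomad's own Consul integration, will start failing with no obvious link to the cause, which is worth a second line in the same comment. The task block this sits in starts and ends outside the hunk.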
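Review bot: The two new `template` stanzas rendering `ldap-account.cf` and `ldap-alias.cf` set no `perms`, so the files containing the postfix `bind_pw` land with Nomad's default `644`, while the dovecot template earlier in this file gets `perms = "400"`. Postfix performs LDAP lookups from unprivileged daemons, so a plain `400` may not work here as it does for dovecot; the usual arrangement is to restrict the file and reach it through `proxy:ldap:` in `main.cf`, or at least `perms = "640"` with an owner the lookup daemons can read as. Whichever is chosen, both stanzas deserve a `# contains bind_pw: do not leave world-readable` comment rather than the silent default, and the stray extra blank `+` line after the second stanza can go. The enclosing task block starts and ends outside the hunk.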
@@ -346,14 +373,6 @@ job "email" { data = "{{ key \"configuration/email/postfix/header_checks\" }}" destination = "secrets/postfix/header_checks" } - template { - data = "{{ key \"configuration/email/postfix/ldap-account.cf\" }}" - destination = "secrets/postfix/ldap-account.cf" - } - template { - data = "{{ key \"configuration/email/postfix/ldap-alias.cf\" }}" - destination = "secrets/postfix/ldap-alias.cf" - } template { data = "{{ key \"configuration/email/postfix/main.cf\" }}" destination = "secrets/postfix/main.cf"