diff --git a/defaults/main.yml b/defaults/main.yml index 030ba07..21701ce 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -17,6 +17,9 @@ rabbitmq_cluster_list: - rabbitmq02.rockylinux.org - rabbitmq03.rockylinux.org rabbitmq_env: "default" +rabbitmq_ldap_servers: + - ipa001.rockylinux.org + - ipa002.rockylinux.org # You can override this in your playbooks as well rabbitmq_plugins: diff --git a/tasks/federation.yml b/tasks/federation.yml index a417cd9..bba29e2 100644 --- a/tasks/federation.yml +++ b/tasks/federation.yml @@ -5,7 +5,7 @@ run_once: true delegate_to: "{{ rabbitmq_cluster_list[0] }}" community.rabbitmq.rabbitmq_user: - user: "rockypublic" + user: rockypubsub permissions: - vhost: configure_priv: "^(\\w{8}(-\\w{4}){3}-\\w{12})$" @@ -40,7 +40,7 @@ community.rabbitmq.rabbitmq_parameter: component: "federation-upstream" name: "pubsub-to-public_pubsub" - value: '{"uri": "amqps://pubsub_federation:@{{ rabbitmq_cluster_list[0] }}/%2Fpubsub?cacertfile=%2Fetc%2Fipa%2Fca.crt&certfile=%2Fetc%2Frabbitmq%2Fpubsub_federation.pem&keyfile=%2Fetc%2Frabbitmq%2Fpubsub_federation.key&verify=verify_peer&fail_if_no_peer_cert=true&server_name_indication=disabled&auth_mechanism=external", "ack-mode": "on-confirm"}' + value: 'novalue' state: present vhost: /public_pubsub when: rabbitmq_enable_public diff --git a/tasks/main.yml b/tasks/main.yml index a4e9792..730a9fc 100644 --- a/tasks/main.yml +++ b/tasks/main.yml @@ -8,6 +8,10 @@ - name: Deploy RabbitMQ configuration template: src: "etc/rabbitmq/{{ item }}.j2" + dest: "etc/rabbitmq/{{ item }}" + owner: rabbitmq + group: rabbitmq + mode: '0644' - name: Deploy erlang cookie copy: 
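Review bot: `value: 'novalue'` replaces the federation-upstream definition with a placeholder that is not a JSON term, so whenever `rabbitmq_enable_public` is true `community.rabbitmq.rabbitmq_parameter` will most likely fail on `rabbitmqctl set_parameter`, or at best leave the `pubsub-to-public_pubsub` upstream unusable. If the intent is to stop committing the URI, keep the JSON structure and move only the host and file paths into role variables rather than blanking the whole value. The dropped value also carried the upstream's TLS posture (`verify=verify_peer`, `fail_if_no_peer_cert=true`, `auth_mechanism=external`), so whatever replaces it should restore those rather than fall back to a plain `amqp://` URI; the old URI also set `server_name_indication=disabled`, which is worth reconsidering if the cluster certificates are issued per host. The task's `when:` is the last line visible; the rest of federation.yml is outside the hunk.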
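Review bot: `dest: "etc/rabbitmq/{{ item }}"` is a relative path, so the rendered configuration is written to `etc/rabbitmq/` under the connecting user's working directory (typically its home) instead of `/etc/rabbitmq/`, and the broker keeps starting with whatever config is already on disk; it should read `dest: "/etc/rabbitmq/{{ item }}"`. Because the rabbitmq.conf template in this same commit renders `rocky_ldap_bind_pw` into the file, `mode: '0644'` also leaves a directory-service bind credential world-readable; `mode: '0640'` together with the existing `group: rabbitmq` is enough for the broker to read it. The `template` task's item list and the surrounding tasks continue outside the hunk, so I cannot tell which files are rendered.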
@@ -23,10 +27,16 @@ file: path: /etc/systemd/system/rabbitmq-server.service.d state: directory + owner: root + group: root + mode: '0755' - name: Override nofile limit for RabbitMQ copy: dest: /etc/systemd/system/rabbitmq-server.service.d/99-override.conf + owner: root + group: root + mode: '0644' content: | [Service] LimitNOFILE={{ rabbitmq_cluster_file_limit }} @@ -36,6 +46,22 @@ names: "{{ rabbitmq_plugins | join(',') }}" state: enabled +- name: Open applicable firewall rules + ansible.posix.firewalld: + port: "{{ item }}" + permanent: true + state: enabled + immediate: true + loop: + - 1883/tcp + - 4369/tcp + - 5671/tcp + - 5672/tcp + - 8883/tcp + - 15672/tcp + - 25672/tcp + - 35672-35682/tcp + - name: Ensure RabbitMQ is running service: name: rabbitmq-server diff --git a/tasks/users.yml b/tasks/users.yml index 88f3227..e4365bd 100644 --- a/tasks/users.yml +++ b/tasks/users.yml @@ -13,9 +13,9 @@ user: rockyadmin password: "{{ rabbitmq_admin_password }}" vhost: "{{ item }}" - configure_priv: .* - read_priv: .* - write_priv: .* + configure_priv: ".*" + read_priv: ".*" + write_priv: ".*" tags: administrator when: inventory_hostname.startswith('rabbitmq01') with_items: diff --git a/templates/etc/rabbitmq/rabbitmq.conf.j2 b/templates/etc/rabbitmq/rabbitmq.conf.j2 new file mode 100644 index 0000000..759fc0b --- /dev/null +++ b/templates/etc/rabbitmq/rabbitmq.conf.j2 
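Review bot: The new firewalld task opens the Erlang distribution ports (`4369/tcp` epmd, `25672/tcp` inter-node, `35672-35682/tcp` CLI) to every source, and those ports are protected only by the shared Erlang cookie copied by an earlier task in this file, so anyone who can reach the host and obtains the cookie effectively gets code execution as the broker user. The cluster-only ports should be restricted to the peers in `rabbitmq_cluster_list` via a `rich_rule` keyed on source address (those are hostnames, so they would need resolving first, e.g. a dedicated peer-address variable such as the `rabbitmq_cluster_peer_addrs` assumed below), leaving only client listeners in the plain `port:` task. It is also worth confirming that the plaintext listeners `5672` and `1883` and the management UI on `15672` are meant to be reachable from outside, given the broker also offers `5671`/`8883` and no `15671` is opened, so management traffic is HTTP only. The `Ensure RabbitMQ is running` task that follows continues outside the hunk.
```yaml
- name: Open client-facing firewall ports
  ansible.posix.firewalld:
    port: "{{ item }}"
    permanent: true
    state: enabled
    immediate: true
  loop:
    - 1883/tcp
    - 5671/tcp
    - 5672/tcp
    - 8883/tcp
    - 15672/tcp

- name: Open cluster-internal ports to cluster peers only
  ansible.posix.firewalld:
    rich_rule: "rule family=ipv4 source address={{ item.1 }} port port={{ item.0 }} protocol=tcp accept"
    permanent: true
    state: enabled
    immediate: true
  loop: "{{ ['4369', '25672', '35672-35682'] | product(rabbitmq_cluster_peer_addrs) }}"
```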
@@ -0,0 +1,46 @@
+listeners.ssl.default = 5671
+listeners.tcp.default = 5672
+
+num_acceptors.tcp = 10
+num_acceptors.ssl = 10
+
+reverse_dns_lookups = true
+
+rabbitmq_tls_ca_cert: "/etc/pki/tls/certs/ca-bundle.crt"
+rabbitmq_tls_cert: "/etc/pki/tls/certs/{{ ansible_fqdn }}.crt"
+rabbitmq_tls_key: "/etc/pki/tls/private/{{ ansible_fqdn }}.key"
+
+ssl_options.verify = verify_peer
+ssl_options.fail_if_no_peer_cert = false
+ssl_options.cacertfile = {{ rabbitmq_tls_ca_cert }}
+ssl_options.certfile = {{ rabbitmq_tls_cert }}
+ssl_options.keyfile = {{ rabbitmq_tls_key }}
+
+# Authentication Backends
+auth_backends.1.authn = ldap
+auth_backends.1.authz = internal
+auth_backends.2 = internal
+auth_mechanisms.1 = PLAIN
+auth_mechanisms.2 = EXTERNAL
+auth_mechanisms.3 = AMQPLAIN
+
+ssl_cert_login_from = common_name
+auth_ldap.dn_lookup_bind.user_dn = {{ rocky_ldap_bind_dn }}
+auth_ldap.dn_lookup_bind.password = {{ rocky_ldap_bind_pw }}
+auth_ldap.dn_lookup_attribute = uid
+auth_ldap.dn_lookup_base = {{ rocky_ldap_account_basedn }}
+auth_ldap.port = 389
+{% for ldapsrv in rabbitmq_ldap_servers %}
+auth_ldap.servers.{{ loop.index }} = {{ ldapsrv }}
+{% endfor %}
+
+cluster_name = {{ rabbitmq_cluster_name }}
+password_hashing_module = rabbit_password_hashing_sha256
+
+uster_partition_handling = autoheal
+cluster_formation.node_type = disc
+
+product.name = RockyMQ!
+product.version = 0.0.1
+
+disk_free_limit.relative = 2.0
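Review bot: `uster_partition_handling = autoheal` is missing its first letter, and the three `rabbitmq_tls_*: "..."` lines are Ansible-variable syntax rather than `key = value` Cuttlefish entries, so the rendered rabbitmq.conf will most likely be rejected by the config parser (and if those variables are not defined elsewhere in the role, the render itself fails on `{{ rabbitmq_tls_ca_cert }}`). The line should read `cluster_partition_handling = autoheal`, and the three variable definitions belong in defaults/main.yml, not in the template. Separately, `auth_ldap.port = 389` with neither `auth_ldap.use_ssl` nor `auth_ldap.use_starttls` set means the bind credential in `auth_ldap.dn_lookup_bind.password`, and every user password submitted over PLAIN/AMQPLAIN for LDAP authn, crosses the wire to `ipa001`/`ipa002` in cleartext; use `auth_ldap.port = 636` with `auth_ldap.use_ssl = true`, `auth_ldap.ssl_options.verify = verify_peer` and `auth_ldap.ssl_options.cacertfile` pointing at the IPA CA, or at minimum `auth_ldap.use_starttls = true`. Since the bind password is rendered into this file, the deploying task's `mode: '0644'` should be tightened to `'0640'` so it is not world-readable.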