diff --git a/seed/applicationservice/2022.03.08/dovecot/dictionaries/22_dovecot.xml b/seed/applicationservice/2022.03.08/dovecot/dictionaries/26_dovecot.xml
similarity index 98%
rename from seed/applicationservice/2022.03.08/dovecot/dictionaries/22_dovecot.xml
rename to seed/applicationservice/2022.03.08/dovecot/dictionaries/26_dovecot.xml
index fff7eca5..c711bea9 100644
--- a/seed/applicationservice/2022.03.08/dovecot/dictionaries/22_dovecot.xml
+++ b/seed/applicationservice/2022.03.08/dovecot/dictionaries/26_dovecot.xml
@@ -86,6 +86,9 @@
       <variable name='external_imap_key' type="filename" hidden='True' multi='True'/>
     </family>
     <family name="nginx">
+      <variable name="nginx_default_https" redefine="True">
+        <value>False</value>
+      </variable>
       <variable name="revprox_client_external_domainnames" redefine="True" mandatory="False"/>
       <family name="revprox_client">
         <variable name="revprox_client_location" redefine="True" mandatory="False">
diff --git a/seed/applicationservice/2022.03.08/gitea/dictionaries/31_gitea.xml b/seed/applicationservice/2022.03.08/gitea/dictionaries/31_gitea.xml
index 2a22d6ee..8855276f 100644
--- a/seed/applicationservice/2022.03.08/gitea/dictionaries/31_gitea.xml
+++ b/seed/applicationservice/2022.03.08/gitea/dictionaries/31_gitea.xml
@@ -89,7 +89,7 @@
       <param name="length" type="number">43</param>
       <target>gitea_lfs_jwt_secret</target>
     </fill>
-    <fill name="calc_oauth2_client_external">
+    <fill name="calc_oauth2_client_login">
       <param type="variable" optional="True">revprox_client_external_domainnames</param>
       <param type="variable" optional="True">revprox_client_location</param>
       <param>user/oauth2/</param>
diff --git a/seed/applicationservice/2022.03.08/lemonldap/dictionaries/70_lemonldap_ng.xml b/seed/applicationservice/2022.03.08/lemonldap/dictionaries/70_lemonldap_ng.xml
index 816e2aaa..9532c815 100644
--- a/seed/applicationservice/2022.03.08/lemonldap/dictionaries/70_lemonldap_ng.xml
+++ b/seed/applicationservice/2022.03.08/lemonldap/dictionaries/70_lemonldap_ng.xml
@@ -22,6 +22,11 @@
     </service>
   </services>
   <variables>
+    <family name="nginx">
+      <variable name="nginx_default_https" redefine="True">
+        <value>False</value>
+      </variable>
+    </family>
     <family name="lemonldap" description="LemonLDAP" help="Configuration de la solution d'authentification unique LemonLDAP::NG">
       <variable name="lemon_proc" type="number" description="Nombre de processus dédié à LemonLdap (équivalent au nombre de processeurs)" mandatory="True">
         <value>1</value>
@@ -33,7 +38,15 @@
         <variable name='ldapclient_family' redefine="True">
           <value>all</value>
         </variable>
+        <variable name='ldapclient_group_dn' type='string' description="Base DN de l'annuaire des groupes" mandatory="False"/>
       </family>
     </family>
   </variables>
+  <constraints>
+    <fill name="get_linked_configuration">
+      <param name="linked_server" type="variable">ldap_server_address</param>
+      <param name="linked_provider">ldap_group</param>
+      <target>ldapclient_group_dn</target>
+    </fill>
+  </constraints>
 </rougail>
diff --git a/seed/applicationservice/2022.03.08/lemonldap/extras/oauth2/00_oauth2.xml b/seed/applicationservice/2022.03.08/lemonldap/extras/oauth2/00_oauth2.xml
index 7c72c61d..924ef09e 100644
--- a/seed/applicationservice/2022.03.08/lemonldap/extras/oauth2/00_oauth2.xml
+++ b/seed/applicationservice/2022.03.08/lemonldap/extras/oauth2/00_oauth2.xml
@@ -2,17 +2,15 @@
 <rougail version="0.10">
   <variables>
     <variable name="remotes" description="Remote clients needing to verify OAuth2 account" type="domainname" multi="True" provider="oauth2"/>
-    <family name="oauth2_" description="OAuth2 for" dynamic="oauth2.remotes">
-      <variable name="secret_" description="Remote secret for" type="password" mandatory="True" hidden="True" provider="oauth2_secret"/>
-      <variable name="name_" description="Remote name for" hidden="True" provider="oauth2_name"/>
-      <variable name="description_" description="Remote description for" hidden="True" provider="oauth2_description"/>
+    <family name="oauth2_" description="OAuth2 for " dynamic="oauth2.remotes">
+      <variable name="secret_" description="Remote secret for " type="password" mandatory="True" hidden="True" provider="oauth2_secret"/>
+      <variable name="name_" description="Remote name for " hidden="True" provider="oauth2_name"/>
+      <variable name="description_" description="Remote description for " hidden="True" provider="oauth2_description"/>
       <variable name="category_" hidden="True" provider="oauth2_category"/>
       <variable name="login_" description="Remote URL to login" hidden="True" provider="oauth2_login"/>
       <family name="external_" leadership="True">
-        <variable name="hosts_" description="Remote external for" provider="oauth2_external" multi="True"/>
-        <variable name="family_" hidden="True" provider="oauth2_family">
-          <value>users</value>
-        </variable>
+        <variable name="hosts_" description="Remote external for " provider="oauth2_external" multi="True"/>
+        <variable name="family_" hidden="True" provider="oauth2_family"/>
       </family>
       <variable name="logo_" hidden="True" provider="oauth2_logo"/>
       <variable name="token_signature_algo_" type="choice" description="OAuth2 token signature algorithm" mandatory='True' hidden="True" provider="oauth2_token_signature_algo">
@@ -21,15 +19,5 @@
       </variable>
     </family>
   </variables>
-  <constraints>
-    <fill name="get_password">
-      <param name="server_name" type="variable">domain_name_eth0</param>
-      <param name="username" type="suffix"/>
-      <param name="description">remote</param>
-      <param name="type">cleartext</param>
-      <param name="hide" type="variable">hide_secret</param>
-      <target>oauth2.oauth2_.secret_</target>
-    </fill>
-  </constraints>
 </rougail>
 
diff --git a/seed/applicationservice/2022.03.08/lemonldap/templates/lmConf-1.json b/seed/applicationservice/2022.03.08/lemonldap/templates/lmConf-1.json
index 832fe91c..c7dd06fd 100644
--- a/seed/applicationservice/2022.03.08/lemonldap/templates/lmConf-1.json
+++ b/seed/applicationservice/2022.03.08/lemonldap/templates/lmConf-1.json
@@ -22,7 +22,7 @@ commentStartToken = §
       "givenName" : "givenName",
       "home" : "homeDirectory"
    },
-   "ldapGroupBase" : "%%ldapclient_base_dn",
+   "ldapGroupBase" : "%%ldapclient_group_dn",
    "ldapGroupAttributeName" : "member",
    "ldapGroupAttributeNameUser" : "cn",
    "ldapGroupAttributeNameGroup" : "dn",
@@ -72,8 +72,7 @@ commentStartToken = §
      },
      "%%domain" : {
         "^/logout" : "logout_sso",
-§ FIXME       "default" : "$groups eq %%external['family_' + %%key]"
-        "default" : "accept"
+        "default" : "$groups eq \"%%external['family_' + %%key]\""
 %%domains.append(%%domain)%slurp
    %end if
   %end for
diff --git a/seed/applicationservice/2022.03.08/lemonldap/templates/portal-nginx.conf b/seed/applicationservice/2022.03.08/lemonldap/templates/portal-nginx.conf
index 9ab815cf..1ec0e3a4 100644
--- a/seed/applicationservice/2022.03.08/lemonldap/templates/portal-nginx.conf
+++ b/seed/applicationservice/2022.03.08/lemonldap/templates/portal-nginx.conf
@@ -15,24 +15,24 @@ upstream llng_portal_upstream {
     server unix:/var/run/llng-fastcgi-server/llng-fastcgi.sock;
 }
 
-server {
-  listen 127.0.0.1:80;
-  server_name localhost;
-  root /usr/share/lemonldap-ng/portal/htdocs/;
-  if ($uri !~ ^/((static|javascript|favicon|.internal-well-known).*|.*\.psgi)) {
-    rewrite ^/(.*)$ /index.psgi/$1 break;
-  }
-  location ~ ^(?<sc>/.*\.psgi)(?:$|/) {
-    include /etc/nginx/fastcgi_params;
-    fastcgi_pass llng_portal_upstream;
-    fastcgi_param REQUEST_URI /.well-known/openid-configuration;
-    fastcgi_param HTTP_HOST %%domain_name_eth0;
-    fastcgi_param LLTYPE psgi;
-    fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
-    fastcgi_split_path_info ^(.*\.psgi)(/.*)$;
-    fastcgi_param PATH_INFO  $fastcgi_path_info;
-  }
-}
+# GNUNUX server {
+# GNUNUX   listen 127.0.0.1:80;
+# GNUNUX   server_name localhost;
+# GNUNUX   root /usr/share/lemonldap-ng/portal/htdocs/;
+# GNUNUX   if ($uri !~ ^/((static|javascript|favicon|.internal-well-known).*|.*\.psgi)) {
+# GNUNUX     rewrite ^/(.*)$ /index.psgi/$1 break;
+# GNUNUX   }
+# GNUNUX   location ~ ^(?<sc>/.*\.psgi)(?:$|/) {
+# GNUNUX     include /etc/nginx/fastcgi_params;
+# GNUNUX     fastcgi_pass llng_portal_upstream;
+# GNUNUX     fastcgi_param REQUEST_URI /.well-known/openid-configuration;
+# GNUNUX     fastcgi_param HTTP_HOST %%domain_name_eth0;
+# GNUNUX     fastcgi_param LLTYPE psgi;
+# GNUNUX     fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+# GNUNUX     fastcgi_split_path_info ^(.*\.psgi)(/.*)$;
+# GNUNUX     fastcgi_param PATH_INFO  $fastcgi_path_info;
+# GNUNUX   }
+# GNUNUX }
 
 server {
   # GNUNUX listen 80;
diff --git a/seed/applicationservice/2022.03.08/mailman/dictionaries/31_mailman.xml b/seed/applicationservice/2022.03.08/mailman/dictionaries/31_mailman.xml
index 1c71bb94..b7055029 100644
--- a/seed/applicationservice/2022.03.08/mailman/dictionaries/31_mailman.xml
+++ b/seed/applicationservice/2022.03.08/mailman/dictionaries/31_mailman.xml
@@ -65,7 +65,7 @@
     <fill name="calc_oauth2_client_external">
       <param type="variable">revprox_client_external_domainnames</param>
       <param type="variable">revprox_client_location</param>
-      <param>/accounts/risotto/login/</param>
+      <param>accounts/risotto/login/</param>
       <target>oauth2_client_external</target>
     </fill>
   </constraints>
diff --git a/seed/applicationservice/2022.03.08/nginx-common/dictionaries/20_nginx.xml b/seed/applicationservice/2022.03.08/nginx-common/dictionaries/20_nginx.xml
index 70bab6ec..2279a56b 100644
--- a/seed/applicationservice/2022.03.08/nginx-common/dictionaries/20_nginx.xml
+++ b/seed/applicationservice/2022.03.08/nginx-common/dictionaries/20_nginx.xml
@@ -11,19 +11,22 @@
       <file engine="none" source="sysusers.nginx.conf" filelist="nginx_fedora">/sysusers.d/nginx.conf</file>
       <file source="tmpfiles.nginx.conf">/tmpfiles.d/nginx.conf</file>
       <file file_type="variable" source="ca_InternalReverseProxy.crt">revprox_ca_file</file>
-      <file filelist="nginx_https" mode="600">/etc/pki/tls/certs/nginx.crt</file>
-      <file filelist="nginx_https" mode="600">/etc/pki/tls/private/nginx.key</file>
+      <file filelist="nginx_default_https" mode="600">/etc/pki/tls/certs/nginx.crt</file>
+      <file filelist="nginx_default_https" mode="600">/etc/pki/tls/private/nginx.key</file>
     </service>
   </services>
   <variables>
     <family name="nginx" description="NGINX" help="Paramétrage global de NGINX">
+      <variable name="nginx_default_http" type="boolean" description="Activer la gestion du répertoire default.d en HTTP sur le serveur" mandatory='True' hidden="True">
+        <value>False</value>
+      </variable>
+      <variable name="nginx_default_https" type="boolean" description="Activer la gestion du répertoire default.d en HTTPS sur le serveur" mandatory='True' hidden="True">
+        <value>False</value>
+      </variable>
       <variable name="nginx_default" type="domainname" description="Nom de domaine du serveur mandataire inverse par défaut" help="Si un client accède au serveur avec un nom de domaine non déclaré, le flux est redirigé vers ce domaine" mandatory='False'/>
       <variable name="nginx_root" type="filename" mandatory='False'>
         <value>/usr/share/nginx/html</value>
       </variable>
-      <variable name="nginx_https" type="boolean" description="Activer HTTPS sur le serveur" mandatory='True' hidden="True">
-        <value>False</value>
-      </variable>
       <variable name="nginx_hash_bucket_size" description="Longueur maximum pour un nom de domaine" mode="expert" type="choice">
         <value>128</value>
         <choice type="string">128</choice>
@@ -40,14 +43,17 @@
     <condition name="disabled_if_not_in" source="os_name">
       <param>Fedora</param>
       <target type="filelist">nginx_fedora</target>
+      <target>nginx_default</target>
+      <target>nginx_default_http</target>
+      <target>nginx_default_https</target>
     </condition>
     <condition name="disabled_if_in" source="nginx_default">
       <param type="nil"/>
       <target type="filelist">nginx_default</target>
     </condition>
-    <condition name="disabled_if_in" source="nginx_https">
+    <condition name="disabled_if_in" source="nginx_default_https">
       <param type="boolean">False</param>
-      <target type="filelist">nginx_https</target>
+      <target type="filelist">nginx_default_https</target>
     </condition>
     <fill name="calc_value">
       <param type="variable">tls_ca_directory</param>
diff --git a/seed/applicationservice/2022.03.08/nginx-common/templates/nginx.conf b/seed/applicationservice/2022.03.08/nginx-common/templates/nginx.conf
index 9d4ecd95..758cb4de 100644
--- a/seed/applicationservice/2022.03.08/nginx-common/templates/nginx.conf
+++ b/seed/applicationservice/2022.03.08/nginx-common/templates/nginx.conf
@@ -52,7 +52,7 @@ http {
     # for more information.
     include /etc/nginx/conf.d/*.conf;
 %if %%os_name == 'Fedora'
- %if %%nginx_default
+ %if %%nginx_default_http
     server {
         listen       80;
         listen       [::]:80;
@@ -73,7 +73,7 @@ http {
  %end if
 # Settings for a TLS enabled server.
 #
- %if %%nginx_https
+ %if %%nginx_default_https
     server {
         listen       443 ssl http2;
         server_name  %%domain_name_eth0;
diff --git a/seed/applicationservice/2022.03.08/nginx-https/dictionaries/25_nginx.xml b/seed/applicationservice/2022.03.08/nginx-https/dictionaries/25_nginx.xml
index 65ec9bb6..f908f0b5 100644
--- a/seed/applicationservice/2022.03.08/nginx-https/dictionaries/25_nginx.xml
+++ b/seed/applicationservice/2022.03.08/nginx-https/dictionaries/25_nginx.xml
@@ -7,7 +7,7 @@
   </services>
   <variables>
     <family name="nginx">
-      <variable name="nginx_https" redefine="True">
+      <variable name="nginx_default_https" redefine="True">
         <value>True</value>
       </variable>
       <variable name="php_fpm_user" redefine="True" exists="True">
diff --git a/seed/applicationservice/2022.03.08/nginx-reverse-proxy/dictionaries/25_nginx.xml b/seed/applicationservice/2022.03.08/nginx-reverse-proxy/dictionaries/25_nginx.xml
index 910feb89..515ff0b9 100644
--- a/seed/applicationservice/2022.03.08/nginx-reverse-proxy/dictionaries/25_nginx.xml
+++ b/seed/applicationservice/2022.03.08/nginx-reverse-proxy/dictionaries/25_nginx.xml
@@ -18,6 +18,9 @@
     </family>
     <family name="nginx" description="NGINX" help="Paramétrage global de NGINX">
       <variable name="nginx_default" redefine="True" mandatory="True"/>
+      <variable name="nginx_default_http" redefine="True">
+        <value>True</value>
+      </variable>
       <variable name="revprox_domainnames" type="domainname" description="Nom des domaines à configurer dans le serveur mandataire inverse" help="Liste des domaines gérés par le serveur mandataire inverse" multi="True"/>
       <variable name="revprox_domainnames_auto" type="domainname" description="Nom des domaines auto-configurés dans le serveur mandataire inverse" multi="True" provider="revprox_clients" hidden="True"/>
       <variable name="revprox_domainnames_all" type="domainname" description="Tous les noms de domaines" multi="True" hidden="True"/>
diff --git a/seed/applicationservice/2022.03.08/oauth2-client/dictionaries/30_oauth2_client.xml b/seed/applicationservice/2022.03.08/oauth2-client/dictionaries/30_oauth2_client.xml
index ffc384a7..9d3d0bcb 100644
--- a/seed/applicationservice/2022.03.08/oauth2-client/dictionaries/30_oauth2_client.xml
+++ b/seed/applicationservice/2022.03.08/oauth2-client/dictionaries/30_oauth2_client.xml
@@ -8,7 +8,7 @@
       </variable>
       <variable name="oauth2_client_name" description="OAuth2 client name" mandatory='True'/>
       <variable name="oauth2_client_description" description="OAuth2 client description" mandatory='True'/>
-      <variable name="oauth2_client_login" type="web_address" description="OAuth2 URL to valid login" multi="True"/>
+      <variable name="oauth2_client_login" type="web_address" description="OAuth2 URL to valid login"/>
       <family name="external">
         <variable name="oauth2_client_external" type="web_address" description="OAuth2 client external" mandatory='True' multi="True"/>
         <variable name="oauth2_client_family" description="OAuth2 family">
@@ -37,72 +37,44 @@
       <param>OAuth2</param>
       <target>oauth2_client_server_domainname</target>
     </fill>
-    <fill name="set_linked">
-      <param name="linked_server" type="variable">oauth2_client_server_domainname</param>
-      <param name="linked_provider">oauth2</param>
-      <param name="linked_value" type="variable">domain_name_eth0</param>
+    <fill name="normalize_family">
+      <param type="variable">domain_name_eth0</param>
       <target>oauth2_client_id</target>
     </fill>
-    <fill name="get_linked_configuration">
-      <param name="linked_server" type="variable">oauth2_client_server_domainname</param>
-      <param name="linked_provider">oauth2_secret</param>
-      <param name="dynamic" type="variable">oauth2_client_id</param>
+    <fill name="get_password">
+      <param name="server_name" type="variable">domain_name_eth0</param>
+      <param name="username" type="variable">oauth2_client_id</param>
+      <param name="description">remote</param>
+      <param name="type">cleartext</param>
+      <param name="hide" type="variable">hide_secret</param>
       <target>oauth2_client_secret</target>
     </fill>
-    <fill name="get_linked_configuration">
-      <param name="linked_server" type="variable">oauth2_client_server_domainname</param>
-      <param name="linked_provider">external_domainname</param>
+    <fill name="set_linked_multi_variables">
+      <param type="variable">oauth2_client_server_domainname</param>
+      <param name="linked_value_0" type="variable">domain_name_eth0</param>
+      <param name="linked_provider_0">oauth2</param>
+      <param name="linked_value_1" type="variable">oauth2_client_secret</param>
+      <param name="linked_provider_1">oauth2_secret</param>
+      <param name="linked_value_2" type="variable" propertyerror="False">oauth2_client_name</param>
+      <param name="linked_provider_2">oauth2_name</param>
+      <param name="linked_value_3" type="variable" propertyerror="False">oauth2_client_description</param>
+      <param name="linked_provider_3">oauth2_description</param>
+      <param name="linked_value_4" type="variable" propertyerror="False">oauth2_client_external</param>
+      <param name="linked_provider_4">oauth2_external</param>
+      <param name="linked_value_5" type="variable" propertyerror="False">oauth2_client_family</param>
+      <param name="linked_provider_5">oauth2_family</param>
+      <param name="linked_value_6" type="variable">oauth2_client_category</param>
+      <param name="linked_provider_6">oauth2_category</param>
+      <param name="linked_value_7" type="variable">oauth2_client_logo</param>
+      <param name="linked_provider_7">oauth2_logo</param>
+      <param name="linked_value_8" type="variable">oauth2_client_login</param>
+      <param name="linked_provider_8">oauth2_login</param>
+      <param name="allow_none_8" type="boolean">True</param>
+      <param name="linked_value_9" type="variable">oauth2_client_token_signature_algo</param>
+      <param name="linked_provider_9">oauth2_token_signature_algo</param>
+      <param name="linked_returns">external_domainname</param>
       <target>oauth2_server_domainname</target>
     </fill>
-    <check name="set_linked_configuration">
-      <param name="linked_server" type="variable">oauth2_client_server_domainname</param>
-      <param name="linked_provider">oauth2_name</param>
-      <param name="dynamic" type="variable">oauth2_client_id</param>
-      <target>oauth2_client_name</target>
-    </check>
-    <check name="set_linked_configuration">
-      <param name="linked_server" type="variable">oauth2_client_server_domainname</param>
-      <param name="linked_provider">oauth2_description</param>
-      <param name="dynamic" type="variable">oauth2_client_id</param>
-      <target>oauth2_client_description</target>
-    </check>
-    <check name="set_linked_configuration">
-      <param name="linked_server" type="variable">oauth2_client_server_domainname</param>
-      <param name="linked_provider">oauth2_category</param>
-      <param name="dynamic" type="variable">oauth2_client_id</param>
-      <target>oauth2_client_category</target>
-    </check>
-    <check name="set_linked_configuration">
-      <param name="linked_server" type="variable">oauth2_client_server_domainname</param>
-      <param name="linked_provider">oauth2_external</param>
-      <param name="dynamic" type="variable">oauth2_client_id</param>
-      <target>oauth2_client_external</target>
-    </check>
-    <check name="set_linked_configuration">
-      <param name="linked_server" type="variable">oauth2_client_server_domainname</param>
-      <param name="linked_provider">oauth2_logo</param>
-      <param name="dynamic" type="variable">oauth2_client_id</param>
-      <target>oauth2_client_logo</target>
-    </check>
-    <check name="set_linked_configuration">
-      <param name="linked_server" type="variable">oauth2_client_server_domainname</param>
-      <param name="linked_provider">oauth2_family</param>
-      <param name="leader_provider">oauth2_external</param>
-      <param name="dynamic" type="variable">oauth2_client_id</param>
-      <target>oauth2_client_family</target>
-    </check>
-    <check name="set_linked_configuration">
-      <param name="linked_server" type="variable">oauth2_client_server_domainname</param>
-      <param name="linked_provider">oauth2_login</param>
-      <param name="dynamic" type="variable">oauth2_client_id</param>
-      <target>oauth2_client_login</target>
-    </check>
-    <check name="set_linked_configuration">
-      <param name="linked_server" type="variable">oauth2_client_server_domainname</param>
-      <param name="linked_provider">oauth2_token_signature_algo</param>
-      <param name="dynamic" type="variable">oauth2_client_id</param>
-      <target>oauth2_client_token_signature_algo</target>
-    </check>
     <fill name="calc_oauth2_client_external">
       <param type="variable" optional="True">revprox_client_external_domainnames</param>
       <param type="variable" optional="True">revprox_client_location</param>
diff --git a/seed/applicationservice/2022.03.08/oauth2-client/funcs/oauth2_client.py b/seed/applicationservice/2022.03.08/oauth2-client/funcs/oauth2_client.py
index 29b1f55f..47647fed 100644
--- a/seed/applicationservice/2022.03.08/oauth2-client/funcs/oauth2_client.py
+++ b/seed/applicationservice/2022.03.08/oauth2-client/funcs/oauth2_client.py
@@ -8,3 +8,18 @@ def calc_oauth2_client_external(external, location, *extras):
     if isinstance(external, list):
         return [f'https://{exter}{location[0]}' + ''.join(extras) for exter in external]
     return f'https://{external}{location[0]}' + ''.join(extras)
+
+
+def calc_oauth2_client_login(external, location, *extras):
+    if not external or not location or None in extras:
+        return
+    if isinstance(external, list):
+        return f'https://{external[0]}{location[0]}' + ''.join(extras)
+    return f'https://{external}{location[0]}' + ''.join(extras)
+
+
+@_multi_function
+def calc_oauth2_families(families: list) -> list:
+    def _calc_family(family):
+        return family if family else 'users'
+    return [_calc_family(family) for family in families]
diff --git a/seed/applicationservice/2022.03.08/openldap/dictionaries/21_openldap-server.xml b/seed/applicationservice/2022.03.08/openldap/dictionaries/21_openldap-server.xml
index 4354fb32..d0f712d5 100644
--- a/seed/applicationservice/2022.03.08/openldap/dictionaries/21_openldap-server.xml
+++ b/seed/applicationservice/2022.03.08/openldap/dictionaries/21_openldap-server.xml
@@ -75,7 +75,10 @@
         <variable name='ldapclient_user' redefine="True"/>
         <!--variable name='ldapclient_user_password' redefine="True"/-->
         <variable name='ldapclient_family' redefine="True" disabled="True"/>
-        <variable name='ldapclient_base_dn' redefine="True" mandatory="True" provider="ldap_dn"/>
+        <variable name='ldapclient_base_dn' redefine="True" mandatory="True" provider="ldap_dn"  description="Base DN"/>
+        <variable name='ldap_account_dn' type='string' description="Base DN de l'annuaire des utilisateurs" mandatory="True"/>
+        <variable name='ldap_user_dn' type='string' description="Base DN de l'annuaire des utilisateurs n'appartenant à une famille" mandatory="True"/>
+        <variable name='ldap_group_dn' type='string' description="Base DN de l'annuaire des groupes" mandatory="True" provider="ldap_group"/>
       </family>
     </family>
   </variables>
@@ -89,6 +92,20 @@
       <param type="variable">domain_name_eth0</param>
       <target>ldapclient_base_dn</target>
     </fill>
+    <fill name="calc_ldapclient_base_dn">
+      <param type="variable">ldapclient_base_dn</param>
+      <param name="base" type="boolean">True</param>
+      <target>ldap_account_dn</target>
+    </fill>
+    <fill name="calc_ldapclient_base_dn">
+      <param type="variable">ldapclient_base_dn</param>
+      <param name="group" type="boolean">True</param>
+      <target>ldap_group_dn</target>
+    </fill>
+    <fill name="calc_ldapclient_base_dn">
+      <param type="variable">ldapclient_base_dn</param>
+	  <target>ldap_user_dn</target>
+    </fill>
     <fill name='calc_value'>
       <param>cn=admin</param>
       <param type='variable'>ldapclient_base_dn</param>
diff --git a/seed/applicationservice/2022.03.08/openldap/templates/config_acl.ldif b/seed/applicationservice/2022.03.08/openldap/templates/config_acl.ldif
index 86e1c008..30123bd5 100644
--- a/seed/applicationservice/2022.03.08/openldap/templates/config_acl.ldif
+++ b/seed/applicationservice/2022.03.08/openldap/templates/config_acl.ldif
@@ -13,7 +13,7 @@ olcAccess: {0}to attrs=userPassword
     by self write
     by anonymous auth
     by * none
-olcAccess: {1}to dn.subtree="%%calc_ldapclient_base_dn(%%ldapclient_base_dn, family_name=None, group=True)"
+olcAccess: {1}to dn.subtree="%%ldap_group_dn"
 %for group in %%groups
     by dn="%%group" read
 %end for
@@ -21,7 +21,7 @@ olcAccess: {1}to dn.subtree="%%calc_ldapclient_base_dn(%%ldapclient_base_dn, fam
 %set %%aclidx = 2
 %for %%family, %%remotes in %%dns.items()
  %if %%family == 'all'
-olcAccess: {%%aclidx}to dn.subtree="%%calc_ldapclient_base_dn(%%ldapclient_base_dn, family_name=None, base=True)"
+olcAccess: {%%aclidx}to dn.subtree="%%ldap_account_dn"
  %else
 olcAccess: {%%aclidx}to dn.subtree="%%calc_ldapclient_base_dn(%%ldapclient_base_dn, %%family)"
  %end if
diff --git a/seed/applicationservice/2022.03.08/openldap/templates/users.ldif b/seed/applicationservice/2022.03.08/openldap/templates/users.ldif
index 76848136..03c6f1d3 100644
--- a/seed/applicationservice/2022.03.08/openldap/templates/users.ldif
+++ b/seed/applicationservice/2022.03.08/openldap/templates/users.ldif
@@ -23,13 +23,13 @@ objectClass: inetOrgPerson
 
 %end for
 # Accounts
-dn: %%calc_ldapclient_base_dn(%%ldapclient_base_dn, family_name=None, base=True)
+dn: %%ldap_account_dn
 ou: accounts
 objectClass: top
 objectClass: organizationalUnit
 
 ## Accounts users
-%set %%users = %%calc_ldapclient_base_dn(%%ldapclient_base_dn, family_name=None)
+%set %%users = %%ldap_user_dn
 dn: %%users
 ou: users
 objectClass: top
@@ -100,7 +100,7 @@ objectClass: inetLocalMailRecipient
   %end for
 %end for
 ## Groups
-%set %%groupdn = %%calc_ldapclient_base_dn(%%ldapclient_base_dn, family_name=None, group=True)
+%set %%groupdn = %%ldap_group_dn
 dn: %%groupdn
 ou: groups
 objectClass: top
diff --git a/seed/applicationservice/2022.03.08/openldap/templates/users_mod.ldif b/seed/applicationservice/2022.03.08/openldap/templates/users_mod.ldif
index 90427daf..9ff3b249 100644
--- a/seed/applicationservice/2022.03.08/openldap/templates/users_mod.ldif
+++ b/seed/applicationservice/2022.03.08/openldap/templates/users_mod.ldif
@@ -8,7 +8,7 @@ userPassword:: %%ssha_encode(%%accounts['remote_' + %%name]['password_' + %%name
 
 %end for
 # Users
-%set %%users = %%calc_ldapclient_base_dn(%%ldapclient_base_dn, '')
+%set %%users = %%ldap_user_dn
 %for %%user in %%accounts.users.ldap_user_mail
 dn: cn=%%user,%%users
 changetype: modify
diff --git a/seed/applicationservice/2022.03.08/postgresql-client/dictionaries/23_postgresql.xml b/seed/applicationservice/2022.03.08/postgresql-client/dictionaries/23_postgresql.xml
index b58a2c73..9a64f739 100644
--- a/seed/applicationservice/2022.03.08/postgresql-client/dictionaries/23_postgresql.xml
+++ b/seed/applicationservice/2022.03.08/postgresql-client/dictionaries/23_postgresql.xml
@@ -20,30 +20,24 @@
     </family>
   </variables>
   <constraints>
+    <fill name="normalize_family">
+      <param type="variable">domain_name_eth0</param>
+      <target>pg_client_username</target>
+    </fill>
     <fill name="get_provider_name">
       <param type="variable">zone_name_eth0</param>
       <param>Postgresql</param>
       <target>pg_client_server_domainname</target>
     </fill>
-    <fill name="set_linked">
-      <param name="linked_server" type="variable">pg_client_server_domainname</param>
-      <param name="linked_provider">clients</param>
-      <param name="linked_value" type="variable">domain_name_eth0</param>
-      <target>pg_client_username</target>
-    </fill>
-    <fill name="get_linked_configuration">
-      <param name="linked_server" type="variable">pg_client_server_domainname</param>
-      <param name="linked_provider">client_password</param>
-      <param name="dynamic" type="variable">pg_client_username</param>
+    <fill name="set_linked_multi_variables">
+      <param type="variable">pg_client_server_domainname</param>
+      <param name="linked_value_0" type="variable">domain_name_eth0</param>
+      <param name="linked_provider_0">clients</param>
+      <param name="linked_value_1" type="variable">ip_eth0</param>
+      <param name="linked_provider_1">client_ip</param>
+      <param name="linked_returns">client_password</param>
       <target>pg_client_password</target>
     </fill>
-    <check name="set_linked_configuration">
-      <param name="linked_server" type="variable">pg_client_server_domainname</param>
-      <param name="linked_provider">client_ip</param>
-      <param name="linked_value" type="variable">ip_eth0</param>
-      <param name="dynamic" type="variable">pg_client_username</param>
-      <target>pg_client_password</target>
-    </check>
     <fill name="calc_value">
       <param type="variable">pg_client_username</param>
       <target>pg_client_database</target>
diff --git a/seed/applicationservice/2022.03.08/roundcube/dictionaries/31_roundcube.xml b/seed/applicationservice/2022.03.08/roundcube/dictionaries/31_roundcube.xml
index 1250b6c3..a5afc3d7 100644
--- a/seed/applicationservice/2022.03.08/roundcube/dictionaries/31_roundcube.xml
+++ b/seed/applicationservice/2022.03.08/roundcube/dictionaries/31_roundcube.xml
@@ -39,6 +39,7 @@
       </variable>
       <family name="external">
         <variable name="oauth2_client_external" redefine="True" multi='True'/>
+	<variable name="oauth2_client_family" redefine="True" multi="True"/>
       </family>
     </family>
     <family name="nginx">
@@ -77,6 +78,10 @@
       <param type="variable">roundcube_domains</param>
       <target>revprox_client_external_domainnames</target>
     </fill>
+    <fill name="calc_oauth2_families">
+      <param type="variable">roundcube_family</param>
+      <target>oauth2_client_family</target>
+    </fill>
     <fill name="calc_roundcube_family">
       <param type="variable">roundcube_family</param>
       <target>ldapclient_family</target>