diff --git a/contrib/openldap/.dockerignore b/contrib/openldap/.dockerignore
new file mode 100644
index 0000000000000000000000000000000000000000..ec33ca8ced903407cc5b883df0b0421655670bde
--- /dev/null
+++ b/contrib/openldap/.dockerignore
@@ -0,0 +1,2 @@
+assets/*.docker
+assets/*.aci
diff --git a/contrib/openldap/.gitignore b/contrib/openldap/.gitignore
new file mode 100644
index 0000000000000000000000000000000000000000..7e2f179b52bfdb0e9106bcb5b92a123b3a347bd7
--- /dev/null
+++ b/contrib/openldap/.gitignore
@@ -0,0 +1 @@
+assets
diff --git a/contrib/openldap/Dockerfile b/contrib/openldap/Dockerfile
new file mode 100644
index 0000000000000000000000000000000000000000..bc9866035d7e96699c60c5d3a42e571288c7f3fa
--- /dev/null
+++ b/contrib/openldap/Dockerfile
@@ -0,0 +1,25 @@
+FROM alpine
+
+MAINTAINER eric.chiang@coreos.com
+
+# groll installs soelim, which is required by the build.
+
+RUN apk add --update alpine-sdk openssl-dev db-dev groff
+
+ADD assets/openldap-2.4.44 /openldap-2.4.44
+
+WORKDIR /openldap-2.4.44
+
+RUN ./configure
+
+RUN make depend
+
+RUN make
+
+RUN make install
+
+RUN apk del groff alpine-sdk
+
+ADD scripts/entrypoint.sh /entrypoint.sh
+
+ENTRYPOINT ["/entrypoint.sh"]
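Review bot: The build toolchain is still carried in the image, because `RUN apk del groff alpine-sdk` runs in its own layer and only hides packages that remain in the earlier `apk add` layer. Putting the `ADD` and `WORKDIR` lines first and doing install, build and removal in one step would actually drop them: `RUN apk add --update alpine-sdk openssl-dev db-dev groff && ./configure && make depend && make && make install && apk del groff alpine-sdk`. `FROM alpine` is unpinned, so each rebuild may pick up a different base; pinning a tag or digest makes the image reproducible and auditable. The comment above the `apk add` line says `groll` where `groff` is meant.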
diff --git a/contrib/openldap/Makefile b/contrib/openldap/Makefile
new file mode 100644
index 0000000000000000000000000000000000000000..7068b688811b418ac08a2a2d09294aaf2e37b867
--- /dev/null
+++ b/contrib/openldap/Makefile
@@ -0,0 +1,36 @@
+image=quay.io/coreos/openldap:2.4.44
+image_file=assets/openldap_2_4_44.docker
+
+aci_file=quay.io-coreos-openldap-2.4.44.aci
+
+$(shell mkdir -p assets)
+
+user=$(shell id -u -n)
+group=$(shell id -g -n)
+
+.PHONY: build
+build: $(image_file)
+
+$(image_file): assets/openldap-2.4.44.tgz Dockerfile scripts/entrypoint.sh
+	sudo docker build -t  $(image) .
+	sudo docker save -o $(image_file) $(image)
+	# Change ownership of the container.
+	sudo chown $(user):$(group) $(image_file)
+
+assets/openldap-2.4.44.tgz: scripts/download.sh
+	./scripts/download.sh
+
+$(aci_file): $(image_file)
+	docker2aci $(image_file)
+	mv $(aci_file) assets/$(aci_file)
+
+.PHONY: import-aci
+import-aci: $(aci_file)
+	sudo rkt fetch --insecure-options=image ./assets/quay.io-coreos-openldap-2.4.44.aci
+
+clean:
+	rm -rf assets/*
+
+.PHONY: push
+push:
+	sudo docker push quay.io/coreos/openldap:2.4.44
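Review bot: The `$(aci_file)` rule never produces its own target, because the recipe moves the output to `assets/$(aci_file)`; `quay.io-coreos-openldap-2.4.44.aci` is therefore missing on every run and `import-aci` always re-runs `docker2aci`. Naming the target after the real output, `assets/$(aci_file): $(image_file)` with `mv $(aci_file) $@`, and having `import-aci` depend on and fetch `assets/$(aci_file)`, would fix that. `clean` is missing a `.PHONY` declaration. `--insecure-options=image` turns off image signature verification in `rkt fetch`, which is presumably intended for a locally converted ACI; a comment such as `# unsigned ACI built locally above; signature check is skipped on purpose` would stop the flag from being copied to remote fetches.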
diff --git a/contrib/openldap/README.md b/contrib/openldap/README.md
new file mode 100644
index 0000000000000000000000000000000000000000..9ea692556dd54d8821a5f47fa7a00365b506a6d3
--- /dev/null
+++ b/contrib/openldap/README.md
@@ -0,0 +1,63 @@
+# An OpenLDAP container
+
+## Running with rkt
+
+First be sure to clean any existing containers and turn SELinux to Permissive (this is due to a known issue in rkt).
+
+    sudo setenforce Permissive
+    sudo rkt gc --grace-period=0s
+
+Run the OpenLDAP container at a predefined IP, this will set some initial values.
+
+    sudo rkt run --net=default:IP=172.16.28.25 quay.io/coreos/openldap:2.4.44
+
+OpenLDAP will then be available on port 389. To work with the container's examples install the openldap client programs on your host.
+
+    sudo dnf install -y openldap-clients
+
+`ldapadd` can be used to add new entries to the directory.
+
+    ldapadd \
+      -h 172.16.28.25 \
+      -D "cn=Manager,dc=example,dc=com" \
+      -w "secret" \
+      -f examples/example.ldif
+
+The created entries can be searched with the `ldapsearch` command.
+
+    ldapsearch \
+      -h 172.16.28.25 \
+      -D "cn=Manager,dc=example,dc=com" \
+      -w "secret" \
+      -b "dc=example,dc=com" \
+      '(objectClass=*)'
+
+## Customizing the created directory
+
+The container uses environment variables defined in the `scripts/entrypoint.sh` bash file for initial configuration. Overriding these values will cause the 
+
+    sudo rkt run \
+      --set-env=LDAP_DOMAIN="dc=dex,dc=coreos,dc=com" \
+      --set-env=LDAP_ROOT_CN="cn=admin" \
+      --set-env=LDAP_ROOT_PW="password" \
+      --net=default:IP=172.16.28.25 \
+      quay.io/coreos/openldap:2.4.44
+
+## Development
+
+The `Makefile` can be used to build the container using Docker. This will download OpenLDAP, compile it in a container, then add the entrypoint script.
+
+    make
+
+General development looks like.
+
+    vim scripts/entrypoint.sh
+    make
+    sudo docker run -it --rm --entrypoint=/bin/sh quay.io/coreos/openldap:2.4.44
+    # poke around or run /entrypoint.sh manually
+
+## TODO
+
+* TLS support.
+* Seed with initial data through mounted volume.
+* Better `objectClass` schemas that match other LDAP deployments.
diff --git a/contrib/openldap/examples/example.ldif b/contrib/openldap/examples/example.ldif
new file mode 100644
index 0000000000000000000000000000000000000000..29bd0d52f54b70246251bf766db816b86f2d7538
--- /dev/null
+++ b/contrib/openldap/examples/example.ldif
@@ -0,0 +1,9 @@
+dn: dc=example,dc=com
+objectclass: dcObject
+objectclass: organization
+o: Example Company
+dc: example
+
+dn: cn=Manager,dc=example,dc=com
+objectclass: organizationalRole
+cn: Manager
diff --git a/contrib/openldap/scripts/download.sh b/contrib/openldap/scripts/download.sh
new file mode 100755
index 0000000000000000000000000000000000000000..bc582edc8a01803d2a9baa4e00939f70c27b48eb
--- /dev/null
+++ b/contrib/openldap/scripts/download.sh
@@ -0,0 +1,7 @@
+#!/bin/bash -e
+# USAGE: scripts/download.sh
+
+wget -O /tmp/openldap-2.4.44.tgz ftp://ftp.openldap.org/pub/OpenLDAP/openldap-release/openldap-2.4.44.tgz
+sha512sum -c scripts/openldap-2.4.44.tgz.sha512
+mv /tmp/openldap-2.4.44.tgz assets/openldap-2.4.44.tgz
+tar -zxvf assets/openldap-2.4.44.tgz -C assets
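Review bot: The tarball is fetched into the fixed path `/tmp/openldap-2.4.44.tgz`, verified there and only then moved, so on a shared host the file that passed `sha512sum -c` is not guaranteed to be the one that ends up in `assets/`. Downloading straight into the build directory avoids that: `wget -O assets/openldap-2.4.44.tgz …`, with the path column of the checksum file changed to `assets/openldap-2.4.44.tgz` and the `mv` dropped. Because `ftp://` gives no transport authenticity, the SHA-512 check is the only integrity control here. The checksum file says only `# Computed`, so a comment recording where the reference hash came from (for example the release's published checksum or signature) would make it reviewable. The script also uses relative paths and so assumes it is run from `contrib/openldap`.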
diff --git a/contrib/openldap/scripts/entrypoint.sh b/contrib/openldap/scripts/entrypoint.sh
new file mode 100755
index 0000000000000000000000000000000000000000..fd91f6cd7db03cc45de5897a29cbc587ac1bd8e7
--- /dev/null
+++ b/contrib/openldap/scripts/entrypoint.sh
@@ -0,0 +1,53 @@
+#!/bin/sh -e
+
+# Provide sane defaults for these values.
+DOMAIN=${LDAP_DOMAIN:-"dc=example,dc=com"}
+ROOT_CN=${LDAP_ROOT_CN:-"cn=Manager"}
+ROOT_PW=${LDAP_ROOT_PW:-"secret"}
+LOG_LEVEL=${LDAP_LOG_LEVEL:-"any"}
+
+ROOT_DN="$ROOT_CN,$DOMAIN"
+
+cat <<EOF > /usr/local/etc/openldap/slapd.ldif
+# Global config
+dn: cn=config
+objectClass: olcGlobal
+cn: config
+
+# Schema definition
+dn: cn=schema,cn=config
+objectClass: olcSchemaConfig
+cn: schema
+
+include: file:///usr/local/etc/openldap/schema/core.ldif
+
+# Default frontend configuration.
+dn: olcDatabase=frontend,cn=config
+objectClass: olcDatabaseConfig
+objectClass: olcFrontendConfig
+olcDatabase: frontend
+
+# Template in RootDN values and RootPW.
+dn: olcDatabase=mdb,cn=config
+objectClass: olcDatabaseConfig
+objectClass: olcMdbConfig
+olcDatabase: mdb
+OlcDbMaxSize: 1073741824
+olcSuffix: $DOMAIN
+olcRootDN: $ROOT_DN
+olcRootPW: $ROOT_PW
+olcDbDirectory: /usr/local/var/openldap-data
+olcDbIndex: objectClass eq
+EOF
+
+mkdir -p /usr/local/etc/cn=config
+
+/usr/local/sbin/slapadd \
+    -n 0 \
+    -F /usr/local/etc/cn=config \
+    -l /usr/local/etc/openldap/slapd.ldif
+
+# Begin slapd with `-d` so it attaches rather than running it as a daemon process.
+/usr/local/libexec/slapd \
+    -d $LOG_LEVEL \
+    -F /usr/local/etc/cn=config
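Review bot: `ROOT_PW` falls back to the well-known value `secret` and is written into `slapd.ldif` in cleartext as `olcRootPW`, so a container started without `LDAP_ROOT_PW` accepts a guessable Manager password and the config database stores it unhashed. Hashing before templating, e.g. `ROOT_PW_HASH=$(slappasswd -s "$ROOT_PW")` and `olcRootPW: $ROOT_PW_HASH`, would keep the cleartext out of `cn=config`; this assumes `make install` places `slappasswd` next to `slapadd`. A comment on the default such as `# test-only default; set LDAP_ROOT_PW outside local development` would state the intent. `$LOG_LEVEL` should be quoted in the `slapd` call, and starting the server with `exec /usr/local/libexec/slapd …` would let it receive the container's stop signal directly.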
diff --git a/contrib/openldap/scripts/openldap-2.4.44.tgz.sha512 b/contrib/openldap/scripts/openldap-2.4.44.tgz.sha512
new file mode 100644
index 0000000000000000000000000000000000000000..85412e29ca423d28f389dbac82a6d1fa04ee7237
--- /dev/null
+++ b/contrib/openldap/scripts/openldap-2.4.44.tgz.sha512
@@ -0,0 +1,2 @@
+# Computed
+132eb81798f59a364c9246d08697e1c7ebb6c2c3b983f786b14ec0233df09696cbad33a1f35f3076348b5efb77665a076ab854a24122c31e8b58310b7c7fd136  /tmp/openldap-2.4.44.tgz