diff --git a/README.md b/README.md
index b90b798..4fd7510 100644
--- a/README.md
+++ b/README.md
@@ -32,7 +32,10 @@ This role sets up 389ds in multi-master mode.
 | `auth_ldap_permissions` | (see defaults/main.yml) | ACIs to set on the directory |
 | `auth_kerberos_admin_privs` | `[]` | Kerberos principals to grant administrative permissions to (see defaults/main.yml for format) |
 | `auth_ldap_store_pam` | `True` | Whether to actually store the generated 389ds PAM config. Useful if you want to customize it using another role |
-|`auth_kerberos_curves` | `edwards25519` | Curves to use for kerberos SPAKE |
+| `auth_kerberos_curves` | `edwards25519` | Curves to use for kerberos SPAKE |
+| `auth_ldap_use_external_domain` | `False` | Use separate domain for mutual replication connections |
+| `auth_ldap_external_domain` | `None` | The domain to use if the setting before is `True` |
+
 
 Users can be created by putting them into `auth_ldap_users` as a dict with the following format:
 ```
diff --git a/defaults/main.yml b/defaults/main.yml
index a51a055..3cba65a 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -6,6 +6,11 @@ auth_ldap_domain_suffix: None
 # If you have subdomains with hosts, you might want to add them here
 auth_ldap_domain_subdomains: []
 
+# If your LDAP servers are not mutually reachable via their FQDN, set this for
+# replication
+auth_ldap_use_external_domain: False
+auth_ldap_external_domain: None
+
 # LDAP admin credentials (you need to change these)
 auth_ldap_admin_pwd: None
 auth_ldap_sync_pwd: None
diff --git a/templates/haproxy-dropin.conf.j2 b/templates/haproxy-dropin.conf.j2
index 7f3f1af..d2eec37 100644
--- a/templates/haproxy-dropin.conf.j2
+++ b/templates/haproxy-dropin.conf.j2
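Review bot: The comment above the added `auth_ldap_external_domain` default does not say how the value is consumed — templates/haproxy-dropin.conf.j2 in this same commit reads it per peer as `hostvars[item]['auth_ldap_external_domain']`, so each LDAP server needs its own externally reachable name (host_vars), while `auth_ldap_use_external_domain` is evaluated on the host rendering the template. A reader setting a single group-wide value would point every replication backend at the same host. Suggest extending the comment: `# auth_ldap_external_domain is read per server from hostvars, so set each host's` / `# externally reachable name in its host_vars; None leaves the backend unresolvable`.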
@@ -9,7 +9,11 @@ frontend {{ item }}-ldap-front
 backend {{ item }}-ldap-back
 mode tcp
 option ldap-check
+{% if auth_ldap_use_external_domain %}
+ server remote {{ hostvars[item]['auth_ldap_external_domain'] }}:60389 ssl crt /etc/dirsrv/client.pem ca-file /etc/dirsrv/ca.pem verify required check check-ssl
+{% else %}
 server remote {{ item }}:60389 ssl crt /etc/dirsrv/client.pem ca-file /etc/dirsrv/ca.pem verify required check check-ssl
+{% endif %}
 {% endif %}
 {% endfor %}
 
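Review bot: The `{% if auth_ldap_use_external_domain %}` on the first added line tests the flag of the host rendering the template, while the address on the next line is taken from `hostvars[item]`, so a peer that does not carry `auth_ldap_external_domain` renders `server remote None:60389` (the string default from defaults/main.yml) or fails on an undefined variable, depending on how the role variables are visible through hostvars. Testing the peer's own settings keeps the two in step, e.g. `{% if hostvars[item]['auth_ldap_use_external_domain'] | default(false) and hostvars[item]['auth_ldap_external_domain'] | default('None') != 'None' %}`, and a missing name then falls back to the FQDN branch instead of an unresolvable backend. Since this backend now connects to a name that differs from the peer's FQDN, note that `verify required` alone validates only the chain against `ca-file`; HAProxy checks the certificate name only when `sni` or `verifyhost` is given, so `verifyhost {{ hostvars[item]['auth_ldap_external_domain'] }}` would pin the replication peer's identity, assuming the server certificates carry that name. The enclosing `{% for %}` and `{% if %}` blocks start outside the hunk.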