diff --git a/pillar/gnuviechadmin/gvaldap.sls b/pillar/gnuviechadmin/gvaldap.sls
index 45665fd..4673a67 100644
--- a/pillar/gnuviechadmin/gvaldap.sls
+++ b/pillar/gnuviechadmin/gvaldap.sls
@@ -1,4 +1,5 @@
 include:
+  - gnuviechadmin
   - gnuviechadmin.queues.common
   - gnuviechadmin.queues.gvaldap
 
@@ -6,3 +7,5 @@ gnuviechadmin:
   component:
     name: gvaldap
     amqp_user: ldap
+  ldap_admin_user: ldapadmin
+  allowed_hosts: 127.0.0.1,gvaldap.local,localhost
diff --git a/pillar/gnuviechadmin/init.sls b/pillar/gnuviechadmin/init.sls
index d98250c..875b13f 100644
--- a/pillar/gnuviechadmin/init.sls
+++ b/pillar/gnuviechadmin/init.sls
@@ -11,6 +11,8 @@ gnuviechadmin:
   osuserhomedirbase: /home
   osuserdefaultshell: /usr/bin/rssh
   uploadserver: gvafile.local
-  webmail_url: https://webmail.example.com/
-  phpmyadmin_url: https://phpmyadmin.example.com/
-  phppgadmin_url: https://phppgadmin.example.com/
+  ldap_domain: gva.local
+  ldap_url: ldap://gvaldap.local
+  ldap_base_dn: dc=gva,dc=local
+  ldap_groups_ou: groups
+  ldap_users_ou: users
diff --git a/pillar/gnuviechadmin/webinterface.sls b/pillar/gnuviechadmin/webinterface.sls
index 8eabd28..e562db9 100644
--- a/pillar/gnuviechadmin/webinterface.sls
+++ b/pillar/gnuviechadmin/webinterface.sls
@@ -1,4 +1,5 @@
 include:
+  - gnuviechadmin
   - gnuviechadmin.queues.common
   - gnuviechadmin.queues.gva
 
@@ -7,3 +8,6 @@ gnuviechadmin:
     name: gva
     amqp_user: gva
     python_module: gnuviechadmin
+  webmail_url: https://webmail.example.com/
+  phpmyadmin_url: https://phpmyadmin.example.com/
+  phppgadmin_url: https://phppgadmin.example.com/
diff --git a/roots/base/init.sls b/roots/base/init.sls
index 3b896aa..b1e98e8 100644
--- a/roots/base/init.sls
+++ b/roots/base/init.sls
@@ -4,6 +4,7 @@ base-packages:
       - screen
       - htop
       - git
+      - locales-all
 
 /home/vagrant/.screenrc:
   file.managed:
diff --git a/roots/gnuviechadmin/gvaldap.sls b/roots/gnuviechadmin/gvaldap.sls
index f600b9f..d38fc8f 100644
--- a/roots/gnuviechadmin/gvaldap.sls
+++ b/roots/gnuviechadmin/gvaldap.sls
@@ -9,3 +9,11 @@ gvaldap-packages:
       - libsasl2-dev
     - require_in:
       - pkg: gnuviechadmin-packages
+
+base-ldap-objects:
+  cmd.script:
+    - source: salt://gnuviechadmin/gvaldap/create_base_ldap_objects.sh
+    - template: jinja
+    - user: root
+    - group: root
+    - unless: ldapsearch -Y EXTERNAL -H ldapi:// -b "{{ salt['pillar.get']('gnuviechadmin:ldap_base_dn') }}" "cn={{ salt['pillar.get']('gnuviechadmin:ldap_admin_user') }}" | grep -q numEntries
diff --git a/roots/gnuviechadmin/gvaldap/create_base_ldap_objects.sh b/roots/gnuviechadmin/gvaldap/create_base_ldap_objects.sh
new file mode 100644
index 0000000..66edc19
--- /dev/null
+++ b/roots/gnuviechadmin/gvaldap/create_base_ldap_objects.sh
@@ -0,0 +1,91 @@
+#!/bin/sh
+
+set -e
+
+{% set base_dn = salt['pillar.get']('gnuviechadmin:ldap_base_dn') %}
+{% set ldap_admin_user = salt['pillar.get']('gnuviechadmin:ldap_admin_user') %}
+{% set ldap_groups_ou = salt['pillar.get']('gnuviechadmin:ldap_groups_ou') %}
+{% set ldap_users_ou = salt['pillar.get']('gnuviechadmin:ldap_users_ou') %}
+
+# setup password hashing for cleartext input
+ldapadd -v -H ldapi:// -Y EXTERNAL -f /etc/ldap/schema/ppolicy.ldif
+
+ldapmodify -v -H ldapi:// -Y EXTERNAL <<EOD
+dn: cn=module{0},cn=config
+changetype: modify
+add: olcModuleLoad
+olcModuleLoad: ppolicy
+
+dn: olcOverlay=ppolicy,olcDatabase={1}mdb,cn=config
+changetype: add
+objectClass: olcOverlayConfig
+objectClass: olcPPolicyConfig
+olcOverlay: ppolicy
+olcPPolicyHashClearText: TRUE
+EOD
+
+# define ACLs on LDAP tree
+ldapmodify -v -H ldapi:// -Y EXTERNAL <<EOD
+dn: olcDatabase={1}mdb,cn=config
+changetype: modify
+replace: olcAccess
+olcAccess: {0}to attrs=userPassword,shadowLastChange
+  by self write
+  by anonymous auth
+  by dn="cn={{ ldap_admin_user }},{{ base_dn }}" write
+  by * none
+olcAccess: {1}to dn.base=""
+  by * read
+olcAccess: {2}to dn.subtree="ou={{ ldap_users_ou }},{{ base_dn }}"
+  by dn="cn={{ ldap_admin_user }},{{ base_dn }}" write
+  by * read
+olcAccess: {3}to dn.subtree="ou={{ ldap_groups_ou }},{{ base_dn }}"
+  by dn="cn={{ ldap_admin_user }},{{ base_dn }}" write
+  by * read
+olcAccess: {4}to *
+  by self write
+  by * read
+EOD
+
+# add OUs, groups and ldapadmin user
+ldapmodify -v -H {{ salt['pillar.get']('gnuviechadmin:ldap_url') }} -x -D "cn=admin,{{ base_dn }}" -w '{{ salt["grains.get_or_set_hash"]("slapd.password") }}' <<EOD
+dn: ou={{ ldap_users_ou }},{{ base_dn }}
+changetype: add
+objectClass: top
+objectClass: organizationalUnit
+ou: {{ ldap_users_ou }}
+
+dn: ou={{ ldap_groups_ou }},{{ base_dn }}
+changetype: add
+objectClass: top
+objectClass: organizationalUnit
+ou: {{ ldap_groups_ou }}
+
+dn: cn=sftponly,ou={{ ldap_groups_ou }},{{ base_dn }}
+changetype: add
+objectClass: posixGroup
+cn: sftponly
+gidNumber: 2000
+description: SFTP users
+
+dn: cn=wwwusers,ou={{ ldap_groups_ou }},{{ base_dn }}
+changetype: add
+objectClass: posixGroup
+cn: wwwusers
+gidNumber: 2001
+
+dn: cn=webserver,ou={{ ldap_groups_ou }},{{ base_dn }}
+changetype: add
+objectClass: posixGroup
+cn: webserver
+gidNumber: 2002
+memberUid: www-data
+
+dn: cn={{ ldap_admin_user }},{{ base_dn }}
+changetype: add
+objectClass: simpleSecurityObject
+objectClass: organizationalRole
+cn: {{ ldap_admin_user }}
+description: LDAP manager for celery worker
+userPassword:: {{ salt['grains.get_or_set_hash']('gnuviechadmin.ldap_admin_password', 16).encode("base64") }}
+EOD
diff --git a/roots/gnuviechadmin/gvaldap/settings.sh b/roots/gnuviechadmin/gvaldap/settings.sh
index e99308c..4f358a0 100644
--- a/roots/gnuviechadmin/gvaldap/settings.sh
+++ b/roots/gnuviechadmin/gvaldap/settings.sh
@@ -1,14 +1,14 @@
 #!/bin/sh
 
-export DJANGO_SETTINGS_MODULE="gvaldap.settings.{{ salt['pillar.get']('gnuviechadmin:deploymenttype', 'production') }}"
-export GVALDAP_ADMIN_NAME="Jan Dittberner"
-export GVALDAP_ADMIN_EMAIL="{{ salt['pillar.get']('gnuviechadmin-gvaldap:admin_email') }}"
-export GVALDAP_LDAP_URL="{{ salt['pillar.get']('gnuviechadmin-gvaldap:ldap_url') }}"
-export GVALDAP_LDAP_USER="{{ salt['pillar.get']('gnuviechadmin-gvaldap:ldap_user') }}"
-export GVALDAP_LDAP_PASSWORD="{{ salt['pillar.get']('gnuviechadmin-gvaldap:ldap_password' ) }}"
-export GVALDAP_BASEDN_GROUP="{{ salt['pillar.get']('gnuviechadmin-gvaldap:basedn_group') }}"
-export GVALDAP_BASEDN_USER="{{ salt['pillar.get']('gnuviechadmin-gvaldap:basedn_user') }}"
-export GVALDAP_SECRETKEY="{{ salt['grains.get_or_set_hash']('gnuviechadmin-gvaldap:SECRET_KEY', 50) }}"
-export GVALDAP_BROKER_URL="{{ broker_url }}"
-export GVALDAP_ALLOWED_HOSTS="{{ salt['pillar.get']('gnuviechadmin-gvaldap:allowed_hosts') }}"
-export GVALDAP_SERVER_EMAIL="{{ salt['pillar.get']('gnuviechadmin-gvaldap:server_email') }}"
+export DJANGO_SETTINGS_MODULE='gvaldap.settings.{{ salt['pillar.get']('gnuviechadmin:deploymenttype', 'production') }}'
+export GVALDAP_ADMIN_NAME='Jan Dittberner'
+export GVALDAP_ADMIN_EMAIL='{{ salt['pillar.get']('gnuviechadmin:adminemail') }}'
+export GVALDAP_LDAP_URL='{{ salt['pillar.get']('gnuviechadmin:ldap_url') }}'
+export GVALDAP_LDAP_USER='{{ 'cn=%s,%s' % (salt['pillar.get']('gnuviechadmin:ldap_admin_user'), salt['pillar.get']('gnuviechadmin:ldap_base_dn')) }}'
+export GVALDAP_LDAP_PASSWORD='{{ salt['grains.get_or_set_hash']('gnuviechadmin.ldap_admin_password', 16) }}'
+export GVALDAP_BASEDN_GROUP='{{ 'ou=%s,%s' % (salt['pillar.get']('gnuviechadmin:ldap_groups_ou'), salt['pillar.get']('gnuviechadmin:ldap_base_dn')) }}'
+export GVALDAP_BASEDN_USER='{{ 'ou=%s,%s' % (salt['pillar.get']('gnuviechadmin:ldap_users_ou'), salt['pillar.get']('gnuviechadmin:ldap_base_dn')) }}'
+export GVALDAP_SECRETKEY='{{ salt['grains.get_or_set_hash']('gnuviechadmin.secret_key', 50) }}'
+export GVALDAP_BROKER_URL='{{ broker_url }}'
+export GVALDAP_ALLOWED_HOSTS='{{ salt['pillar.get']('gnuviechadmin:allowed_hosts') }}'
+export GVALDAP_SERVER_EMAIL='{{ salt['pillar.get']('gnuviechadmin:mailfrom') }}'
diff --git a/roots/ldapserver/init.sls b/roots/ldapserver/init.sls
new file mode 100644
index 0000000..2a59f3e
--- /dev/null
+++ b/roots/ldapserver/init.sls
@@ -0,0 +1,18 @@
+ldapserver-packages:
+  debconf.set:
+    - name: slapd
+    - data:
+        'slapd/domain': {'type': 'string', 'value': '{{ salt["pillar.get"]("gnuviechadmin:ldap_domain") }}' }
+        'slapd/password1': {'type': 'string', 'value': '{{ salt["grains.get_or_set_hash"]("slapd.password") }}'}
+        'slapd/password2': {'type': 'string', 'value': '{{ salt["grains.get_or_set_hash"]("slapd.password") }}'}
+  pkg.installed:
+    - pkgs:
+      - ldap-utils
+      - ldapscripts
+      - ldapvi
+      - slapd
+  service.running:
+    - name: slapd
+    - require:
+      - pkg: ldapserver-packages
+      - debconf: slapd