From 9b10d099b61554625b0f293346a0aa7cd0281ab2 Mon Sep 17 00:00:00 2001
From: Christoph Haas <christoph.h@sprinternet.at>
Date: Wed, 24 Feb 2021 21:24:45 +0100
Subject: [PATCH] WIP: new user management and authentication system, use go
 1.16 embed

---
 Dockerfile                                    |   4 +-
 Makefile                                      |   2 -
 README-RASPBERRYPI.md                         |   2 +-
 README.md                                     |  23 +-
 assets/css/custom.css                         |  10 +
 assets/img/favicon-large.png                  | Bin 0 -> 18346 bytes
 assets/img/favicon.ico                        | Bin 0 -> 101544 bytes
 assets/img/favicon.png                        | Bin 0 -> 6230 bytes
 assets/tpl/admin_create_clients.html          |   2 +-
 assets/tpl/admin_edit_user.html               |  87 +++++
 assets/tpl/admin_index.html                   |  31 +-
 assets/tpl/admin_user_index.html              |  67 ++++
 assets/tpl/index.html                         |  61 +++-
 assets/tpl/prt_nav.html                       |  17 +-
 assets/tpl/user_index.html                    |  23 +-
 efs.go                                        |  12 +
 go.mod                                        |   7 +-
 internal/authentication/provider.go           |  31 ++
 .../authentication/providers/ldap/provider.go | 203 +++++++++++
 .../providers/password/provider.go            | 186 ++++++++++
 internal/authentication/user.go               |  11 +
 internal/common/configuration.go              |  51 ++-
 internal/ldap/authentication.go               |  94 -----
 internal/ldap/config.go                       |  27 ++
 internal/ldap/ldap.go                         | 115 +++++-
 internal/ldap/usercache.go                    | 338 ------------------
 internal/server/auth.go                       |  83 +++++
 internal/server/core.go                       | 247 +++++++------
 internal/server/handlers_auth.go              | 128 ++++---
 internal/server/handlers_common.go            | 106 +++---
 internal/server/handlers_interface.go         |  40 +--
 internal/server/handlers_peer.go              |  90 ++---
 internal/server/handlers_user.go              | 269 ++++++++++++++
 internal/server/helper.go                     |  93 ++---
 internal/server/ldapsync.go                   | 150 +++++++-
 .../server/{usermanager.go => peermanager.go} | 158 ++++----
 internal/server/routes.go                     |  30 +-
 internal/users/config.go                      |  17 +
 internal/users/manager.go                     | 263 ++++++++++++++
 internal/users/user.go                        |  36 ++
 40 files changed, 2161 insertions(+), 953 deletions(-)
 create mode 100644 assets/img/favicon-large.png
 create mode 100644 assets/img/favicon.ico
 create mode 100644 assets/img/favicon.png
 create mode 100644 assets/tpl/admin_edit_user.html
 create mode 100644 assets/tpl/admin_user_index.html
 create mode 100644 efs.go
 create mode 100644 internal/authentication/provider.go
 create mode 100644 internal/authentication/providers/ldap/provider.go
 create mode 100644 internal/authentication/providers/password/provider.go
 create mode 100644 internal/authentication/user.go
 delete mode 100644 internal/ldap/authentication.go
 create mode 100644 internal/ldap/config.go
 delete mode 100644 internal/ldap/usercache.go
 create mode 100644 internal/server/auth.go
 create mode 100644 internal/server/handlers_user.go
 rename internal/server/{usermanager.go => peermanager.go} (79%)
 create mode 100644 internal/users/config.go
 create mode 100644 internal/users/manager.go
 create mode 100644 internal/users/user.go

diff --git a/Dockerfile b/Dockerfile
index 99154a2..05442d4 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -4,7 +4,7 @@
 ######-
 # Start from the latest golang base image as builder image (only used to compile the code)
 ######-
-FROM golang:1.15 as builder
+FROM golang:1.16 as builder
 
 RUN mkdir /build
 
@@ -29,7 +29,7 @@ FROM debian:buster
 ENV TZ=Europe/Vienna
 
 # GOSS for container health checks
-ENV GOSS_VERSION v0.3.14
+ENV GOSS_VERSION v0.3.16
 RUN apt-get update && apt-get upgrade -y && \
         apt-get install --no-install-recommends -y moreutils ca-certificates curl && \
         rm -rf /var/cache/apt /var/lib/apt/lists/*; \
diff --git a/Makefile b/Makefile
index 474d287..5265ea1 100644
--- a/Makefile
+++ b/Makefile
@@ -11,12 +11,10 @@ IMAGE=h44z/wg-portal
 all: dep build
 
 build: dep $(addsuffix -amd64,$(addprefix $(BUILDDIR)/,$(BINARIES)))
-	cp -r assets $(BUILDDIR)
 	cp scripts/wg-portal.service $(BUILDDIR)
 	cp scripts/wg-portal.env $(BUILDDIR)
 
 build-cross-plat: dep build $(addsuffix -arm,$(addprefix $(BUILDDIR)/,$(BINARIES))) $(addsuffix -arm64,$(addprefix $(BUILDDIR)/,$(BINARIES)))
-	cp -r assets $(BUILDDIR)
 	cp scripts/wg-portal.service $(BUILDDIR)
 	cp scripts/wg-portal.env $(BUILDDIR)
 
diff --git a/README-RASPBERRYPI.md b/README-RASPBERRYPI.md
index fdaadf4..4278163 100644
--- a/README-RASPBERRYPI.md
+++ b/README-RASPBERRYPI.md
@@ -10,7 +10,7 @@ use the following instructions:
 ### Building
 This section describes how to build the WireGuard Portal code.
 To compile the final binary, use the Makefile provided in the repository.
-As WireGuard Portal is written in Go, **golang >= 1.14** must be installed prior to building.
+As WireGuard Portal is written in Go, **golang >= 1.16** must be installed prior to building.
 
 ```
 make build-cross-plat
diff --git a/README.md b/README.md
index e4fd3f0..07fe303 100644
--- a/README.md
+++ b/README.md
@@ -7,14 +7,13 @@
 ![GitHub code size in bytes](https://img.shields.io/github/languages/code-size/h44z/wg-portal)
 [![Docker Pulls](https://img.shields.io/docker/pulls/h44z/wg-portal.svg)](https://hub.docker.com/r/h44z/wg-portal/)
 
-A simple web base configuration portal for [WireGuard](https://wireguard.com). 
+A simple, web based configuration portal for [WireGuard](https://wireguard.com). 
 The portal uses the WireGuard [wgctrl](https://github.com/WireGuard/wgctrl-go) library to manage the VPN 
 interface. This allows for seamless activation or deactivation of new users, without disturbing existing VPN 
 connections.
 
-The configuration portal is designed to use LDAP (Active Directory) as a user source for authentication and profile data.
-It still can be used without LDAP by using a predefined administrator account. Some features like mass creation of accounts 
-will only be available in combination with LDAP.
+The configuration portal currently supports using SQLite, MySQL as a user source for authentication and profile data.
+It also supports LDAP (Active Directory or OpenLDAP) as authentication provider.
 
 ## Features
  * Self-hosted and web based
@@ -24,18 +23,19 @@ will only be available in combination with LDAP.
  * Enable / Disable clients seamlessly
  * Generation of `wgX.conf` after any modification
  * IPv6 ready
- * User authentication (LDAP and/or predefined admin account)
+ * User authentication (SQLite/MySQL and LDAP)
  * Dockerized
  * Responsive template
+ * One single binary
  
 ![Screenshot](screenshot.png)
 
 ## Setup
 
 ### Docker
-The easiest way to run WireGuard Portal is using the provided docker image.
+The easiest way to run WireGuard Portal is to use the Docker image provided.
 
-Docker compose snippet with sample values:
+Docker Compose snippet with some sample configuration values:
 ```
 version: '3.6'
 services:
@@ -56,19 +56,20 @@ services:
       - WEBSITE_TITLE=WireGuard VPN
       - COMPANY_NAME=Your Company Name
       - MAIL_FROM=WireGuard VPN <noreply+wireguard@company.com>
-      - ADMIN_USER=admin  # optional admin user
+      - ADMIN_USER=admin@domain.com
       - ADMIN_PASS=supersecret
-      - ADMIN_LDAP_GROUP=CN=WireGuardAdmins,OU=Users,DC=COMPANY,DC=LOCAL
       - EMAIL_HOST=10.10.10.10
       - EMAIL_PORT=25
+      - LDAP_ENABLED=true
       - LDAP_URL=ldap://srv-ad01.company.local:389
       - LDAP_BASEDN=DC=COMPANY,DC=LOCAL
       - LDAP_USER=ldap_wireguard@company.local
       - LDAP_PASSWORD=supersecretldappassword
+      - LDAP_ADMIN_GROUP=CN=WireGuardAdmins,OU=Users,DC=COMPANY,DC=LOCAL
 ```
 Please note that mapping ```/etc/wireguard``` to ```/etc/wireguard``` inside the docker, will erase your host's current configuration.
 If needed, please make sure to backup your files from ```/etc/wireguard```.
-For a full list of configuration options take a look at the source file [internal/common/configuration.go](internal/common/configuration.go).
+For a full list of configuration options take a look at the source file [internal/common/configuration.go](internal/common/configuration.go#L57).
 
 ### Standalone
 For a standalone application, use the Makefile provided in the repository to build the application.
@@ -80,7 +81,7 @@ make
 make build-cross-plat
 ```
 
-The compiled binary and all necessary assets will be located in the dist folder.
+The compiled binary will be located in the dist folder.
 A detailed description for using this software with a raspberry pi can be found in the [README-RASPBERRYPI.md](README-RASPBERRYPI.md).
 
 ## What is out of scope
diff --git a/assets/css/custom.css b/assets/css/custom.css
index 6bc0d62..f450dbb 100644
--- a/assets/css/custom.css
+++ b/assets/css/custom.css
@@ -40,6 +40,16 @@ pre{background:#f7f7f9}iframe{overflow:hidden;border:none}@media (min-width: 768
 /* --------------------------------------------------
  End collapsable table*/
 
+.jumbotron-home {
+    padding: 1rem 1rem;
+}
+
+@media (min-width: 576px) {
+    .jumbotron-home {
+        padding: 2rem 2rem;
+    }
+}
+
 @media (min-width: 1440px) {
     .container, .container-lg, .container-md, .container-sm, .container-xl {
         max-width: 1400px;
diff --git a/assets/img/favicon-large.png b/assets/img/favicon-large.png
new file mode 100644
index 0000000000000000000000000000000000000000..ab037748917fc73aaf67a33afd15ec2e64a15d68
GIT binary patch
literal 18346
zcmeIZcT`l}vM;*2X`snDrzYo|k<cWO+yn`N5}TZ}h|pvK$-w|fkf<a{ilhcq5J6B8
z5y>JMX(UR#3%`B#{?5DSo%_xh@BX)OfOE}R^{bjSE6iG>I|*f^Lq^O@3;+O`?iDRl
z0Dyu+C;%q_|Jw~4I|2YiY`D2qkf}o`!Y{zr#oY^y2)gNqMxevoT>v0#vNqp6#7RCY
z{@jVK6J`+YpvX9~%C`IKxV<<BUHR#{Si5ND72U;K0M`OJWVG=7_tyGZ%DIQ}2lUh0
zT~p=rACGRaD!ZTU%!bXzj%*ztL~XA>?>_E4-cB5-r%qqpNwiQ+pFcjBWjG2ajdk76
zCu!N+OZ<JTwtEtMy#Fb_%O^*Mi_9VFdR5eQf!8A(y<hO(xL)hpwTQYDe^WL6_*UuW
z&d92bVOP}kjnjjjk+#P0Z!e6Kx63k=XTLAkE3eu4xp(l#Mkz){s+bzRImqa$d=+!z
zQF!8e`9~yGF79d7N!Y#_%Jlci%y!DGxXbVD!*{cU$9oIy&tG-71zuD8dD1>R!oEN9
z>GxUame0?bod?qc@w}pT*+-8CZ@nSm*MBtgjo2<X>dnqkmy+FZW@k!<Z}-WfXFNNX
zLmOuz+vOMY9sP9lnnT;K2A%GvAXh_0KTmwuo1x0DsrPd-RM{N6GsV@BH2a3biD;|q
zblNBWO={>|uB6|yVspQv{qya;N`{w~f*divYU9cN+Ps{7sKwnvOR5aN?wx@dXjIhc
zNzuZ?JH?%79|OO`-)*m&ak(~wk9VPkVI|v#)h(!lFZfnmKfOu$c(~^Duh8q^WZy7D
z*C+0b%xM_5ND`?_q~x2tDKO<!5M7(;s7yGRblcwXlvt-T(ajy*mAP}3U}B)?A&a7n
zh_zgk<L8ILEWEk4H94j!Sl==8z?N$swYB?7*F4&+g=<@vuK7Ohe+1~Pmw%ZF-*WQ%
z)RRlN#ol3mm&x_v%}J4__j1RqDZAD;zY0CATe7fo>MxX2c=oQYeY2~dDA8Q$_k>{O
zqmUz}d*<z{OP<fC!oO{Xp4_?SSJZGezh18+8lfZFb!9bvPiHL5vv&3#Jch<>=#JG;
z^c_oWOk7&>17FVN6<Vd&LkCx`S~=%b%xx6kq3VgyXl99g_0ul%`1+LX`*Q)G?Mneh
zCCBG?3d~l{cmksCeiJWkeJ%Hn|A4DZYOM4~>-Todr^{ZNW%~>q{Q={l-z&ILg1J9{
ztZ@(TiJ!d9vPr>?GqAPAhwo)CJ(lWI={NdbAj2>HbDC@km6hjuIFfInTN_t?$-Dh5
zuj}oIp_X2|ocLG2o*%Te&fnZOdBXxf=k$vfL_Ek-t1fIaDqvZ3=KQD(s9!gU;ti|W
z*uA}FG%>0CG){y1r?TxJcXPO-^Ud$qwM!H~{kn^l)%daD+^LSZ)%*MhK`+5DA+>uw
z%A$JOMrHb|YURQAgZ5jFhT|?Va(!N(7ba);p1!HiFQr*uGqDXE9tl}fF8@8|8xUGC
zF&{g*v~gf$CzE6&r`SvFt|4oOtx13I;s<J<Oy)Abo&l{DU#D+S22J2<3S({LzF78o
z;7dcvxMa8$b9t-eJ>KoNBK$ctzQ+3JW)Tlgeu?dzwflUeJ8`(rFCfvvJDAT=L%4?i
zIgtM)W{8Vu!;B!#ijo>Dl`j86)q*{gJ<C4*woIh~5lTA=!af)J#tW|TnPdKgierIi
z89F!VOYRFT1E1?p)G|49pZpM7v@ri%G%4yae#_-e+hYPxPc1!fbe5x6>=of>+)v;8
zwcGl%S6xcw40R!;E$g(qA)9>ZNY3IsG=AYMJNYPbLm;-p?8Zl;ul2Fveh`7h`ctSY
zhC6qhXyjI3?T@3t5hdK%Okli6Z1Gfs-X)?k;f^4ahaWh!V2DXE2>*4DVxc5T-x&iw
z-P>{3Ax0(a3urcK*{rRU_?@}=#o0WI&{*xRj+53KA7nlRW~%#D)U{NkKDQ8ApUJsV
zn7hWIc=wWv%6u*NhdNqswUTeGkOZ2@M(9`5Si=61tkz-YBo|2F>=UBIF2QAunXgIo
zKP!4mLrHV1w(tXD^x5H0LaH~P%9Jj=AQQi?!`P0TXj_L_-?|Y#6{rc@e6$wy*z@sz
zd@{Gts!YYudij*Rr^hRy=Y`a)c}`{~tah$yue=4)s1I%{2xUmIBxGEfD?>VDo!@#$
z_VmW~P;^W!fmI?|6<^-C-h|@MfuKq9rnGtbwxL&$b063A0LHzkxn6)-cvS7(jmn{`
z<=5y?)EqP0B!?-1t@Oz*h9BO`X-sa;O!lN0oxq_C%yd0reX6%BdzqI$QJe06=v(BA
zG(xgI)foHf7ys~6*d6_XyVl00KKycTR7dL#&nl7!DAvPwJX(f6**{YfV#3RcvH4c3
z<?X2y*3BqXVzemhE_TJy;?8w!HuiDgTh9!tK_v+y--k{QGwvb?F~gUi=m!gJzd2`#
zm^fyB+9;(>T{{~hmcj~|zuKq3$cdw7=jDvZeDbC~UVofg6A1e<DmaWW@O^c(A7eE^
z7$H)=nXP1sAh%-pKv}6a_0`PwW@hD2HL+7WWuwFX=*`rx`Fhs|tbni_mDMZT=7U7V
zRzkrhsu7t!{MV~Ec%bVFJrXPeWR|1KDQjyVjegK0{nbg(m+w;wYI}ru>Xr)LRPIMG
zVW{0Glxzg}yP0&Owe{31u&-?Nyi9Z_3dtYuNW0JMrMxQLxc1|owGv79t!9?_#?65-
z?XY(bpH37L1hN$>_q7<{4S6&$MZ1qPVLb9Gn#X=>v}oSsdlWC1meMEYp7vvN)be?|
z!D@_Fim>#rDfUR0xB9rI-|?0F5BeA@_1T}*w32>LOi-XaQOXfz0+`h4rEME)^Imzv
zZlpMV{=RarK%XJf_vp9CjJaRJFxs?MxvY<l^_iUDYuspeYQQ_Xua~chreNMGUrGGv
zlH;#`mt6$81~5u^7fOBiGgEHJ^}ru8w&yFQTqBjG8KN}F1LRqmKJ>T!Qns+ZhCJib
zy1OpGB@muT%5sB1kvfU(ml%7r=Fi@NP)0qu`t|4thXd&3FF>{0@fF+mj?oXRJsf3X
z-NhZr=--o2Cy81;PMNG=;Y&XTtlnwm7@3a5VQEZw-Wq<*d{oTe3rMzwuDh*ON>V;6
zKPbvx8sV5e{|%Lp)=h@r7XDGlDHKGoo^j9e$Wr-Nws#d3^u~btlFCEMB6mjG#0T({
z-B(h8Bad8=YZJj0Kv6B4X3VlrD+c+ofL!IW3wM8J<p3G#H|c_|5g-E`Ve}mY8W|%b
zK}D6CfoES{Qq+?^Z;oW$)?iv*e|MRO2^QNm{Un)at+dzTD**}Qk?}9CRNtGwP2*Mx
zf%tP##emy842OAMQ_k0&Z5OGYTdwi&jDNt@ThTq+yaZG;7dOs7AfRVUh+v&^G%rnz
z=C0?PvCx57<$fi4Ra$&I+ARY*mCj07mg&#KSk_^DtDGi*#-=3@MQ=LOlumfNiojG_
zuUdzAvOh(}>vqfvK7V2xH{5<q-9LNwR3ub&?E%*qGpTZVa$+$5+czB_6AvQR2PH@r
zk{^2FyM{WPGjEo~82ArR#w4f<`t@Z;576T{fTStnp({0^xohfV(k~xb{pSC~^bE&L
zT{yrz=J@%S^!4BD4K7?fZGpuPg##E3p4#3js!aS`=G3<7o_JW!xw{g1_Ifs=BW!Zr
z;Wx5W>NAx_PUTwJ>fKVC0rFkKiFw=J6jSVm!AbA<#&{3+OtggGXltX={sQM^Ta)~J
zQdpfeYCPd7RdQ@9KPgUfL)a2CiWLd<AK(h7XB8TBerx}Yk;2}P_u2^I(j$INys}5s
zZS$Gsb`7eZXpk#K^C)0q@r`jE+g-&3dkI#GU%Kn^jB0+fqJr;+-WFFpV&=vk-;kNN
zYK4S8kbav?o!;KZeH2g>uz!bSF6|5ZiI^BYCzrBSs)4K01eaI|oUp_6j>(S)2dQlq
z{V#_xJ8m8UQdF-v>zzF8$r5r_S)DC2JP4AR8X^W_Jca%ABZP!GJiF7PP0bwmMU{TS
zueINR^StUmI&8bvd&A^+*|B@Mc$kLAVqLHa@s(?K8lh|5wFzRE&tnGh+Ia3_#mR77
zkOj7vTZ){&GN~bZG9M)8xdZ5r+DZK@nueZa$~b7&!g{{nFSqD7FEW>EU*CW2bljJj
zkYH;Jp*tdYMPRGd2H|dCR*Z8&;%;fm*2Jf6CMwX3@^C$px-V!dum~JxQ~gdB$2}N}
z!|<A%8P=gnOuG58Eo1ig@Yzf&67*D4<)ySe5CJ5ta+sHws*Udcd^LzQ{r3AOuY}Lt
zbA#5ldcL=LH2oGFCn$au1Vb1+&4^C>HosKc_x|}b$VkTaTK=zTi8jSoow#NXSN91|
z%?|=z3kCc&G;zVs++IXgc$sTH8I<l^8JwXWescHme5EguXB{@yxIH-V9+&`>5Y~8U
zYTh5Uc{2iwZ(cs6NUFb8kvMTvQ3(-ER#&ipZF*(UeOtDaA}-{!?Q5@RlifGy65<gg
zNyM2!D`IqcPQYLbGjVgZ4riD0TI5)#`J3NP{%_MBKKD|TIDTmDMrOd7T%(<6`;I*%
zzDKfj06tM%ym;HhrZil6byc`(Wvt#k%<zsSF+4R1oq`pU+EvIh(n^<0K@znc_hJUd
zL(ytS3i>L>9@96>oNg76MYfUU{D=`R8D1)_z_2|=5||)a`Ghz&HfZWS5ZQF*E|=%1
z2lXax#x%OnF#q|Sg!}A1yRXwvesiN^lrl-JHu*Oe9@s{Y<voVcmyGx%9V7=(Tsv~~
z|D2Na+ME7Lp*Sk=skln@6|^J0ui4i3hnyJPGa{lRX1sg6^(6JGZ<R{nK3_KMV@vqR
z?`^~47`VCi$+6@Cfy<X2o5L!{f@u~{lUxF$bf@AUAM>}RU5PgDqn!l=b%Mprg@%U>
zm^6FLcMOszDOr2Hj8o)=9-CSgv%$4W!-+b4%uc7|<j%6o?t9K@BZFV5XhlO{_FbZk
z4sYG>2(grsW2Yy8mJh^XY~im1-aa+cng}Wtl8s44?`FJd+umEzOX#4FxGE=+Mute$
z+k26<D;VMT?E4+g@yU!Tnx{*qeQVO6P?-W`+w|6i0r_!tNb~HmBs#Kez6h=2(`Y31
zuW<rMGH-RsJ(fm-LWc&j^(5Avk9I9i9(hNKZZ%`73$edqoUYnev6PrA<c(-8<6#Bc
z%wCa{N?_Sw$a-IO8D?T3hoPK@WSvnO#7SW$K~<6C$g~)aZTp-y&$S!bnV6vS-B={P
zO6}TOvDF9HF{97Dr7V4$t)5!ZbY#rxxeqN4pRBTM_)B4-o7}3d1U4l4#KI<OhJ(?p
zn{k3}I)opuiql=WJ12maX?{>mj`uU6Ce`h90RM|zg+2}^OiPlSQ)J>BvsE#C7unKx
z@Oms%@*AwdCvicM=_TjAt|`ZRQI}R!yw*D$H6C$29W}F=CK4&DYI1EsTlG%}Ms6Xb
z_-;7!C%il|WVWv=3Z$4Igz4&P@LSdzzy>v{AJtyZDbsSj{x-QwB9ehhC`UfdTIG1}
zJe^Qq??W9l#MAF8Lab5gdIh<*?bV}!OGqO5gv-G%Dj?rNJF2RG$kWBpo+oP`Pd`46
zga*ncP=4PLSj;#wR;Z~UddhpnUu$#0ygqe;`SY)sgMRhBu+_&`uGR0lM}L1D)@aR=
z`gDo|$6Z_gwn`gwCyU?J!gZcgOUb?=-&PUvJA8dqRKJ={F9TIe+EQrcBoY@=kHNpf
zRZU{2wtZFK5Wl>=ZT7q6Q_QLDNJ=(u7~{<=5`>DebcGJ;RCJHjAKgtdoN-f|lNqc}
zq8@YoJ_BQ&*4g;*!8u;mBl7KIl;ql1u7)ewfgAp!l;eC~Pp-+O?M3feX$1d5d%<0)
za!cpLxB{+lviwc~kQ#-lIs7IT(Xe1nR!xGSMo;|%e$(oH(+q0OJH5Qp5}BjNeva9x
zGq|7H5zhoBtL_WhRN5xVa=m}~&RoNyh(~>z(hZPlE;5s|#&_yN(82|Oc7Mi0kUz1K
zt!Lw#m*8=$i$4Rd=9}QZ`bnFq^D%n7exCYskS)(w$4wIwfzxqX0_7XSi<cDNa2Yau
z#!f&uU_*GM`l-xqIQb-;hNn`;wlDkiNVf!)Zl?4re06FBe;FP`9p|j5yK*WrN3Eyb
z=^Y3CM5CUC8E9Hz`Gu!~@qP1~+w<)L`{IhY1V3M;eYjR!i;IFJ>GkzVKeW3s-bvdp
z^3?KnyK;$}Ht|ClZ^phUKdZ(EsDk<GQfp!_@fp}FBvUt!_z7C%l;8F6I(VFiv-0Su
zFp&#l`Z1z(d6r8kCNu^eVqU+jcogd!EA!%#*kCoc+}oiDpIYw4GC$H=`Iwj0#dbE1
z5<!OFq&{4xVf(sWKbaMwnJTg<3VTz<DRE+t_aO6D1A+F?db22@7#DzQFMV0(eYb9h
zIr#9)uYJ!wNCW5ofKnBc<P#MxTM~5FK)PXg-^0nYOA3=Z7CD-zTTD77^jbMRI$HRI
zH5rF5jt``uTH06-g`(<OO5$u}v4s>pfjH)_PTyiLB~|2u2s1*?1@|7_y^su>n#jW-
zx<(j#u6oAYdmfC)o&L1f20ua?lb#4$33~aME{hdk9*g3c7atlNK)G07k~_Q+3u`en
ze1`O<%6^_vAu+(1+M@JvRLI0iJHO0rKoCvG=R!-87+X+Y@`O7kDC@PkTBCDyNr@`^
zH7o7AHWHsMCxo=Tz_P!$Fs1l5N@7ERSa5V0X#afhE(`TSM(dR&UHnRJ3<({l`mCVC
z=HcBra)O7{91y0QmaAb>(07`j;Wb~r9%)@;-*2(|d`p6wMu6N<PgoR)8OlR(kylol
z{3w+_N)hU7E;~WY_W!UfybJl9bbIq0`S~n`El)&Pma6^8sBB!%4FB4cX+d$$Ku*M1
z9Rd}K4^Qww7HE>}t<*3YhgHaR@H$f(6_e|x<Zh?YSv%2?X}M>ynTo6SQAZoN2J_bE
zhluAq$#{mfupyir{k0s+&?&s#Dy^^*5HG^=j*ZWe#=~@rx#erpc1OqfSeq5i)#A&<
z&H#5%hs5U_cE&UQZ3e5J{0ZvF=T*!A$xWBU4{jXBpM54jiI+jAF8}tGHR|cokhL$?
zb0?3+YbnDt@gBQobCu6gHh9chUKwmvf~2f>U!TqOH@L@-$Mta1jnN}9I%5)MglHxt
zm5_%^_=%wxb*hAX__FMt(na))4{v&kSq6|qV2RwClB#<KuHXehlEyy^#*GP3q4eJ0
zrsQFrR;P~I_o1u47w{_OHA9fG;8K})_{=kt-PEhO&kik@Fw>I=^oJhXW;Z?N&_gc(
zGYNI?DOAGyi5~(l6)>67Hlb{6;l2cyu6^7jmFidenFasVB@StOMBB($rKgY*&99Sq
zRcqFe+$_o=Hrv<_&or>#)o(?o9j+%tKk7x86IYNvpJg=9iuIbgDvLlOcZoXcP9!Ny
zof!0LT(4J`$T;0FR(9Y<-dK#vn6f+F8lU9g5ERc!i3k}ZT7vDqzr<5N&Kt;Rw#<b-
zjctA3f~V_Fa3%B|1yu0%nlj})5&kzo<%MB6lg3?QRQ*<QX7ifx^XJ-p_=iRwNa{&_
zRBmZYhO|<1v=CCD>ekDt{>H3NvDKDb5C+=xCzYe=C%u<mj=Eg_GG0fcdHuAaR8w2T
zo@ZVVwnKh9{?3Nd06N9S{+IfQd*up*Jj>b+YfKSs>l|ryZE8lDDZu?8E5n0SVfLo$
zLKIsPvRGG1i%X00(iw8urrG%8ui?<v!b~AjUo)%n&n-_b6ZHfW(mD;Ny<pVpTnp!R
zK)j&uVYn_RED)M~NUO6CpNpByr|IN-22VC&?YYk9Ytrf7fZtE5z<o*Ds)0M|`wz4J
zR3TjN!ZR`5)1=V5+7(>ir8#EW(%*eqTE&lkc<tllgrHe|g+h$QC`3R+Qi#!`xaiP1
zX*(DJ{BpRdJ}@}e)>!kfb-GP2`)EZw|Ma`lE+mC_o8ZH8%&+S<$uHN2>WVGNVwaNd
zNR-sK^hrn(!li=?2JVNKzQ1LTPj!kbRjd*)u<vEV>YKG6m0QhtATXEjM!B2WRL0xz
z<To>!?0<W-DEYWWTECU&s=Vc8w^ht*E2YU2wDB}ioF`{=FNCZ`*zC=Wfb1x*Cq?F$
zwL{}ZHxJSI{Ns$3e%99V;46(Bc!77d2>Gixs0A6vlQj_5>S~ms=1IEVKRN7QgjfVf
zYIre^I4~@kU3!u?v{bwQa^0|>QZC&#EprZP=vrm}<*?^>@s1O$;91j&%b<A&g_o&_
z;%<2!iPN}5oYs#PR%?qa`maY0Q6H(_J-$)$aF(6RM8`?fSv`M;t$QPbz!s7Kv!qU=
z4cs#lK-U!QD`!x@p;%a-ZYi0iDJQPy9D7Q>!s{onyP42h_F_RzUEcIuDKD!xg8y|;
zqmh!tjl%e5HimJIy&rESwHiaj*Y9W(24DFKdA=UT@Uo9vxsd#0NlNT0ZfY>LE%Al1
zE2oA!8Qo?+igw~#H8-xo*B+vAH*>ox+u*Ff>eHwYOt$V|nMe5-9bJ;gtCX%vrK4rZ
z>ynm^Z&9*Ep>gcnt|Dh<Mn<m0nFj-Vq0Lm4AF|ToF!EaW!=DPg?=)97-+xJsMd&U3
zUN36~-b-qIsTb1gtfQrJ^e8u$)oL}mn@z@}D(-~RpsKQT6>FBYi)topTWl@CISmE#
zIIisGpFtN7rh~I`ly>YA<6g$up?h@2sc8kBCLdyxcnx$!jSORIB~jX!7n>i}pmHVG
z^K*6H402uBUjz8I#)WLzc(ll^9?n(RhTQj$j<8S3Vz;?DD_J4J9q*DD7LaZ2si9RG
z|4x7Mj@v@knK;dQhXWPjlD&FXmDXN{HDBhw!;9%={`ThjjvL<!;&(lWG1XSY9{Io8
ze!T1(%91%>RS?*qQB{FN-myBNa{R?7ljTm)xjOpwHorDkb>)okeO=X<d)HA<<u!YY
zRZ`+eUsVpX@v!-udScrS)Y(F{q%$jC8Rf$ic;|f8%OcmTWQFjpY$n@D1$?Alj}6bi
ziPKdbT-PV?-{4<XK52d+CtNYT91<MTbCnI-eGio?>>k1XWsCn~+9chW?O_m}Zr~f4
zSyid<+BMtxhvxjq0M;44^+1xS(DPOD>Nw;FIkxUgZp5(bQSE-xw2c@ZNQx5IRsQeR
z0XuHj^u$WWlP7%vjnCC&wA(L?2qftWHyj$=82vi26K+Oqq%B|aE|-gbsy5|H))`J*
ze_u~O@!3C_n7!m^EJEo@*PX!B7vgO3$ZiQII0UZ#_GfJqH`0ET#oDN4mPjCmrl&?<
zLB`QX=}VzxovS<6k`0n1Y!^JHwQRg|X+g94CYv5gpC~RPE9{bm>+`)|aKoMON2yVh
zMdTjw!ZMR(>^JRAiKHzUq%rNUU+HaWKIPFzxGrDXkgYZqW%MCzC{&U(VxPHxim)Ej
zzpPd@Oi`72(?ib5q+A~>6x&KQ+%dVTN$7^R=W23PfhTzno0V8k6Hj=WJ#O~;ap3Y5
zcIJjHgJqHEqOw-E_y%hS54!qiV;brB9$FQvIlY%Y&dhvOSF4({H^+nUTHP^W<8v5~
zTz7V@y@e)ysTx!IzMU99wKR<y)z?ytn>tj_CooCmzn7KX=BXtCx2=jG&XnB_%poO@
zc%IAfa#J>M>!;@R$5~Oqc|E78nv}XaSs_Kbsc)*yylXHi?DN!uSv72aBC1AAUY%Lm
zIt4W@RcUpPNuNEvN`bXTL>$g~A6}Z-tc+C=`i<Jg^UWs0>%7XPtMKGIeD!t&@<k38
z@k+~XkRG-7$M0DpsrO?_G?fOpu(Dl+s3Lzy4)tEC)fe6w{(Kx%T24K69^?J2zl|m}
znknPc2$h`ilV{fh0V~25^6GOu66)w0i?Ee48T=3ZJP(4;`nlgVKhJyc+Q20LK)yZn
zk!j`R=*_AotR{g;@0(t0Jkxse8bbT)>U&ZmZeMEHnAn!bCU`}IoEi0s^!d|A@z!q5
z%Vpx3lfF0RkpHBcjZsu@n!EJ?t)Xb)tzfeJB9fY(YT-T)Oc8S9JF}GSWO;3Rk-wT%
zby_*43BqRYX1V}FQxK`ENBR?38L`qde&OuLggfD}O091SB`}PRK?^+=Rk^z_EezaC
z81!`54A<~CGzNJJQ!bG(J~-NqZ7ulbyU)6x%b|c5*-2(biWhVkcyGBpZ2j`VS~lA9
z_Ab#^MLgTKQRub3B;vyDPa$F&YScA%`8TVs-PRLyBvyT%$&_1@U&=0X%7}j1m;f1h
z{7PfZp}W%P?!)lG6}8*!cy8nO&kSw8oxbjR?*8cpj*nk1jhvb%kF1C6k=*9NcP8DA
z;>TJ?ajf&225!=jvwKzIJNJze)1hhRY;r6uww<AtwlH^fi$ONBcMSwDy~7FzUn&XB
z&wgNSB<n$hX;QvrG|8CyVLOHrXMbCNR%g`VSl){Fq2s-S11Wb+esiVn3xT?0mPO!J
zaN|mb0+!AP_Nr(N-4~@4+F6OW7yKUMUVSy5z_c$7>3sDbr`ZoA^0xz9;)h@lf(<jB
zErAC0_I5|VgKyd0`YbQE7UyLchfp<{hlHefpWg~;pR}cU$JFA#8e2`_WS^TMZ}R6F
z`V@LAExBw&pRk`Zw~S9ZL;>?rT_<0#;)7Zt(LxiMnNNb%(z{f$2UUB+_d=LxbA?JD
zO1gEcKp3O&<ENttzA(l_7IkbkqVCw#NGUvfDlLxhKjsUQXzAWjeFd}N<l!5u-<P?n
z{YIovqn|yN*<Q!ew{&a6_Y0@@!D_PGxq<Xd5$vPxSZvHacV~w~qRZ6#T8-LQYK?_u
zZokq0wsD7}V&7JA?rJWM=~yeEr$(r!anQ9d<I8k~<|Gva!S*T3{i(8MLbMgt$Hh_p
zNp1cuonjBfG_KV=3zqr5Shnz{>c=hSn%}i0`d?S@xF^cFix{5Y60ND}D*s8|=w{4(
z@N#Iq#w>9q^i#h;=?ojkmsZ^Pnj6QGb*OWSrhZ5;bE1)FAWdF$^41aX;gSXGyeX2r
zQ<5-wYLZS~`Ls)0o|5{+<-SvnW~!BUA)&!5nj?*~6@hrw!jhatrODkNsudKOE8oNA
z30f916Cm>Hy+(-)5k=wKS<9|Zl{2}Hnsu3`h>p;k9~2Bv!<~Z%*YNwqvBxuyDwVuU
z+VPBdTH00FgK(Y|!=t1W1h*T+Bi|c$Hw_&5y(!A~KIrf2+9i32i-H{BVLqlf+U)`W
zB-UM16Q!%E`5zxg06&CKa641wN*|K-wVhcx7hPfqrT+k`@ERqZ|CkVMiAELOwP1-h
z5J!ebP%JIRv!^Hh^^@3?raJPv7{noDVQHysg^Tx0T(J4h_S_4Ot)D7CXCN9)gECKD
zSx1Au4V7g%iggPm+~Bl_gKu;PhNPBw1j%N%gVO=KEo$X==Tk*aNKq?N_?=fxLlWK#
zWDBc?-{v}uS<z@~URD0I{2=uOojPImZhx^h5!_JKgW(|>out>M48qrk1}iQrYqOfk
z7XFGa=oeZReSfXx{p7)-I4Q$!F1qd$t2%LtRSb-Zc&)0Kn1$$Cu&Ic%o7(Dkj*wI8
zHrjxz*nwvlW|@IHjuVQ=P)|C3{*E#~>XqC61?eV;W|C&+w4K`<3bizdLsHvSwy0X7
zp@^)R6}M;H_I@lcUi@?$WcO>sBUNE)6l^!ms6dH8w_JA(Z-Vc1ck6F<wjB5$0nXJ=
zcgg(x;CFKcZcQ&w-=6L~y;U(iOM$Wuc)&Scyb1smDemB>L#zx9l$?CM#T=Y{9noT8
z-hSYxM*u)sEzHls$rBxfa74Sh`>1ejwRdwN+?`dpEM*NP4E;3GZthpY1JGvSM&?f8
zo=%F+TxzPs%3(?%fHykG0TJfy<rAnBro#0HR|y<nOp9|N{*VNDs&H8uq7a(C0ceDb
zn2eZ&sCJlph!mG9F+w@O*+t1z>+(M!z$X<hx1b<DC2{f4&`_~ZX))gbS8+*2MMZH5
zDRC(&QIJA3@TO0YLzt*fAom5tUl>~GK&JqAzaV#CAH)TwgQIV7kO~(UxQ_S-IJoMh
z9R^PRL%_xJANar^XK`KdK?d9pNFXjHA)z2DAtfrMDE@bTaMjT8pWHry|F9xxPw_AZ
zKXFMh32|@l|HKg(q#g1vdH*FxpgH&<9dT21pl@)16Iwe2?GwcPccFe>!GV95861ed
znEIo)m$QpFsMH_Hf9KKBHAMZB=faGx?%sZXI4-FFPU-CQPddNg0IxqZ&Q9WJFSIwP
zNFazT`Jd>6++F^4K>uk!7c2jpBA~c`;{PY=|FG8|UH;frNz2zM_(G_zmI~K}zDmx%
zPVUZ1e})n+PR>p;vQDB34sr^jG7ge1q7L#d3ZgFZ60&kmj#6j|wA|mIbbSJY9DJP6
z7f>L$m^+9gCoApfASELwDkJACDJml^=_sn;D4{6oEG?}lujr_tC?$>l8-#IyI~WNL
zUVqo>0?HYLl5kR#mvsSs(b3UC5!A*(LDa$FV&sHYP*jw2a6&sd|AD$V2PJist_qiw
zn8d$kP+kr}F1`WYDqIHcKEYxCS}=F_Mw<mWTo_GKPEtlvQC3k>T0%}nTK;d`7U+OL
z(8(__B_+h9r2eowJ1JcT5gkBhbN6;|MT`6Sxc*tVI2I*vGoWD|E@A^j{xc8mMM*ON
z?GWS}VD9VdrNVWgE8+t3Pe>t@{}C)o2EI;z82=EXoiF0;9}%bF;41#-QCa-IBmUoz
z%-noKeg41U{EPITDCz-0p}qm0#sS8T9%!ea{~qVRBK{|mDVXa5g92{q{vS5=|DaR;
z%U!R4yuJZ9|0drI?f=))UkS;}{g0^-h(Ad{$-(I_^9MSFp#Sm?(2jpCIk`FbxT3*q
z`;Sojk9qh1!i^oJ6%`!h9c4tN99%AZ*$FMGC@tX(j$EANWMt5CvMzu5%0JNqeO-b=
z9RkqmuAmQq=M09{pL0eC{P8})Kko2P>QFZ{=p(`sl1dU1Tz?%eLRtJGq5jAAlrK__
zp`p^>4WN9Hl9Y5WJkKoH&(F&p9q^wG^B<1#|3ddS{(m^-|B3zYWPfpM`ug1jgVrs`
zIMnCA75`rl{)J%R?u7OU^!@Kt|2xTFX8Bv)0d@Xs4y<Qjc@+O=ef)=8fJXkm`STBV
z`@bmyf%vzO|B-$FZLWWt>wjc{{}J)Oz3boR`X5=~e?<Im@B07ET*UwCu+cu?MK2WW
zpG)3}2!Xvffup{T7I1#?ueh@^8=N8XyJ8&(0MtttzmVZ>WED6`7^G{cP51-KNFz$d
z`%WJGx(8j1u9mua*yQH)hk)-2jWCpH$@w{Y*v$CFbe^^ek4csC^5&bL(@a$MXlOwD
z7ktLm4~I>)c?=!JhzZGbED2#Rn>0y>0b)h+6ZRc6hP{crgBGzNd5$FkdfBC^yh11s
z?`PXPapP<vM|C>WU)DYQ-Z%B?GC_0^&Ea6Qb+RD|)Q%GcAG+#gPI*KetzrM((J5xs
zl9(16$iPAs*QHTRdcS8P0)Cqos*P2Clc2e>oZuUe$uFlBz_ZWh+_fp{)gipTr$Kqt
zPB`T5B?61mqpG3~ze*Bqrva0r(NL>^3*aYXzNQ++%~`_q;v90NC~aXw{$8xGZfd{V
z5=WPahl0H5<5aWb*DBRl2?>Tnyr^MnoR#Z>i3MDM9AS(d6$&<VtAUg9BpJhH|I>*Z
zacDw73)$gd0eaH8is1tg5#<;TZ6r|!p_Ly@Z4g6^U}zYHN76!gk*fC5RA&NsdYA%i
zFV~?7EC;w5jjxS+Oez2gz#~bT)1g8Ei-h!)^Xb&ZumMUD_85-&de{K92y^eB0j)^h
z9AOVQLno4h`!iq=$(XD3!Q5cuiLoQfkhWr+H=dtUma>iOqDFW&2*eaUhz-1+7u@$$
z2uBBb5c`_)OhNKf4e80(A~L<isb`e%$ewhmhR`A*s1-1uKF427tNg7#n*qYKIRB0-
z9SND+g`K(62rvd*fgo|h&{v?95a~E<yjn6c41$6>XF)MI9V)meFsz5+!X%1-n}WB4
z3pfl&0@Ujvv6DiOuot}?+L+)}_^Aso(&A<n_yptt%BcBtE<g`xpH_y>8*fP92Yx04
z<OF>1P`2oM7qCR24IOHK6C)3us$$yK34nY`d5AzwqX7hY_!tHns3|W3A8`U1a>57l
z$*{H-K*L*1S8UC)<<+GosC}Shni>_b)C{#ZgV^5?2IOdfrTwtbbSxjVb!YE=^Uk+k
zL7<m|@}#6`iYszn7?`K<Vj_ra%YIM?ObE=qs)Av6r3bkw&)}rA+FzGB5ho@9ifhph
zu!F#(kRN2W=zx3(mJHKY4@|&--q{mN0H8e6!$9rldoTpn#ekI`@WYhPpea#AhPC6_
ziI!Zio!n7IFGmSQubrwz&fz`CgE9E+IJNz3@GR4D{Nmhn0Od*Vv%^U0vw)9;G-vS0
zdG^-laosh$C2?vob`yk~vOVJBw-Mk$F`OZ!DVF6SF*t@Z%Bo`yJegst6Kv*#j}^6b
z!wkf*?oVn1?>T}_iLvH7hj>za4FCp52p0zUF7<L`$cop{!+J(=>Wj-j#$z8KP7Rz?
zAqI+zA;g$ZYQ6Xw>N-{`VR33`f~+EZ`(L8UpSm}u!!xM`1_5Ld3qVsCD3{kbM-Mz)
zUK{d#NR+xz3}C#j0!T>|6xkXg4paydM^gj8WNU!?1)#eF0uW+A0ICNJO#H;h#%WQ3
zWJI7c6<lBl&2bjP1b||=0HhcQ5(oGYy&Sv%FA{PQO&I8CCvZOw9+?B=U>czI%v>iX
zP!yCFG?M^S0GKAhRNtAq@Dmh(#DOmH2Y?5RzJCBv{{@hD5q&uTJ^)kG1N5*Te0n+J
zy7wT%numSZxvzm5bRIr<8LvSVnFJsLfEgW-O_Brrr35WR8^ABV1(B!*g+S*P3@iX7
z5t0fCp*$-FT`=Q9859f!MS(^HnV~#6nEYkZ7}D27qJ66zFlJ&}$nP2e!-dT^3%pJX
zp#_~x5AzMUFY)-46o5-nsQYWQ`{4l^WcbN(ce}!uABut2fT9qUxADQ{*F?j;s~nVW
z#I!`#wE&Qe0XGCXJTH<8Q35+;0+1PkMsBo5=NOb(F^GZ~%Hh-V;>HJ1&>Z0KMCDQK
zGeE=eriPC&r~#-hu;I643GhMTGPHaz<%#ftI+mlWc$N)<Mnl=t#DEM*_lJ^Fm;l6?
z0iXdKIM`)CfyhnjVgTuO|2mbD9{6Md!M)+e#b4wn@XSXUG#=GcBU?Zc#BQ6&U1eWh
zOcy@(Tk0Hx-lI-XSwO>1!kUB^lgv9eF#RL-GLA&R^WvN^a}1{Ax)3CI%HlOO52%q3
zsQt$3e(i%v5mf!+e4+ZFmsHsTK95*>i<-t=MvmZ$FP12~(vApY=R(6<-uOTmLrFln
zAO|1I&Uz_`ia2q<0jp`Z0p7peH4e>`r|G%SQ^Em))5O4|2J34ZVtc%M$bgul%u4HH
z4atQUw&#lk*!(-V<&UxqVScQ35HQH09pW#9{P3{F>aEHf0yD%n=PN0<t?Ra?6=#$S
z94}1ECkE+)A`hiEXDA~YivFZ3oLC8fiH@fRi1s^V`Q&?x))RA!h){6~GPBd5Ue7`i
z8Bh$wC|_j}M*6Muxb^-VJn9Wa9fNvN$7~Lw)un?4bRZw-1r?b1aPL7h^*CyP82dbQ
z_`AlTGz%{<b%8UBSldGZ5_gkkLfxMOGn!L?{fhm0d>)|i1h~I}p(geLuybft-RA(s
zvfK^UIXV#5<XEx-7AESChr#uCoy<U$xhG5kgRtV<t9XDspm3VqrgmC=Vf3?!N>#Pm
z=P^(KjBPnOV2`Sjc*7Dd0@&XNqYdaxep(Mf0oYZJ;!QZ1?C{4$fs<<h>w(`9AxH#j
zcki|fEr98YAOla{hyvK0E*id_POw%WLifx`zxI=A^|z?szd{{mR4C$%I<ZlE-R|C)
zCLaLPQ_{UxR7uKuY^!2S3p5&^ci{^$oeToSfL{n+vENGfQK%X0hL^7zAwUcS!6UW7
z@9PYIO)oOi8Dcq`J?|_GiY}6x*@9p&z*Q(l^kP$=BxI%u1oT1Q^+ORWAR(AhKXWL6
zk2x>5JFko{y)dmE(_ALv<hBo%41lW_6;(4#aDxSpq58{t??~WE(fN2@luj2EGupQU
znhCL?%rJsa3pgJB00SNLV2mbb0+^D%aGz`!fC$AfP&HBB>!HLlV4|tCR+e8+gaSBa
zZ5X!zU_U{))V)jyW>_uRrF4LLu>|0$kHj_v9ub0JTTI*g96C2cLRm0QA`jRD7q%wT
z`|Nvu770+|0{{wGsXlh^-%|svN*R1w4?G5dUVIb)l!JdHHhPTD!3lvlRdHef%-$fg
z(Sy-ipbCq$HSs^vfdFuls3Im>0FiOAh{=|?pg7l~0I3l${EOoR&n(I4ys&S!7E}?;
zFZe+5@x?55RZZe#I-(c=GWk8ae=^Vl02r|^_0>+>&p_O`D67L*@XNwc^B@)+Gc)p~
z<@qwGBV6SN1uam(PI>kSUjRUo@<)N`86gu<7r8RB$^qsz?vr`e&~)JbcA4-A7>@8e
zE+b}#TerlDK}VZgq!0iUTBP~|Y0ro+f$GeGi52w6;>{hKc(AH*ADRKkReQ5J(B?+;
zJ`iRV`S~rj*JOY#y-ULCA&%i>OIaixJg_-F#G;I6YS&UX0fq&zUnp(fThc!4J|D7=
z>anHwWj)iNGx|yrGs|8s28R72<ymhLvI~k(+8~|upXWVvz_q_TB*x&PYhbKRXIsiT
z^S){e1i&E7?$_KYPX>NBP6vWn)s*lDwupX&7G=*R#>5A1(*Xp*8-g3tdow#;8-mB=
z@_@uufe?;?Em#v+vIPLjtFV{kOQQ1~2TdfA_shb>x}aDfU8&@>wM%1mrk4!BX<~;}
zYq|;dDvNY*BvDh~&arck><!b84qDY{0cI~Xd;o6-c+S7U_N%qH9+)deZ77V!ci}3x
zRfF&_^S)S{&|7%&0CH{^GfD`$EhE$jGyZv%<J<O#j|>?lZE9?f5;1rnl<W{rhv7K2
zj>)`80)RO#4$E+c+n)h3Fb~8LHHkQo*;Z~KE^W@Wf15bj6eteEk(^rZ*x?n2sO-@J
zy;b(OTkoxTDK67qM8_f3Sy?MMc!5uO0*`8Jw1Xgt7#U%Y9^(>C@aN8coJ%Ajaoi`m
z9uOahAISx|GrAj!q4rY;!i;)3p3nhN#6ZCj)mdD8Hw!QYRoLSOuUoWW+2>B^22EEC
z1{gSZSmF$Mag!c#LUjg{hdc+xO~{{sX8|fZVLhBsj(c7NIuvXg)<JsqW8RzUOd@zm
z7`%QMoo>L->W`7uU?O<iXL?9--g)a9k$o$4?&1oyjM+QiDH4Vnd?lCyGQvp^C-~=?
zp7k&Z&872ZeM6<vWDI!Ca;@p4MsDMELy;jwhu&96B736t)d(-s1Kos}9vjr*C+U+-
zZWq@65Rpw^Xk7PPcfj;C3?&I(6BqPA{uAzTTOv?=bhPjZe$?kvLONowp1z|7g+;~h
zSwO2O&xip@UL>fSo@Xr#RRSCuVse=8^xkjkZT>hDuFS3n$l64+07}yY3a2DzU)Asm
zGWUpqTKx;~>#7vCSHVklg*dcVP5RK)#tt7tHD3>mK8Mx3YgGL@)7$O3GSbni2WBZ&
znW-W&^Lg>ZT+qPyn2HOTk-XrzHyN{a8mLjf9xep2r8*No*W|^N<>SG?gMwaESE`c>
zb_15PcYR{?7h?<*OgK$(_gl=M3gRdCUeDr#)e9G!0G1E%jv7h=2A%-hB*EiR!hJKq
zEmVU+D5m>cd+A2N?rPL})Z2W$Hq`#NGg$XBc@Z7v_{}+|uV_Li?imH5mRA5UXWlnD
zkC_d}%E|*MmkAb3AS@M^_>1tCJTN4?Sa`N9Y&m|J$mJ&#Eb$S=$N6VV6twGQFjOS~
z#;st&bKDjc*X;R&aq>5Dpi5OKwzVB?-41U~^MSnR0;Xn9IQH|1BV&!M3XZlaNs&FR
z#Q;3AGOB0G0(+Dd3f4;bIauG1B6TW^8TqacP<4ADJp9OxJ;ce%!4#I`oF)o9Z#suC
z)>V?qS>r~U*4SY&<Y~b>aKA?CyUFCvg=Yt6YPuvnYBFQA^!$#;*c)>@P`~yyj=1@x
z=q)BBTNjk_>}(o;c5I|~2X{l^R2Yz9q9u6g`n?S~%>wv-^XlnVu2ADGD+-7!SjM9x
z2Ac3ISv2OC6!)S=lD_>S2D}quigyf@#jB$5=0s`ER8u5&rVtGPLW0WiQPII8bsJkq
z@h~N2*rWJm_|6m%){b(Eqo=e2DD#R@4<NQ3wRFH_$DvW@qu6EQooOJfDXx2jw@ld%
zEah-rKy0m%7;I`*X-B@=+J`|TIwf*$N7`q70!=A8yR116l?QwvaooLduny6RC&C83
zZ14f`R!XRVC14;kzZF=D>4AM+BLFlR!5+y5sC1;|SO=z!&o9~yzy|;-jaXSxfNFt1
zd+j|&TB)l1avuN{2HtYO6p{c0shx_yYn)PX5}W>Tw!o1O2+VIl8^qo%z*)kN7(#}c
zEvH*EgO0#+Dh5j^=x^#28Ghg+YGP&mio@1}kFI$Wx9*Bu=tu)-8-Y?`s-V=Wg_`xK
z5{m9_jx!!Wu=4yV38o%W@GCKw0~8Fu4U`(6a}$HwmQaAM+x0CRUu+jraONru;uP#d
z;GJM+8>fo-6lD)VuHaE#0}~ZI5~w^^_ZbI(Uw6fTw07|7(GEeJ)#B*jv4^5LWo!|?
z>;%A~KOO)?6VBv=cLE<UOab_Sf*k~_eUiac3~m?@%58enojp`klj#kb=8-&b=hDQC
zvIsC>wnu;@x+ugA08&4ak}|FvI!BLjCD}^MLk)r@5EQpe2k595C_v^p!tuac$l%1I
z`PFq9K5?+Mjv>srT7r*hem?LPpO+L&2cRg-1`F8R@S~J(Ih)x-0DFC|-^_-G@*+Tp
ztWjy$66FPmLJyn=Nsmtt0BDkVj*D#~?$1@uuN+7Hrt!nGzsKUN2Rsso(StygX9ESJ
zU<e|r0Bf3SU~`1sv5hzvKanQET=y*|5>?h&)L$V38y8&fPAnEA1fI=r9obcsF#x<+
zdm86n4rg6A2oSww9gU+n!&F2=X4m6`Uwisaurz)k!)R*_%(o%rX@Qiah8^XCvrGms
zYub+zsf>U((HtPIXoNzFOPSV?tgm}EWy9C7d4E7d9-wEAA6SMxn2T-4rz9|n8=t(!
zjd$)(aU+N(e*ATnrUE=NuA6X<4}eew={46Goi~n<Ve$d^OR9_FMbT>rXmGDAx{(#0
zp&zjT@(@3Vi8NB`l62ewatekpfEwkE53Jgaw?X`9fNZ+zPz{|??h_Tp=Md1ml~GKV
zW5e7H{=kqQ1za91ci2_C);0+CGFTHH)B+PI#vJ6dqBj6<{q(}_5xOLT4r40(4zy}E
zq<7Z#GNj=vsS#FrAEz9X{=&7c3)w}COv<%;0cn8LQo^Hr<%lt<jL#JE2p<mHh_~Q`
z`mYE6c)fiUywUw4rZB(gtPkHk3F?A2nADPj<aJOC*|(b}A|wWKI-Sii9@l;r2#Y1x
zL;a5K8HNpj{T<M2Cw6mG0HO!p<8CfSKL-17#0fexF%9gTFt~f_?5ckeomqkA<^|%q
zryeBC;-S8yaT*sz(TWt@H4!M2StOb3;*{@!@1Vfe8JHKhYd|K0KG<tlXJ2yBe#dni
z^f(Ga1i-f^)-l><VAD)_CIw5WgoDm=_#+VtzCYpu`B~_x!S)^G7Z(w@;E&-TNdZ?7
zCqMA$87~_9!*}>1U}wsOnY#zRVFO>QfwY7TI00xf5HowyPk>|skxyJy<?t?uaPsTV
z1W_<r2(0^e8d;1~F&uF?9PCAV(b)I+<~e;TCKUjKxZx%We2K?Q(A}1r8YfjuirDR`
z&|pHrR%lO_q~#a~fkE&(l~0BS(8!h8)I<%W9+MmO(UO=PmjE7dw3+HePBA6y9#pM`
zLQYTsmYNc6*G(cPDu92#(4Hn%1EWYJCnrE~Kgqr+))e!V@CFn`F7X}v4l)?6ND$_a
m)RlM)h%*R~x{%|Zp993AEKYd8ZNTUQ09|b(tvU_+nEwU%;Oh1O

literal 0
HcmV?d00001

diff --git a/assets/img/favicon.ico b/assets/img/favicon.ico
new file mode 100644
index 0000000000000000000000000000000000000000..b2a4e1cc707a255e1827533301b543dee83d5921
GIT binary patch
literal 101544
zcmeHQ3v^Z0nLhDF3tFh?XnhRYDK%?m#8gyNlt3$3mlDL4qK;ImgUDJcL=h2*Avg#{
z5yla#c3L8#6qj~2RnrL~4>hBdXI6B07{S~~oA3%D1QQ_KyXXIJ^56b<d+)#R<>clX
z{P$YlJ^P%0pZ)k>d!K#wKG*Xyywf}k8Qw+SwcR{#9K;I?+s-q;mEpY#*9H%6KmW1k
z{iSDymzC9a{#swpJ1`RNyr})Wm*>4aCBy3lN6c^hDRA#EGrT#s=G=Hj_w%|#)@R)G
z(;IF>D&kvM^yo)k!!k1_K9ZB0QBgeQ*PeIUp_^_PlKXg7{f-gOzF3#>QBBK&k@r6H
z>X{>lJoL|}Z5aHYx!)bS{MO%{a!Ph#?we0P*7w){cG6S*7Igo(@YNpg=2d=w$mrZX
zAKdnbSI<A^!q?1Oy+)qbx5vomAG~(a&$^XXFDlC$wtsI`bxGYdr)MwRIPHQn8dkNG
z2QT{|IB)EVsZF)R*A|#iu<3<h)t?_&T%P^Jp<Q>rmHqgEK>gV1b(?;>`i5@j&YDyc
z%C0H+LqXR5p5EN~-ryf)6yAH1_u(ntGvD^k>g{Fz(7W{(@70&TO1SF07P!6UlA2IO
zO~K}?drq&f`t$hJN6R-?7JNAW_Oabweq~N=^`L?a>dluM2UHe(_CF6*j~nyepZ;b0
zn4T@)9Ux>Jqr~AWp1wc-to@&~EUKP<bM=SjzMUUES6Q&>H`i1SDk#c+bm!iZ#lb1n
zPo7g>GG_jmrDo)^)feo~?$J_tPT;geni47T&9cU6Ufl=5JF4qO3?DvxXzR@{^&8r{
z`HkCeY+Z8mOT${{%-J_$*I%Chr^-RWQ1w%X8d~1S%YJ3<j+p$3WNLHts`F;m++Wi_
zG-&@%=6>?4OYbTUF1&tPaS-HH9DMy}ZxjcYPu^P`eEa^2;^5~ir!5XX-Q%3%;J+T&
zJ9b}^jj7B!eR}tzH}Bs*`==LN|HKtl(;Gj#49e*<uAyn^=PRc6uK%Rv$V>fxeqQ~=
z9m~(I|D?MA%cu6c<lmDN&2zKvdA!%4or@pt^ZmwSN1Dd39$#5Je)`|my*S={@!_-M
zS3lX>JiaKj@V!Ha9xW|;<&`<j>wk6Wv(0Z0KGf|vn)7Lo9SzG4J=r|1W&hCDwQJYD
zxzK#{-1(qz&zxOZ@cvV$R)%WIXIF-H&d;9L+;DA@Eg3$y_2jvqy>WX<aqz$T-dr4<
zcj3U|;D2=MSsWaH#WT$fD_ia^EgCpwLh0(q8}BWhSeLvo%o#<`uk1Bw-0dZIKi7O$
z*@WksM=ZQ<PILeM{VNNAVU>ffyz<Jk>jykkb;Xv7>>jryEsEi%mmjD&@V)E{TP{BH
zrOU?5Yku~ee)F1(@{itBIz4!Fa_Q<R4R@E0S(bNCY4xA(`AKPZ{^7jR?8o-qQCf6r
z==tN&;)|y(dg9!I0h><#&A=)Bsv5Sx)4wYF$)i_PU3TYNKd9<+b>2l)Mb}NeylQE~
zCw;DcG_$ID_4Mqjk~`o2VO7OR(_VP<eA&I&<}<83D<Aaio@GTvbLaQT{>R|XvWeC6
znwRGM_L=71y?a*{G=A}6Wx@8}FI~Dg*it>cPyI`m-gVXflEBnuChL3eW+d*{px_4&
z{lmh>raZHG+3K19yW`y{i-Ujt>)29g+oPq`?+!TH@VD7uox@sza%1a%512Tt^~=3m
zZ*0Bi+|OsWURV<<S-b5Fr}vC%-o%|P-fg=ZzJ2WC?G+<FDl)ZAyZV@eEn|kYUNfn7
z=9)ewAkAT|U`az;``^Fmx}Nh7tk3JSvZCmblN0pSZKZ8{@bLA8|JSW1bbC$c?XfE+
zR<9cILhz42f48{0{~fFHr#^ak&HO$iE@^G5s~FL@wf7}C$1c70y{uzD+HMAJpZ{W#
z;tF*uTKnm3Z!O-l96CeqrlC1E{PD-Xcq$X(g?IrvOzctHLWWm+rWZ#0h0Zvf1%*hM
z3UmqY13fM#Oqg&`!us{=jfA?oIwN7jh7AWLOqw)lxdf<to&(<jx&$D1=^)7-X_D-b
z7FYI2lVp!HN%lySWREmS_DGXtk2I*G%3tkY(gDf#k=E6N+P~}rRQ_@wp#HyWdjPe6
zwSP$mbo{5|e@O?_|9`#x|7fV5go8krV1OPMc@O6q2}h3}H4;pU!{Nh+jf8RI#u*9F
z_B{^V0(1#LPHT{4k2Fd4NQ*0bq)D<znk0Lqr8-EmN17yiq(K{1{(=su{6*VGzmV>r
z_Am4SYX9p0B^?0cRsXO4U(x|-?5F-;$N$>@3p$|Vf8Xli8sCY}Z&11~`sU4>jRco`
z7c5v{B)ICgXwf1g!BsxIBgS{gap5W-=phGE-9M=O1szcN`?GJC{!6xxG*^&pA8D@g
zCEG`uD@eAFG*|f!+ehD^_AdxQ<qsO-FR1@l|1ar4B0lW6)2RQ~@t>pvg6j{H)c^Z)
z{&2Ts`$#)(+fL+ON%lJa3;PDY<3DL_4$^$RznwjMwvjMu)F>mtwLW|A-n~XbB0A<L
zO;b~ok>IMopR(KUmFA9-*4+V>zYiZK$sTDcf3<%}2h{%6|NGPd_5Z>cz$b5=V_WtA
z^7vmG`yovl`yoy8ok)|$en?aK>-aB~I-vHi_Alvx%YSu%Zu;&2^PvtBeEHBNOO_Z3
zuK7C`|3aaVk&u@M`v(NL_&;;zOe4Wn|83j0840fPJAnQG<RL+lJ<?SEf)1$sW&MzB
zA8D?j_Am1{0sE9}A8Bg;f{&AYKhj)5^8H9lKz@GHsQk76mvlhwU+rJg0bl+{`+pt(
zOFH1{KXv?<^6}pXFb0v}%l=*Co5_<W8wnq8`q)Tt=}#~iG!nLK*<vKP^iRqgY5Dp2
zB3%6G0Qx(ShXhIXNK^R>--uNC`_m7}_K_ypKGIylB_GN5k*4<VPrfeyq4G~He;vLb
z`vvv?!Wcm9KehU)_Mck*s{QNu-=PEQ|G(M(zXkL|LQ0?iR<2xWB)G=+wY9ZILQPGL
zk>JYTMPIXKjgbJnO)38p$ltYpLy|qxQd)mW_DFLDN%lySWREnzL6SYvQq8{v@>lr_
zK0xI!`hK;4hk~g6`|BUn|NG;g`hOk&Idnk#f9?Mz9nkT=qmP%!CqVz7)@PI>M~)Z?
z_4V~eLQYPOk&v00X(VjixY0;xY-}_VB;7#TtXZ=}IDB_nWz!jTlVp!HN%lySWREmS
z_DGXtk2Fd4NOJ|1zdXKG`OEz23>!>m87hC3zoY}||4(fFkYtZEmA}eg(g7X+b#47n
z`|sNF^E-BQJwLhD=lU(*^?mN$yLTH2F8$rQb*qu!xBgxIewDx4zoY|d|0lM7NU}$o
z%3tL#>44w<Py7G$>X+Jodin3ye*E6A@>lswIw1Ler1{l9_5WTK@KAzp9!oNEeZSSU
zf48ix%t$CHDKQdU{~zyqzTdZRpON6&KPd60gJ`brLrSton#x~Tqaw*3X)1qNf7JeE
z{&ax-sr?Imfck&2?^pjX_<kH4sQ>rpztsQx<6i>(gZh8<|B?>q`2Xlp6K@>w4S4=5
z0v{qFrO$seX3Q`Wnh!M_3DVqAA~fm01CZu=esh)KT3?=k|MtuOGAKiWBzvU!EnmD}
zl0DKS*(1$wQ2C3tukshZ{fNH771aJ^|DpCT^QQy+ujKoYhBhui^xuB#r}9_%OFE$a
zzi<6e`xiQC9sh~GU&ntZ{`hYg^x+ax+W))84?~6wF%lLnT4W@={`%`if@}SU;5x#j
zUAuM}3AwqsMuMyT9YDVi@{l0O9%(9nK?x+;BTbS$(mH{^lI)SD^53w*#Pb7!=+*u^
z!8b_0A8C^BN1EjOkrq$xbY11I{$J7o_5Z2W54C^a{MG(ncm^OpAMYsHKGM|wee0(<
z23Gs`&0m-O!y|wg)&W(5C_lJ2rS!)hd(24i`~JS7qQXeH`s%BVgjBa5@((!B9q1B(
zECxyTNK2`FUHMD0N1DoCls)Q&E2#VhA0XL2(tx?CMgYo?fHIZ<WHG4xRsNC=q*}kl
z{MG-9wjTh?mTVtst{}-CX`*~mO;`D={3RXG@t@kiqyw(`9qHK*Y2SeHUtjRy621hw
z1YiAwi@)XN<wk-_zApOu_3Mp<Wy_Ws3Dc%cGZGT$A0^%*?Rp1*>?=sJN1CgCDt|!-
zfPXIjxcIB`7kq%rzFl<5_K_ypKGG!HN1DoC)_?W?PXDU*ul6tLfUnLUZr1)^7z3*R
zclxJ9`nb4h)c-sAE7?BM{06oEZ?^rr^yhL&AYlj4CB(ITxX(#jwQ7}-@Wtm}7zwWN
zKYSVjz6}u{)ztwbVa19SMgp`k;6SSF8;bW8B-tZPl0DL#GM3UvvPYUEd!)I7BzvSu
zvPYUEd!#|z0uHGB1szfOgZ891sQn9lfZD(Me@O?xbOR2k|5yJn=|FnDzdZKW@t=<W
zaf~lP$NzF4AlW|BzV5-b{_Fv0fP{B|9v1@#4m>Eqwg2<ePd_yhV19R(gsiNrG6_)k
z`y6ob2X61u!PP!V_DG8>d!$LSN1Dn%?Yg7#mwkYXKWP`B&kDHOr}i(e(e}yywBN4s
zSNoTAK<!`cU(x{`|E1l9`>KFs`$&^yk2ICPFZRnf!~4&_Cun;a+R5jCFAk=8qpH&>
z=e&3<u#?ZDi_<gZfO0@N(0LrN{9Sl44lliv>7DL>qYF$!|HCVghW<AbggqEg2*~g*
zf?o)OJ+Jo6HiXZQ@8>MIjbkdDbG#4d5lomc;UI^-@5bK43E%5F$T4Zsq~#otcb<js
zz&Qt;rZn)jW1P1g<B_&woVOk0+WzQ$mn#3dsBal@-N!iBeT;)nb+-PGhB7%0!Z`<a
zB@yI3oM$-f|6gl!g^B+jK7814j2k!3a6s96EZhR;9B}F@@U~-|w;kh=wqu;P9pl>m
z=>OnLT=H!xx$H5{Wsh;-xynD92VD0to@}u7JxaeJGx2=$=FNt~miK}M3k-*ypZ(ou
z`+o3=QQvm9?}zh{g=G1m?T_~NqP%VXbJ=6u4qWyax9?Z^NB{4I&A$}rzdfE6`?uM%
zXB&=DqedAHdpu|V540_B*LhP@li{%Qcij(kyMMsBX%20F^z)p`KYEN8<)gUnW1Q<g
z#%=xV0{Wj1_P`O<UfaHwELmbWZ2x4p-~J!2ygYb5V6gL_Idi7ru=C%xZJXh+?@!>|
zelNw_j&W_jzymIOjN3uwAN@Sv1@!*|(0L9~|84u2JbAL=_;}ODhQrp6U@&MnwrtsA
zIBfmlX)&IkpC1LgJ_($^18F#T+cB=~Pl5+r_88}~$G9DAd2-ofT;(6_KWu)bK>u4n
z=Q)zn|CK9O8V+0DwY9Z|qo$_DaM<bX^EGSM7>;D^Ge&xQe9PO8aczGRJm9j&xE;9c
zG0tU=aaZ87$9S^xiIHCAFFfDG;FrkrBS(%Hj{5p~!;zDdV>mK1GY!YajT;R|V`HP?
zu=QistXYO5+4^>Ldfs-7^R{E0w;kiW?HK26$2f00#_hn{j`5CePqO)G`@h-xZ|kQ$
zo^$DwJ)gOI_in>s>(|z;TMdUR|5Vep{m~py`A0v`y7cdBp#N1+M~<ZW6nlQteqJdn
zD>ED=B_)Q#em`#8`@Vhq42S)E=;Ch-y8S+Yw;ki!{v>#y^51JX54xcK7lF=mB&Gi|
zX3Q`g&4-!|M|AJ-)iZm3)V6Q?4tu<uti3||G7G%z7}xeE!2>RPjC0vz+!a**A;Wo)
z2K^rfI?s`m{@eCq|F5gPp2PlbgFXJS^~L@l-rU?=!(o@7z`6b14&HW*Yx{lhK;=Kg
za2|94{Rfqg3hUsE!<RkS|Ka8GZ}$H(+209=x+Pnm0NlgD*ZyGK4!rFcPqw_M^xFRD
z|8Z9NN59{*`@64!{@dS$xBsUoO22LUu<h0U4==mD_PM=3#{M4$`+s-r^5NXBul=1h
zNFoMpfAoKY*!)!a3w^=~p#QdUTn-mF>~B7b`e1*@+x~95ZU6Rn+3oMJ+uz)Ux&<sG
zYwvKo7<k(;uI-QJfy!U-2Pc63+s0v!pY8Rud~MxVzT;>=|J&c_w7<z|e}fY$V?V#!
z^|9;Q(dTw~+WzQo{iyue`cnHlre8PxHwVx>dYZV$HtV6U8GPj!z8x}%ckF26JJIrM
z=bPs^#^o<|z7W15m&o;S#_{Eg--*Zq`~nd9PQ(w6`#TYQFV$4Yk`VbO0{<QYf7avk
z0x%~W`33~v{|@=(F{I*~4_g1aI^18|nfxCOG9?^@I3Y5w<a_G*dI9^{A=WwHKhF1#
zLpggG_#R=noK&E?<B{r)N3A~yBt`t^Jdg01^PI=|o@A~gd@nLj&*$uUdj778r-wM-
zbDoGUY5jq*oy>pk+hf`(-`mOeb@IN6ul2BWAf_J1+q*2>%l#66*3kMx-;_rF=Yz}$
zF=fs7MsmNw^@qRfkGBst-u~C)*!RkxO{wm9)cS`)arYsoi2r<_VNCvWx$u2;d`}(M
zE56o@ue;^?#?$b<W4tUO&Y$JA{?>j*&f8AlKi{Y3)E~Yti|Y*EkHz<5@iaWn_g@Km
z60bhIpVj&UW7Ek0cruE4ov*{@dz$!uCcc-6ugm0nn7A(Sy-UZTOEK#iFCVRc+djH<
z@t>E=ePcX%@n@@e`+quf-;dV6Z66l5BcJ@|`z)Nc%*Xk>pN+SdgwG4{I>*~P5>F4U
z>-<?v>kr@GNF)D?KsE%Y{_u6_d`&vHYaZv%Wqkb1)9^md(vx`g;d>3J?s$xsK5|{_
z-?mP!1NqO_c}Mu1h%Dl*=jHG6c>l%g%-63U$GUa?u3PIrWQgH&vz^R;P?bnn2QflY
zy2RH5$MZ9M4Jcnv24yBvRshlw`1~PUjs&VZ9uvtkl1A(A<W~TAN{GjQzQ&ZVuZ-}S
z%Z2LzUr)>Z43G2os(k${Upve5hd8eTUq1(=m_h4bUd~w_74HQ8bD>-gCj`DWF{Uo@
z^=N!8CT{>=gUQ!l^0k*xW`H3Poq^;r1JxamT7M8kC-a{Rh5IZ1?jSM`%-1vV{+F-g
z<7@c%`aLL!k7syUybgZiJWs7Z{Kt7m@!u4}`XKNq_VE}>E8FwzV*syrYjYC(h?h^q
z5NK~y%wr5b*!-e%o4<69>$ENc3<gBjY4u8Koff@6j#`sN>#?ZMqA@A00iyL+P%N#z
zqIFkrDXEaI@<&505eM55?iXoI5zQO%{*T9L{R*uef;{%LgVuS#sTk5#K9w7D96)Pg
zsI9aX16mSJPtRFIr{`Ou!;#j!#N$J{$|pUGk~gjGpmiOj=QPjA+7-nwTE9W*W27T}
zpuQ*F<>x~k5mD`+wFx9oY7fnO(OLw$kKTb(dRlux^cY9#Z_`~qy{C?9Kh>AstJ6Dm
zY9Gxp)4K}d4_&8s=af&3BaM;LT|T{MjoE&BFHG&G_mT82n6A^2-v7pEubn^HTe{1)
z>lJlQ?*{0dCcV$3cbPQDOYbm=5A^Ob0X{^PXQxkh`P3fLbGv@z=jk0B)tBD=*y)o!
z?}YN{JxxqGkiRFpruP~2O)?q}P`l~<5%~k5z0?n+yZj=kBO+$|>AeEI6Crufk@^E_
zFI^|Qh?g&1r*|FcE}!PfW452_PjmV-&Y@>n(tm0<&EM19J>4JUNYA$EE+48E4(s3-
zA@YIdb8UIk95l^63i$+phM@5eM8hH7<<lG`&22{Uf!am$sU&YY((@3_pVHhZw2bnh
zd};2hz1fjNy341E;Jg}w=GLhG;Umol(p(_5pXQ)w{*UJVAfG@x;<X#dQ6b&sQ)Ng$
zX`C7!uhD!K*+0!=(Hs`dpFk#L-;@vKo9L15OKJJXU^WJEplwfH&-Xm<WJIEsbfts5
zymo~1rE;iToTq?kiSS%SWS-&_=R5^IGvT~M`2TXz_Rt^U90dE%Q=E5*6-L8F9D9cU
zdlUO_9_T+KfxZWT&#FA&y%Bq$|Er__rNh1f1NI5+>F}AC^1wQW%ccK;!aC#lg6E0P
zk9eJ3!+M}D<kL0!A014G{VzU?Aq}6wFyONnrENc=4&ie~<U0NL2Bycc4UX?HKaAtE
z3r`Di)O{SMN3PSi`{^6~m=A_H-`o$ko8OP)CHmeueb=16U!KT!%CRi0Gv$dq$1y18
zi(^l^&W<?Fid;v&V_R`NhhsU^1H2c<Zx;XY9+W{5zn{Kci1omLa=`mA;Mj+!g*c9N
zu%C~*j$;bc8T2Jse+)Q&z_Ejs7JUhZb$}=u_QzB%_QBXsS!n`rj{1Y4F97?Ya2iaD
z{TT(cBkaGh?`ltjY0+=<fc_c#hHx6}53n!5fTo20AALX20|5J8xD*apAJob4et&E~
n`cd?u=s)2)wwLM*QOFGDMBf9iRG1Myb^a7W3QUXl;JyD3hY>3l

literal 0
HcmV?d00001

diff --git a/assets/img/favicon.png b/assets/img/favicon.png
new file mode 100644
index 0000000000000000000000000000000000000000..653984682f4f19f468dbc177b0cc663d4f4ffd23
GIT binary patch
literal 6230
zcmeHKX;@R&){bZa5d;K>0z!;XMai5H5)%X&1BBTD>Xe+EKp>OJ$pE4v&PG8I>d@kd
zA}Vl|K`9DIK@>p+5d;C1nc4~pE$DUlP68@^w_oq)^W6K-<Vnch`(5u^``v4;&Dj;`
z?`33QVSqp&jF{f;!SG)b%|~As{<ax>&qg379gPiL0R^*_NQqR;;|o9}6e9tVpo-5!
zAXLp+%lLKW^Y!2M+jr}uFe<CYbA{KfHXUWA51$jOQ(aE!yhJ?O^Zs30w+%h<riD#%
zxz(wPj@-N1@uusYyGD}#s2qOHrVJt}w5Lc;pz|i5s|{jmlO8LyblW12y6j!Ao%X*y
zz2>O-s_m+n&e9>@pkniji{|wP2i^gi4%xNZoJc(I=Z0z2HM!2agvBYd?+%KOnOw78
zyCcogPw+zC<Io#>OF})A&{!0*@}aEsV9ff2_^avz*9NQTr%qaJ*td9d*^3lQed{gX
zrWU7$sBGe7TSx8?DEV)Y$5<@-q?l_m1zwgo2vvA(C9U4k>_v5QxS&t9d4%#Tvn<U3
zxQ6(fZMrv$gasT@RVU)MZ9tj<%R*0B|Kz0d7rVe7i}-ND)6PrL0;AHQ=zGvEqH+eZ
z5rM@48O8V56q{~~$%e`@pU|)^tI`v~j+M-^nO;*EYz?9<7LIf+o0iSdlRi@~MQrW9
zb4oHvmDCgQw8{l%#hzjHkB716&Th_b36Ck)ySHcCgrN&$pSQvBCf615#B!HX&vuvn
z0x8CHPNGhnf%&a-dkysGPilO6da&B`$<FT!F3zjH*zk>VcWrJWYWGhFR=3Utx`pM-
zc`>e2Q%kS!FyVN+E}3d49m1E-3Rzi`W9#p{%{;^>S-POC-OfA3mSgLC3qw2t+{9-%
zP<w*c=DEnOKTr7Pbm;QJ*A`J1GJR_DN$CND=)8x)X7{BFTjkGt%@}{ypYB<$Ym{C$
zFn5nr-M;-^hrRP}-M@?L@C)G`^$40PD|<~SPP7o#w`{HtKV(i8u=wYXKkzRrGu%lH
zaG|3o?Yk#p^R``8@?0<Da+^*pNZ4|az4<<Wj_#zl$eG{SD=3}T5@OqX1Ip$7#3?_Q
zxZH8*bw&>Feq>qy`e)%0P=?H_l6>=kP-Q%2yZJnDRn(eOfT8RnE_f;)W7_qkykc*P
z<HGgL&VhptBhFnxmBCQ#)2V#V`$yB_kXY{>A)d~4_R*!M`V@DEEo#IoGf#$Bgr*ks
z$WO{H1m%Nz(}(Y@sXRL@wGw6q<ed)MJLsQqSZ&Z3!kaZ*lhOpm=C@V|lNMkD2Pg|q
z3}7&4)M~v7JD&q?B@a#iB&F30x^J6bPB@a)l~>Ebb@|O$_^8K7_vaeBzTKCgiXU5n
z>Kfx|F_GaamagMWRKrrn#<oi3BB!5Sp^Wm%fgf$2EX`lE=lJfR=ojFL@1%`~R5j`5
z4>F|@zr1nS_3Oi5eVPX{8qC9%tu4wq68@?^p&-LEHa#x$jq9HJEW#ftR}u?MV<((R
zI;hwu;@bus=$=W=dABuI;XPDg-fgPi6W8*pzS;lOCAXQ+vVQC4Rh|nZJhmssPW0%@
zSYn>#m*4o{XynoRSC>XNME!nuqg$<Qak^t%QrV3*pDTQEu-r{8Xnq;QtXf}a(;Rio
zci^A(Eti}HPF}TF?SA*48#Oqqs{y>fI%@l}-W11;&l`Z+w$|_5@<O&5Q~N~MFbeek
z867z%ht5PsSY0*|{JyF`u1=0QH}kjZ<-W5wWnOw^!`|K5DLpt)fIv*x!gq5EWV*S1
z=u~ij`f0;{hW9TnRuyYPPNSypP?)T{8JHGsGJReB0`n6~&Q1@P;|hnS93k1-V-gdh
zuU}89IJZTen>{r<0XZ_Ey}LWT7iISjYoE9C#gi*G{m&WC+a@f@ts<R|u(}65s!mVl
zU`iHjUp;57zG?ZKo7IGFTYIC&FXTyxHT~1*x8JuM16<H64E1-G=T_r{?MCf=tVd6-
z23Ub$n4R;y#2+EocCYM()+OsOg$@JNXAjp@n|bZ32%focRdv-FPr8Ry2s!QLwx22&
z^q}vA=ig}_?!+3-97+YV?_0SVs8=LRGBx=1>~RCj$>H)~2X5rzz78A3+i8X7(xs(0
zFUDJtZf4uOG2W<*o<48h)pW_U-VN)1N(w^eP06!J9Nh4mQ<fQW#BgQb>`hsdtK*W}
zdLu8+T`RG?a^-nsm9?aBq9NnkOZG*<`_2S9==4Vnv0{+YDML9i*Ybzgy+&{|&kq?%
zB>H<&=dW+=Y2DCz?d|$At&fcZ!=#7jG#u|kAdJ;~_~KZ>@}mJ_A%@Krb3lwrD1k2)
z1cJU;C1C^6AcW+A5quE?)n8PCLh`u`)N(Ql$C9{#k$mr1DHsy#9}2`q15_?*v9keP
zMS}^1AjC$hgaVO_redJ9yfpZ?W*Un^Y9UZG1GRz`h;$Q6K_m%7!r;&zD!zh%ayCHH
zrCc5@*xhrC0v<6?kq{)IVX;c35~Czy#L@^Xo=T-+aRe-ZfQAuhS&Rr`tI#6ZTn)u2
zhdU?(q<jg)7mJV@PBup@hZranyp9|rhgSg)6+AiSKr`0T%OEb62@go{eqaEWfWtYV
zaRfAhiXCqcud-Mltwpji6=6NGDz*fR$KbF+;b#^y$V2hT-(OnDLgD)x8w|?Caw!0M
zC_oW3cf3=HKrS2aQ!WEFQ`)!%Tpkt<O6z&NjTe&@_|ZlqV+3C)(OPKG<B?q8BTgch
z3bYt5fCUAh5Dr8JGvhzQLww$+1Nv+~nw5VE1a|k4|1<Oly|l4tb)~tB0lCI0)186R
z#7pCf0X~<e{mCW)L>xe*pec@cE}BGS^UzLIkb@@hKr-mWrtm0u@;EA{NCvS*0H~pY
z$uWGGhr}gPNjx$RO?1SAXc7e=qp3tZ8BGLuJOCtcIb0{+IEnx%AFc$pV0=^>DlSX~
zkntogj!HpuIaB~mB9R@@PL5nWngVjjL@tHE#sgF>mF661u7OMjih#j=nh6xJA)Z(&
zWT5=`BDw0*LMUGdhCpnMXn03F2~Q<ciDW9C=!6@`w+xiZ;3U^@;&B)PL2J$hXr3@5
z8%{R9kR1VHC87xJg63Fg@Md6P*_zsbnYHuqUTAJokPV5Yp<=Osfzrf^)KF?m3P~R;
z7Mh<J&>CvNAXigwV->fA9f8#j>Da#m{|i${q*y8X|M7f+eq?c#LQ1hTIzSr0i2?!W
z?|J?T{E;ab?sYOq8pHfIoBCfk`e?d(!?t2+%sBrc;JVS#XhRb4wNfFG+9p6_1EccG
z*b0!VJpx$A(Ip^~Es6l)ZaY?LALjXgk;WVnk-(!+31}WjC89|LCr32f5n!Y7c!0<w
zlXx5|ZZy+AvdhFgNXeFht`Tq!z~>B?miC;H^R?M$|9LFRND$7Eg*ZG7<{3R+Bps`1
zs2{dR*R&iKi#A>Wx~3)3n3~KBkxL{3J}CWMm=B5af8fU1k0s^5GanBdwRRIrV&I~U
zgaVYJzjgl?z)=Q2J^+ej;=c=hJY-asarX`!^XMFWpTXB7_T&9HmKK`I`7gf4((S+K
z0jB=y<cswED%V%JzDR*D0)Ne}uX25n0$&9FnqB`fxePu%VS^(0A3Y`f{Jc)bHwu3C
z*5&wmxg*|d-p8+H9DrvgOT5Em2*k8*&1XVQiOX4dQV(LXJoLJBW|^VqzM4%VBM>@f
zOn28%r`z%aCBEMWnO81uH%{1B=ekp!g5v$)H=*xIvI6&Q+R7h2^z9Q)-}5keqt~L|
zqV~O!ZfEeF+wo!(tCwcsW;<G<Am(nCb?1hn&Rc^Itgozm-nG8?aX)p(!~nqhp>A<@
zR@NT@{{Hm>$JE<h8?&;rd7FpLs&h>zY((fl3dNac#~PDun+lqjFR$tu)M+lYr0{vt
z9E8U~hQ(gOqD8msp4lNT-1dFm-)}!djmU|&8W1H<ELARVViXk>5pH-VFG$^evi5A;
zAxGR|qw@Hqw(y3=#$6R0sA$#pU*_!h-m0Se7qy;QcE0c*2VL}@s1L@7#R0}8Hl5o$
zoRa*jx-LETm~p)8?Qeg?S|n9g@p7xUgiFHjPt|(EkG+H&Ba=lh8ZpfL@ZVnu!+sEn
zL?ny7p*f9jCmnflx2{0A<b=sC_k?BVE9&dbH@n0a7E%d^t8)k6cYt&TBh^-3v`S7(
zt6ZJpb9z(#=69q41>t)HY@?o{cF1usGt}jiEcR3aWlwR59f9-BueSFfj;*@U(E%`%
z@t%nt^V9sN+<W(~*fz5^a%8q(q61=si=Lidb4yDK-t*e({>dubtdR`KvsN`4dnG)}
zCwZ!|@i)D_z23>(upiXx;*B;DFRz@}XUuOZK#L7`xY-?GE|2NhWLb!a)43Cp8T!7x
seaVekVLv>0+|=|+H+}QWwyh=E^$GJMN4DLDGX}x*@ORH%vNqv=0Dg#ofdBvi

literal 0
HcmV?d00001

diff --git a/assets/tpl/admin_create_clients.html b/assets/tpl/admin_create_clients.html
index fab3dec..ea233ce 100644
--- a/assets/tpl/admin_create_clients.html
+++ b/assets/tpl/admin_create_clients.html
@@ -53,7 +53,7 @@
             }
         }).tokenfield({
             autocomplete: {
-                source: [{{range $i, $u :=.Users}}{{$u.Mail}},{{end}}],
+                source: [{{range $i, $u :=.Users}}{{$u.Email}},{{end}}],
                 delay: 100
             },
             showAutocompleteOnFocus: false
diff --git a/assets/tpl/admin_edit_user.html b/assets/tpl/admin_edit_user.html
new file mode 100644
index 0000000..97729b0
--- /dev/null
+++ b/assets/tpl/admin_edit_user.html
@@ -0,0 +1,87 @@
+<!DOCTYPE html>
+<html lang="en">
+<head>
+    <meta charset="utf-8">
+    <meta name="viewport" content="width=device-width, initial-scale=1.0, shrink-to-fit=no">
+    <title>{{ .Static.WebsiteTitle }} - Users</title>
+    <meta name="description" content="{{ .Static.WebsiteTitle }}">
+    <link rel="stylesheet" href="/css/bootstrap.min.css">
+    <link rel="stylesheet" href="/fonts/fontawesome-all.min.css">
+    <link rel="stylesheet" href="/css/custom.css">
+</head>
+
+<body id="page-top" class="d-flex flex-column min-vh-100">
+{{template "prt_nav.html" .}}
+<div class="container mt-5">
+    {{if eq .User.CreatedAt .Epoch}}
+    <h1>Create a new user</h1>
+    {{else}}
+    <h1>Edit user <strong>{{.User.Email}}</strong></h1>
+    {{end}}
+
+    {{template "prt_flashes.html" .}}
+
+    <form method="post" enctype="multipart/form-data">
+        {{if eq .User.CreatedAt .Epoch}}
+        <div class="form-row">
+            <div class="form-group required col-md-12">
+                <label for="inputEmail">Email</label>
+                <input type="text" name="email" class="form-control" id="inputEmail" value="{{.User.Email}}">
+            </div>
+        </div>
+        {{else}}
+        <input type="hidden" name="email" value="{{.User.Email}}">
+        {{end}}
+        <div class="form-row">
+            <div class="form-group required col-md-12">
+                <label for="inputFirstname">Firstname</label>
+                <input type="text" name="firstname" class="form-control" id="inputFirstname" value="{{.User.Firstname}}">
+            </div>
+        </div>
+        <div class="form-row">
+            <div class="form-group required col-md-12">
+                <label for="inputLastname">Lastname</label>
+                <input type="text" name="lastname" class="form-control" id="inputLastname" value="{{.User.Lastname}}">
+            </div>
+        </div>
+        <div class="form-row">
+            <div class="form-group col-md-12">
+                <label for="inputPhone">Phone</label>
+                <input type="text" name="phone" class="form-control" id="inputPhone" value="{{.User.Phone}}">
+            </div>
+        </div>
+        <div class="form-row">
+            <div class="form-group col-md-12 {{if eq .User.CreatedAt .Epoch}}required{{end}}">
+                <label for="inputPassword">Password</label>
+                <input type="password" name="password" class="form-control" id="inputPassword">
+            </div>
+        </div>
+        <div class="form-row">
+            <div class="form-group col-md-12">
+                <div class="custom-control custom-switch">
+                    <input class="custom-control-input" name="isadmin" type="checkbox" value="true" id="inputAdmin" {{if .User.IsAdmin}}checked{{end}}>
+                    <label class="custom-control-label" for="inputAdmin">
+                        Administrator
+                    </label>
+                </div>
+                <div class="custom-control custom-switch">
+                    <input class="custom-control-input" name="isdisabled" type="checkbox" value="true" id="inputDisabled" {{if .User.DeletedAt.Valid}}checked{{end}}>
+                    <label class="custom-control-label" for="inputDisabled">
+                        Disabled
+                    </label>
+                </div>
+            </div>
+        </div>
+
+        <button type="submit" class="btn btn-primary">Save</button>
+        <a href="/admin/users/" class="btn btn-secondary">Cancel</a>
+    </form>
+</div>
+{{template "prt_footer.html" .}}
+<script src="/js/jquery.min.js"></script>
+<script src="/js/bootstrap.bundle.min.js"></script>
+<script src="/js/jquery.easing.js"></script>
+<script src="/js/custom.js"></script>
+</body>
+
+</html>
\ No newline at end of file
diff --git a/assets/tpl/admin_index.html b/assets/tpl/admin_index.html
index 40edc5e..7e7afd3 100644
--- a/assets/tpl/admin_index.html
+++ b/assets/tpl/admin_index.html
@@ -84,13 +84,11 @@
         </div>
         <div class="mt-4 row">
             <div class="col-sm-10 col-12">
-                <h2 class="mt-2">Current VPN Users</h2>
+                <h2 class="mt-2">Current VPN Peers</h2>
             </div>
             <div class="col-sm-2 col-12 text-right">
-                {{if not .Static.LdapDisabled}}
-                <a href="/admin/peer/createldap" title="Add LDAP users" class="btn btn-primary"><i class="fa fa-fw fa-user-plus"></i></a>
-                {{end}}
-                <a href="/admin/peer/create" title="Manually add a user" class="btn btn-primary"><i class="fa fa-fw fa-plus"></i>M</a>
+                <a href="/admin/peer/createldap" title="Add multiple peers" class="btn btn-primary"><i class="fa fa-fw fa-user-plus"></i></a>
+                <a href="/admin/peer/create" title="Manually add a peer" class="btn btn-primary"><i class="fa fa-fw fa-plus"></i>M</a>
             </div>
         </div>
         <div class="mt-2 table-responsive">
@@ -98,11 +96,11 @@
                 <thead>
                 <tr>
                     <th scope="col" class="list-image-cell"></th><!-- Status and expand -->
-                    <th scope="col"><a href="?sort=id">Identifier <i class="fa fa-fw {{.Session.GetSortIcon "id"}}"></i></a></th>
-                    <th scope="col"><a href="?sort=pubKey">Public Key <i class="fa fa-fw {{.Session.GetSortIcon "pubKey"}}"></i></a></th>
-                    <th scope="col"><a href="?sort=mail">E-Mail <i class="fa fa-fw {{.Session.GetSortIcon "mail"}}"></i></a></th>
-                    <th scope="col"><a href="?sort=ip">IP's <i class="fa fa-fw {{.Session.GetSortIcon "ip"}}"></i></a></th>
-                    <th scope="col"><a href="?sort=handshake">Handshake <i class="fa fa-fw {{.Session.GetSortIcon "handshake"}}"></i></a></th>
+                    <th scope="col"><a href="?sort=id">Identifier <i class="fa fa-fw {{.Session.GetSortIcon "peers" "id"}}"></i></a></th>
+                    <th scope="col"><a href="?sort=pubKey">Public Key <i class="fa fa-fw {{.Session.GetSortIcon "peers" "pubKey"}}"></i></a></th>
+                    <th scope="col"><a href="?sort=mail">E-Mail <i class="fa fa-fw {{.Session.GetSortIcon "peers" "mail"}}"></i></a></th>
+                    <th scope="col"><a href="?sort=ip">IP's <i class="fa fa-fw {{.Session.GetSortIcon "peers" "ip"}}"></i></a></th>
+                    <th scope="col"><a href="?sort=handshake">Handshake <i class="fa fa-fw {{.Session.GetSortIcon "peers" "handshake"}}"></i></a></th>
                     <th scope="col"></th><!-- Actions -->
                 </tr>
                 </thead>
@@ -144,15 +142,14 @@
                                         <div class="tab-content" id="tabContent{{$p.UID}}">
                                             <div id="t1{{$p.UID}}" class="tab-pane fade active show">
                                                 <h4>User details</h4>
-                                                {{if not $p.LdapUser}}
-                                                    <p>No LDAP user-information available...</p>
+                                                {{if not $p.User}}
+                                                    <p>No user information available...</p>
                                                 {{else}}
                                                     <ul>
-                                                        <li>Firstname: {{$p.LdapUser.Firstname}}</li>
-                                                        <li>Lastname: {{$p.LdapUser.Lastname}}</li>
-                                                        <li>Phone: {{index $p.LdapUser.RawLdapData.Attributes "telephoneNumber"}}</li>
-                                                        <li>Mail: {{$p.LdapUser.Mail}}</li>
-                                                        <li>Department: {{index $p.LdapUser.RawLdapData.Attributes "department"}}</li>
+                                                        <li>Firstname: {{$p.User.Firstname}}</li>
+                                                        <li>Lastname: {{$p.User.Lastname}}</li>
+                                                        <li>Phone: {{$p.User.Phone}}</li>
+                                                        <li>Mail: {{$p.User.Email}}</li>
                                                     </ul>
                                                 {{end}}
                                                 <h4>Connection / Traffic</h4>
diff --git a/assets/tpl/admin_user_index.html b/assets/tpl/admin_user_index.html
new file mode 100644
index 0000000..6c431e8
--- /dev/null
+++ b/assets/tpl/admin_user_index.html
@@ -0,0 +1,67 @@
+<!DOCTYPE html>
+<html lang="en">
+<head>
+    <meta charset="utf-8">
+    <meta name="viewport" content="width=device-width, initial-scale=1.0, shrink-to-fit=no">
+    <title>{{ .Static.WebsiteTitle }} - Users</title>
+    <meta name="description" content="{{ .Static.WebsiteTitle }}">
+    <link rel="stylesheet" href="/css/bootstrap.min.css">
+    <link rel="stylesheet" href="/fonts/fontawesome-all.min.css">
+    <link rel="stylesheet" href="/css/custom.css">
+</head>
+
+<body id="page-top" class="d-flex flex-column min-vh-100">
+    {{template "prt_nav.html" .}}
+    <div class="container mt-5">
+        <h1>WireGuard VPN Users</h1>
+        {{template "prt_flashes.html" .}}
+        <div class="mt-4 row">
+            <div class="col-sm-10 col-12">
+                <h2 class="mt-2">All Users</h2>
+            </div>
+            <div class="col-sm-2 col-12 text-right">
+                <a href="/admin/users/create" title="Add a user" class="btn btn-primary"><i class="fa fa-fw fa-plus"></i>M</a>
+            </div>
+        </div>
+        <div class="mt-2 table-responsive">
+            <table class="table table-sm" id="userTable">
+                <thead>
+                <tr>
+                    <th scope="col"><a href="?sort=email">E-Mail <i class="fa fa-fw {{.Session.GetSortIcon "users" "email"}}"></i></a></th>
+                    <th scope="col"><a href="?sort=lastname">Lastname <i class="fa fa-fw {{.Session.GetSortIcon "users" "lastname"}}"></i></a></th>
+                    <th scope="col"><a href="?sort=firstname">Firstname <i class="fa fa-fw {{.Session.GetSortIcon "users" "firstname"}}"></i></a></th>
+                    <th scope="col"><a href="?sort=source">Source <i class="fa fa-fw {{.Session.GetSortIcon "users" "source"}}"></i></a></th>
+                    <th scope="col"><a href="?sort=admin">Is Admin <i class="fa fa-fw {{.Session.GetSortIcon "users" "admin"}}"></i></a></th>
+                    <th scope="col"></th><!-- Actions -->
+                </tr>
+                </thead>
+                <tbody>
+                {{range $i, $u :=.Users}}
+                    <tr id="user-pos-{{$i}}" {{if $u.DeletedAt.Valid}}class="disabled-peer"{{end}}>
+                        <td>{{$u.Email}}</td>
+                        <td>{{$u.Lastname}}</td>
+                        <td>{{$u.Firstname}}</td>
+                        <td>{{$u.Source}}</td>
+                        <td>{{if $u.IsAdmin}}True{{else}}False{{end}}</td>
+                        <td>
+                            {{if eq $.Session.IsAdmin true}}
+                            {{if eq $u.Source "db"}}
+                                <a href="/admin/users/edit?pkey={{$u.Email}}" title="Edit user"><i class="fas fa-cog"></i></a>
+                            {{end}}
+                            {{end}}
+                        </td>
+                    </tr>
+                {{end}}
+                </tbody>
+            </table>
+            <p>Currently listed users: <strong>{{len .Users}}</strong></p>
+        </div>
+    </div>
+    {{template "prt_footer.html" .}}
+    <script src="/js/jquery.min.js"></script>
+    <script src="/js/bootstrap.bundle.min.js"></script>
+    <script src="/js/jquery.easing.js"></script>
+    <script src="/js/custom.js"></script>
+</body>
+
+</html>
\ No newline at end of file
diff --git a/assets/tpl/index.html b/assets/tpl/index.html
index 1536271..f46a2eb 100644
--- a/assets/tpl/index.html
+++ b/assets/tpl/index.html
@@ -13,18 +13,69 @@
 
 <body id="page-top" class="d-flex flex-column min-vh-100">
     {{template "prt_nav.html" .}}
-    <div class="container mt-5">
+    <div class="container mt-2">
         <div class="page-header">
             <h1>WireGuard VPN Portal</h1>
         </div>
         {{template "prt_flashes.html" .}}
         <p class="lead">WireGuard® is an extremely simple yet fast and modern VPN that utilizes state-of-the-art cryptography. It aims to be faster, simpler, leaner, and more useful than IPsec, while avoiding the massive headache. It intends to be considerably more performant than OpenVPN. </p>
+        <h3 class="mt-3">More Information</h3>
+        <div class="row">
+            <div class="col-lg-4">
+                <div class="card border-secondary mb-4" style="min-height: 15rem;">
+                    <div class="card-header">WireGuard Installation</div>
+                    <div class="card-body">
+                        <h4 class="card-title">Installation</h4>
+                        <p class="card-text">Installation instructions for client software can be found on the official WireGuard website.</p>
+                        <a href="https://www.wireguard.com/install/" title="WireGuard Installation" target="_blank" class="btn btn-primary btn-sm">Open Instructions</a>
+                    </div>
+                </div>
+            </div>
+            <div class="col-lg-4">
+                <div class="card border-secondary mb-4" style="min-height: 15rem;">
+                    <div class="card-header">About WireGuard</div>
+                    <div class="card-body">
+                        <h4 class="card-title">About</h4>
+                        <p class="card-text">WireGuard® is an extremely simple yet fast and modern VPN that utilizes state-of-the-art cryptography.</p>
+                        <a href="https://www.wireguard.com/" title="WireGuard" target="_blank" class="btn btn-primary btn-sm">More details</a>
+                    </div>
+                </div>
+            </div>
+            <div class="col-lg-4">
+                <div class="card border-secondary mb-4" style="min-height: 15rem;">
+                    <div class="card-header">About WireGuard Portal</div>
+                    <div class="card-body">
+                        <h4 class="card-title">WireGuard Portal</h4>
+                        <p class="card-text">WireGuard Portal is a simple, web based configuration portal for WireGuard.</p>
+                        <a href="https://github.com/h44z/wg-portal/" title="WireGuard Portal" target="_blank" class="btn btn-primary btn-sm">More details</a>
+                    </div>
+                </div>
+            </div>
+        </div>
 
-        <h3>VPN Profiles and configuration</h3>
-        <p>You can access your personal VPN configurations via your Userprofile: <a href="/user/profile" class="btn btn-primary" title="User-Profile">Open Userprofile</a></p>
+        <div class="jumbotron jumbotron-home">
+            <h2 class="display-5">VPN Profiles</h2>
+            <p class="lead">You can access and download your personal VPN configurations via your Userprofile.</p>
+            <hr class="my-4">
+            <p>To find all your configured profiles click on the button below.</p>
+            <p class="lead">
+                <a href="/user/profile" class="btn btn-primary btn-lg" title="User-Profile">Open My Profile</a>
+            </p>
+        </div>
+
+        {{with eq $.Session.LoggedIn true}}{{with eq $.Session.IsAdmin true}}
+        <div class="jumbotron jumbotron-home">
+            <h2 class="display-5">Administration Area</h2>
+            <p class="lead">In the administration area you can manage WireGuard peers and the server interface as well as users that are allowed to log in to the WireGuard Portal.</p>
+            <hr class="my-4">
+            <p>To find all your configured profiles click on the button below.</p>
+            <p class="lead">
+                <a href="/admin/" class="btn btn-primary btn-lg" title="WireGuard Administration">Open WireGuard Administration</a>
+                <a href="/admin/users/" class="btn btn-primary btn-lg" title="User Administration">Open User Administration</a>
+            </p>
+        </div>
+        {{end}}{{end}}
 
-        <h3>Client Software</h3>
-        <p>Installation instructions for client software can be found on the official WireGuard website: <a href="https://www.wireguard.com/install/" title="WireGuard" target="_blank">https://www.wireguard.com/</a> </p>
     </div>
     {{template "prt_footer.html" .}}
     <script src="/js/jquery.min.js"></script>
diff --git a/assets/tpl/prt_nav.html b/assets/tpl/prt_nav.html
index 79178a5..6ab5d9b 100644
--- a/assets/tpl/prt_nav.html
+++ b/assets/tpl/prt_nav.html
@@ -7,19 +7,28 @@
     <div id="topNavbar" class="navbar-collapse collapse">
         <ul class="navbar-nav mr-auto mt-2 mt-lg-0">
             <li class="nav-spacer"></li>
-            {{with eq $.Session.LoggedIn true}}{{with eq $.Session.IsAdmin true}}{{with eq $.Route "/admin/"}}
+            {{with eq $.Session.LoggedIn true}}{{with eq $.Session.IsAdmin true}}
+            {{with eq $.Route "/admin/"}}
             <form class="form-inline my-2 my-lg-0" method="get">
-                <input class="form-control mr-sm-2" name="search" type="search" placeholder="Search" aria-label="Search" value="{{$.Session.Search}}">
+                <input class="form-control mr-sm-2" name="search" type="search" placeholder="Search" aria-label="Search" value="{{index $.Session.Search "peers"}}">
                 <button class="btn btn-outline-success my-2 my-sm-0" type="submit"><i class="fa fa-search"></i></button>
             </form>
-            {{end}}{{end}}{{end}}
+            {{end}}
+            {{with eq $.Route "/admin/users/"}}
+            <form class="form-inline my-2 my-lg-0" method="get">
+                <input class="form-control mr-sm-2" name="search" type="search" placeholder="Search" aria-label="Search" value="{{index $.Session.Search "users"}}">
+                <button class="btn btn-outline-success my-2 my-sm-0" type="submit"><i class="fa fa-search"></i></button>
+            </form>
+            {{end}}
+            {{end}}{{end}}
         </ul>
         {{if eq $.Session.LoggedIn true}}
             <div class="nav-item dropdown">
                 <a href="#" class="navbar-text dropdown-toggle" data-toggle="dropdown">{{$.Session.Firstname}} {{$.Session.Lastname}} <span class="caret"></span></a>
                 <div class="dropdown-menu">
                     {{with eq $.Session.LoggedIn true}}{{with eq $.Session.IsAdmin true}}
-                        <a class="dropdown-item" href="/admin/"><i class="fas fa-file-export"></i> Administration</a>
+                        <a class="dropdown-item" href="/admin/"><i class="fas fa-cogs"></i> Administration</a>
+                        <a class="dropdown-item" href="/admin/users/"><i class="fas fa-users-cog"></i> User Management</a>
                         <div class="dropdown-divider"></div>
                     {{end}}{{end}}
                     <a class="dropdown-item" href="/user/profile"><i class="fas fa-user"></i> Profile</a>
diff --git a/assets/tpl/user_index.html b/assets/tpl/user_index.html
index df90f74..33739a3 100644
--- a/assets/tpl/user_index.html
+++ b/assets/tpl/user_index.html
@@ -21,11 +21,11 @@
                 <thead>
                 <tr>
                     <th scope="col" class="list-image-cell"></th><!-- Status and expand -->
-                    <th scope="col"><a href="?sort=id">Identifier <i class="fa fa-fw {{.Session.GetSortIcon "id"}}"></i></a></th>
-                    <th scope="col"><a href="?sort=pubKey">Public Key <i class="fa fa-fw {{.Session.GetSortIcon "pubKey"}}"></i></a></th>
-                    <th scope="col"><a href="?sort=mail">E-Mail <i class="fa fa-fw {{.Session.GetSortIcon "mail"}}"></i></a></th>
-                    <th scope="col"><a href="?sort=ip">IP's <i class="fa fa-fw {{.Session.GetSortIcon "ip"}}"></i></a></th>
-                    <th scope="col"><a href="?sort=handshake">Handshake <i class="fa fa-fw {{.Session.GetSortIcon "handshake"}}"></i></a></th>
+                    <th scope="col"><a href="?sort=id">Identifier <i class="fa fa-fw {{.Session.GetSortIcon "userpeers" "id"}}"></i></a></th>
+                    <th scope="col"><a href="?sort=pubKey">Public Key <i class="fa fa-fw {{.Session.GetSortIcon "userpeers" "pubKey"}}"></i></a></th>
+                    <th scope="col"><a href="?sort=mail">E-Mail <i class="fa fa-fw {{.Session.GetSortIcon "userpeers" "mail"}}"></i></a></th>
+                    <th scope="col"><a href="?sort=ip">IP's <i class="fa fa-fw {{.Session.GetSortIcon "userpeers" "ip"}}"></i></a></th>
+                    <th scope="col"><a href="?sort=handshake">Handshake <i class="fa fa-fw {{.Session.GetSortIcon "userpeers" "handshake"}}"></i></a></th>
                 </tr>
                 </thead>
                 <tbody>
@@ -58,15 +58,14 @@
                                         <div class="tab-content" id="tabContent{{$p.UID}}">
                                             <div id="t1{{$p.UID}}" class="tab-pane fade active show">
                                                 <h4>User details</h4>
-                                                {{if not $p.LdapUser}}
-                                                    <p>No LDAP user-information available...</p>
+                                                {{if not $p.User}}
+                                                    <p>No user information available...</p>
                                                 {{else}}
                                                     <ul>
-                                                        <li>Firstname: {{$p.LdapUser.Firstname}}</li>
-                                                        <li>Lastname: {{$p.LdapUser.Lastname}}</li>
-                                                        <li>Phone: {{$p.UID}}</li>
-                                                        <li>Mail: {{$p.LdapUser.Mail}}</li>
-                                                        <li>Department: {{$p.UID}}</li>
+                                                        <li>Firstname: {{$p.User.Firstname}}</li>
+                                                        <li>Lastname: {{$p.User.Lastname}}</li>
+                                                        <li>Phone: {{$p.User.Phone}}</li>
+                                                        <li>Mail: {{$p.User.Email}}</li>
                                                     </ul>
                                                 {{end}}
                                                 <h4>Traffic</h4>
diff --git a/efs.go b/efs.go
new file mode 100644
index 0000000..cb7469b
--- /dev/null
+++ b/efs.go
@@ -0,0 +1,12 @@
+package wg_portal
+
+import "embed"
+
+//go:embed assets/tpl/*
+var Templates embed.FS
+
+//go:embed assets/css/*
+//go:embed assets/fonts/*
+//go:embed assets/img/*
+//go:embed assets/js/*
+var Statics embed.FS
diff --git a/go.mod b/go.mod
index c6f8168..8096c73 100644
--- a/go.mod
+++ b/go.mod
@@ -1,6 +1,6 @@
 module github.com/h44z/wg-portal
 
-go 1.14
+go 1.16
 
 require (
 	github.com/gin-contrib/sessions v0.0.3
@@ -11,12 +11,15 @@ require (
 	github.com/jordan-wright/email v4.0.1-0.20200917010138-e1c00e156980+incompatible
 	github.com/kelseyhightower/envconfig v1.4.0
 	github.com/milosgajdos/tenus v0.0.3
+	github.com/pkg/errors v0.9.1
 	github.com/sirupsen/logrus v1.7.0
 	github.com/skip2/go-qrcode v0.0.0-20200617195104-da1b6568686e
 	github.com/tatsushid/go-fastping v0.0.0-20160109021039-d7bb493dee3e
 	github.com/toorop/gin-logrus v0.0.0-20200831135515-d2ee50d38dae
+	golang.org/x/crypto v0.0.0-20200604202706-70a84ac30bf9
 	golang.zx2c4.com/wireguard/wgctrl v0.0.0-20200609130330-bd2cb7843e1b
 	gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c
+	gorm.io/driver/mysql v1.0.4
 	gorm.io/driver/sqlite v1.1.3
-	gorm.io/gorm v1.20.5
+	gorm.io/gorm v1.20.12
 )
diff --git a/internal/authentication/provider.go b/internal/authentication/provider.go
new file mode 100644
index 0000000..b8420c4
--- /dev/null
+++ b/internal/authentication/provider.go
@@ -0,0 +1,31 @@
+package authentication
+
+import (
+	"github.com/gin-gonic/gin"
+)
+
+type AuthContext struct {
+	Provider AuthProvider
+	Username string // email or username
+	Password string // optional for OIDC
+	Callback string // callback for OIDC
+}
+
+type AuthProviderType string
+
+const (
+	AuthProviderTypePassword AuthProviderType = "password"
+	AuthProviderTypeOauth    AuthProviderType = "oauth"
+)
+
+type AuthProvider interface {
+	GetName() string
+	GetType() AuthProviderType
+	GetPriority() int // lower number = higher priority
+
+	Login(*AuthContext) (string, error)
+	Logout(*AuthContext) error
+	GetUserModel(*AuthContext) (*User, error)
+
+	SetupRoutes(routes *gin.RouterGroup)
+}
diff --git a/internal/authentication/providers/ldap/provider.go b/internal/authentication/providers/ldap/provider.go
new file mode 100644
index 0000000..9fa6e83
--- /dev/null
+++ b/internal/authentication/providers/ldap/provider.go
@@ -0,0 +1,203 @@
+package ldap
+
+import (
+	"crypto/tls"
+	"fmt"
+	"strings"
+
+	"github.com/gin-gonic/gin"
+	"github.com/go-ldap/ldap/v3"
+	"github.com/h44z/wg-portal/internal/authentication"
+	ldapconfig "github.com/h44z/wg-portal/internal/ldap"
+	"github.com/h44z/wg-portal/internal/users"
+	"github.com/pkg/errors"
+)
+
+// Provider provide login with password method
+type Provider struct {
+	config *ldapconfig.Config
+}
+
+func New(cfg *ldapconfig.Config) (*Provider, error) {
+	p := &Provider{
+		config: cfg,
+	}
+
+	// test ldap connectivity
+	client, err := p.open()
+	if err != nil {
+		return nil, errors.Wrap(err, "unable to open ldap connection")
+	}
+	defer p.close(client)
+
+	return p, nil
+}
+
+// GetName return provider name
+func (Provider) GetName() string {
+	return string(users.UserSourceLdap)
+}
+
+// GetType return provider type
+func (Provider) GetType() authentication.AuthProviderType {
+	return authentication.AuthProviderTypePassword
+}
+
+// GetPriority return provider priority
+func (Provider) GetPriority() int {
+	return 1 // LDAP password provider
+}
+
+func (provider Provider) SetupRoutes(routes *gin.RouterGroup) {
+	// nothing todo here
+}
+
+func (provider Provider) Login(ctx *authentication.AuthContext) (string, error) {
+	username := strings.ToLower(ctx.Username)
+	password := ctx.Password
+
+	// Validate input
+	if strings.Trim(username, " ") == "" || strings.Trim(password, " ") == "" {
+		return "", errors.New("empty username or password")
+	}
+
+	client, err := provider.open()
+	if err != nil {
+		return "", errors.Wrap(err, "unable to open ldap connection")
+	}
+	defer provider.close(client)
+
+	// Search for the given username
+	attrs := []string{"dn", provider.config.EmailAttribute}
+	if provider.config.DisabledAttribute != "" {
+		attrs = append(attrs, provider.config.DisabledAttribute)
+	}
+	searchRequest := ldap.NewSearchRequest(
+		provider.config.BaseDN,
+		ldap.ScopeWholeSubtree, ldap.NeverDerefAliases, 0, 0, false,
+		fmt.Sprintf("(&(objectClass=%s)(%s=%s))", provider.config.UserClass, provider.config.EmailAttribute, username),
+		attrs,
+		nil,
+	)
+
+	sr, err := client.Search(searchRequest)
+	if err != nil {
+		return "", errors.Wrap(err, "unable to find user in ldap")
+	}
+
+	if len(sr.Entries) != 1 {
+		return "", errors.Wrapf(err, "invalid amount of ldap entries (%d)", len(sr.Entries))
+	}
+
+	userDN := sr.Entries[0].DN
+
+	// Check if user is disabled, if so deny login
+	if provider.config.DisabledAttribute != "" {
+		uac := sr.Entries[0].GetAttributeValue(provider.config.DisabledAttribute)
+		switch provider.config.Type {
+		case ldapconfig.TypeActiveDirectory:
+			if ldapconfig.IsActiveDirectoryUserDisabled(uac) {
+				return "", errors.Wrapf(err, "user is disabled")
+			}
+		case ldapconfig.TypeOpenLDAP:
+			if ldapconfig.IsOpenLdapUserDisabled(uac) {
+				return "", errors.Wrapf(err, "user is disabled")
+			}
+		}
+	}
+
+	// Bind as the user to verify their password
+	err = client.Bind(userDN, password)
+	if err != nil {
+		return "", errors.Wrapf(err, "invalid credentials")
+	}
+
+	return sr.Entries[0].GetAttributeValue(provider.config.EmailAttribute), nil
+}
+
+func (provider Provider) Logout(context *authentication.AuthContext) error {
+	return nil // nothing todo here
+}
+
+func (provider Provider) GetUserModel(ctx *authentication.AuthContext) (*authentication.User, error) {
+	username := strings.ToLower(ctx.Username)
+
+	// Validate input
+	if strings.Trim(username, " ") == "" {
+		return nil, errors.New("empty username")
+	}
+
+	client, err := provider.open()
+	if err != nil {
+		return nil, errors.Wrap(err, "unable to open ldap connection")
+	}
+	defer provider.close(client)
+
+	// Search for the given username
+	attrs := []string{"dn", provider.config.EmailAttribute, provider.config.FirstNameAttribute, provider.config.LastNameAttribute,
+		provider.config.PhoneAttribute, provider.config.GroupMemberAttribute}
+	if provider.config.DisabledAttribute != "" {
+		attrs = append(attrs, provider.config.DisabledAttribute)
+	}
+	searchRequest := ldap.NewSearchRequest(
+		provider.config.BaseDN,
+		ldap.ScopeWholeSubtree, ldap.NeverDerefAliases, 0, 0, false,
+		fmt.Sprintf("(&(objectClass=%s)(%s=%s))", provider.config.UserClass, provider.config.EmailAttribute, username),
+		attrs,
+		nil,
+	)
+
+	sr, err := client.Search(searchRequest)
+	if err != nil {
+		return nil, errors.Wrap(err, "unable to find user in ldap")
+	}
+
+	if len(sr.Entries) != 1 {
+		return nil, errors.Wrapf(err, "invalid amount of ldap entries (%d)", len(sr.Entries))
+	}
+
+	user := &authentication.User{
+		Firstname: sr.Entries[0].GetAttributeValue(provider.config.FirstNameAttribute),
+		Lastname:  sr.Entries[0].GetAttributeValue(provider.config.LastNameAttribute),
+		Email:     sr.Entries[0].GetAttributeValue(provider.config.EmailAttribute),
+		Phone:     sr.Entries[0].GetAttributeValue(provider.config.PhoneAttribute),
+		IsAdmin:   false,
+	}
+
+	for _, group := range sr.Entries[0].GetAttributeValues(provider.config.GroupMemberAttribute) {
+		if group == provider.config.AdminLdapGroup {
+			user.IsAdmin = true
+			break
+		}
+	}
+
+	return user, nil
+}
+
+func (provider Provider) open() (*ldap.Conn, error) {
+	conn, err := ldap.DialURL(provider.config.URL)
+	if err != nil {
+		return nil, err
+	}
+
+	if provider.config.StartTLS {
+		// Reconnect with TLS
+		err = conn.StartTLS(&tls.Config{InsecureSkipVerify: true})
+		if err != nil {
+			return nil, err
+		}
+	}
+
+	err = conn.Bind(provider.config.BindUser, provider.config.BindPass)
+	if err != nil {
+		return nil, err
+	}
+
+	return conn, nil
+}
+
+func (provider Provider) close(conn *ldap.Conn) {
+	if conn != nil {
+		conn.Close()
+	}
+}
diff --git a/internal/authentication/providers/password/provider.go b/internal/authentication/providers/password/provider.go
new file mode 100644
index 0000000..4a6d95d
--- /dev/null
+++ b/internal/authentication/providers/password/provider.go
@@ -0,0 +1,186 @@
+package password
+
+import (
+	"fmt"
+	"math/rand"
+	"strings"
+	"time"
+
+	"github.com/gin-gonic/gin"
+	"github.com/h44z/wg-portal/internal/authentication"
+	"github.com/h44z/wg-portal/internal/users"
+	"github.com/pkg/errors"
+	"golang.org/x/crypto/bcrypt"
+	"gorm.io/gorm"
+)
+
+// Provider provide login with password method
+type Provider struct {
+	db *gorm.DB
+}
+
+func New(cfg *users.Config) (*Provider, error) {
+	p := &Provider{}
+
+	var err error
+	p.db, err = users.GetDatabaseForConfig(cfg)
+	if err != nil {
+		return nil, errors.Wrapf(err, "failed to setup authentication database %s", cfg.Database)
+	}
+
+	return p, nil
+}
+
+// GetName return provider name
+func (Provider) GetName() string {
+	return string(users.UserSourceDatabase)
+}
+
+// GetType return provider type
+func (Provider) GetType() authentication.AuthProviderType {
+	return authentication.AuthProviderTypePassword
+}
+
+// GetPriority return provider priority
+func (Provider) GetPriority() int {
+	return 0 // DB password provider = highest prio
+}
+
+func (provider Provider) SetupRoutes(routes *gin.RouterGroup) {
+	// nothing todo here
+}
+
+func (provider Provider) Login(ctx *authentication.AuthContext) (string, error) {
+	username := strings.ToLower(ctx.Username)
+	password := ctx.Password
+
+	// Validate input
+	if strings.Trim(username, " ") == "" || strings.Trim(password, " ") == "" {
+		return "", errors.New("empty username or password")
+	}
+
+	// Authenticate agains the users database
+	user := users.User{}
+	provider.db.Where("email = ?", username).First(&user)
+
+	if user.Email == "" {
+		return "", errors.New("invalid username")
+	}
+
+	// Compare the stored hashed password, with the hashed version of the password that was received
+	if err := bcrypt.CompareHashAndPassword([]byte(user.Password), []byte(password)); err != nil {
+		return "", errors.New("invalid password")
+	}
+
+	return user.Email, nil
+}
+
+func (provider Provider) Logout(context *authentication.AuthContext) error {
+	return nil // nothing todo here
+}
+
+func (provider Provider) GetUserModel(ctx *authentication.AuthContext) (*authentication.User, error) {
+	username := strings.ToLower(ctx.Username)
+
+	// Validate input
+	if strings.Trim(username, " ") == "" {
+		return nil, errors.New("empty username")
+	}
+
+	// Fetch usermodel from users database
+	user := users.User{}
+	provider.db.Where("email = ?", username).First(&user)
+	if user.Email != username {
+		return nil, errors.New("invalid or disabled username")
+	}
+
+	return &authentication.User{
+		Email:     user.Email,
+		IsAdmin:   user.IsAdmin,
+		Firstname: user.Firstname,
+		Lastname:  user.Lastname,
+		Phone:     user.Phone,
+	}, nil
+}
+
+func (provider Provider) InitializeAdmin(email, password string) error {
+	admin := users.User{}
+	provider.db.Unscoped().Where("email = ?", email).FirstOrInit(&admin)
+
+	// newly created admin
+	if admin.Email != email {
+		// For security reasons a random admin password will be generated if the default one is still in use!
+		if password == "wgportal" {
+			password = generateRandomPassword()
+
+			fmt.Println("#############################################")
+			fmt.Println("Administrator credentials:")
+			fmt.Println("  Email:    ", email)
+			fmt.Println("  Password: ", password)
+			fmt.Println()
+			fmt.Println("This information will only be displayed once!")
+			fmt.Println("#############################################")
+		}
+		hashedPassword, err := bcrypt.GenerateFromPassword([]byte(password), bcrypt.DefaultCost)
+		if err != nil {
+			return errors.Wrap(err, "failed to hash admin password")
+		}
+
+		admin.Email = email
+		admin.Password = string(hashedPassword)
+		admin.Firstname = "WireGuard"
+		admin.Lastname = "Administrator"
+		admin.CreatedAt = time.Now()
+		admin.UpdatedAt = time.Now()
+		admin.IsAdmin = true
+		admin.Source = users.UserSourceDatabase
+
+		res := provider.db.Create(admin)
+		if res.Error != nil {
+			return errors.Wrapf(res.Error, "failed to create admin %s", admin.Email)
+		}
+	}
+
+	// update/reactivate
+	if !admin.IsAdmin || admin.DeletedAt.Valid {
+		// For security reasons a random admin password will be generated if the default one is still in use!
+		if password == "wgportal" {
+			password = generateRandomPassword()
+
+			fmt.Println("#############################################")
+			fmt.Println("Administrator credentials:")
+			fmt.Println("  Email:    ", email)
+			fmt.Println("  Password: ", password)
+			fmt.Println()
+			fmt.Println("This information will only be displayed once!")
+			fmt.Println("#############################################")
+		}
+
+		hashedPassword, err := bcrypt.GenerateFromPassword([]byte(password), bcrypt.DefaultCost)
+		if err != nil {
+			return errors.Wrap(err, "failed to hash admin password")
+		}
+
+		admin.Password = string(hashedPassword)
+		admin.IsAdmin = true
+		admin.UpdatedAt = time.Now()
+
+		res := provider.db.Save(admin)
+		if res.Error != nil {
+			return errors.Wrapf(res.Error, "failed to update admin %s", admin.Email)
+		}
+	}
+
+	return nil
+}
+
+func generateRandomPassword() string {
+	rand.Seed(time.Now().Unix())
+	var randPassword strings.Builder
+	charSet := "abcdedfghijklmnopqrstABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789!#$"
+	for i := 0; i < 12; i++ {
+		random := rand.Intn(len(charSet))
+		randPassword.WriteString(string(charSet[random]))
+	}
+	return randPassword.String()
+}
diff --git a/internal/authentication/user.go b/internal/authentication/user.go
new file mode 100644
index 0000000..e4b0af4
--- /dev/null
+++ b/internal/authentication/user.go
@@ -0,0 +1,11 @@
+package authentication
+
+type User struct {
+	Email   string
+	IsAdmin bool
+
+	// optional fields
+	Firstname string
+	Lastname  string
+	Phone     string
+}
diff --git a/internal/common/configuration.go b/internal/common/configuration.go
index dfccd26..8e8a1cf 100644
--- a/internal/common/configuration.go
+++ b/internal/common/configuration.go
@@ -7,6 +7,7 @@ import (
 	"runtime"
 
 	"github.com/h44z/wg-portal/internal/ldap"
+	"github.com/h44z/wg-portal/internal/users"
 	"github.com/h44z/wg-portal/internal/wireguard"
 	"github.com/kelseyhightower/envconfig"
 	"github.com/sirupsen/logrus"
@@ -54,22 +55,21 @@ func loadConfigEnv(cfg interface{}) error {
 
 type Config struct {
 	Core struct {
-		ListeningAddress       string `yaml:"listeningAddress" envconfig:"LISTENING_ADDRESS"`
-		ExternalUrl            string `yaml:"externalUrl" envconfig:"EXTERNAL_URL"`
-		Title                  string `yaml:"title" envconfig:"WEBSITE_TITLE"`
-		CompanyName            string `yaml:"company" envconfig:"COMPANY_NAME"`
-		MailFrom               string `yaml:"mailfrom" envconfig:"MAIL_FROM"`
-		AdminUser              string `yaml:"adminUser" envconfig:"ADMIN_USER"` // optional, non LDAP admin user
-		AdminPassword          string `yaml:"adminPass" envconfig:"ADMIN_PASS"`
-		DatabasePath           string `yaml:"database" envconfig:"DATABASE_PATH"`
-		EditableKeys           bool   `yaml:"editableKeys" envconfig:"EDITABLE_KEYS"`
-		CreateInterfaceOnLogin bool   `yaml:"createOnLogin" envconfig:"CREATE_INTERFACE_ON_LOGIN"`
-		SyncLdapStatus         bool   `yaml:"syncLdapStatus" envconfig:"SYNC_LDAP_STATUS"` // disable account if disabled in ldap
+		ListeningAddress  string `yaml:"listeningAddress" envconfig:"LISTENING_ADDRESS"`
+		ExternalUrl       string `yaml:"externalUrl" envconfig:"EXTERNAL_URL"`
+		Title             string `yaml:"title" envconfig:"WEBSITE_TITLE"`
+		CompanyName       string `yaml:"company" envconfig:"COMPANY_NAME"`
+		MailFrom          string `yaml:"mailFrom" envconfig:"MAIL_FROM"`
+		AdminUser         string `yaml:"adminUser" envconfig:"ADMIN_USER"`
+		AdminPassword     string `yaml:"adminPass" envconfig:"ADMIN_PASS"`
+		EditableKeys      bool   `yaml:"editableKeys" envconfig:"EDITABLE_KEYS"`
+		CreateDefaultPeer bool   `yaml:"createDefaultPeer" envconfig:"CREATE_DEFAULT_PEER"`
+		LdapEnabled       bool   `yaml:"ldapEnabled" envconfig:"LDAP_ENABLED"`
 	} `yaml:"core"`
-	Email          MailConfig       `yaml:"email"`
-	LDAP           ldap.Config      `yaml:"ldap"`
-	WG             wireguard.Config `yaml:"wg"`
-	AdminLdapGroup string           `yaml:"adminLdapGroup" envconfig:"ADMIN_LDAP_GROUP"`
+	Database users.Config     `yaml:"database"`
+	Email    MailConfig       `yaml:"email"`
+	LDAP     ldap.Config      `yaml:"ldap"`
+	WG       wireguard.Config `yaml:"wg"`
 }
 
 func NewConfig() *Config {
@@ -81,18 +81,31 @@ func NewConfig() *Config {
 	cfg.Core.CompanyName = "WireGuard Portal"
 	cfg.Core.ExternalUrl = "http://localhost:8123"
 	cfg.Core.MailFrom = "WireGuard VPN <noreply@company.com>"
-	cfg.Core.AdminUser = "" // non-ldap admin access is disabled by default
-	cfg.Core.AdminPassword = ""
-	cfg.Core.DatabasePath = "data/wg_portal.db"
+	cfg.Core.AdminUser = "admin@wgportal.local"
+	cfg.Core.AdminPassword = "wgportal"
+	cfg.Core.LdapEnabled = false
+
+	cfg.Database.Typ = "sqlite"
+	cfg.Database.Database = "data/wg_portal.db"
+
 	cfg.LDAP.URL = "ldap://srv-ad01.company.local:389"
 	cfg.LDAP.BaseDN = "DC=COMPANY,DC=LOCAL"
 	cfg.LDAP.StartTLS = true
 	cfg.LDAP.BindUser = "company\\\\ldap_wireguard"
 	cfg.LDAP.BindPass = "SuperSecret"
+	cfg.LDAP.Type = "AD"
+	cfg.LDAP.UserClass = "organizationalPerson"
+	cfg.LDAP.EmailAttribute = "mail"
+	cfg.LDAP.FirstNameAttribute = "givenName"
+	cfg.LDAP.LastNameAttribute = "sn"
+	cfg.LDAP.PhoneAttribute = "telephoneNumber"
+	cfg.LDAP.GroupMemberAttribute = "memberOf"
+	cfg.LDAP.DisabledAttribute = "userAccountControl"
+	cfg.LDAP.AdminLdapGroup = "CN=WireGuardAdmins,OU=_O_IT,DC=COMPANY,DC=LOCAL"
+
 	cfg.WG.DeviceName = "wg0"
 	cfg.WG.WireGuardConfig = "/etc/wireguard/wg0.conf"
 	cfg.WG.ManageIPAddresses = true
-	cfg.AdminLdapGroup = "CN=WireGuardAdmins,OU=_O_IT,DC=COMPANY,DC=LOCAL"
 	cfg.Email.Host = "127.0.0.1"
 	cfg.Email.Port = 25
 
diff --git a/internal/ldap/authentication.go b/internal/ldap/authentication.go
deleted file mode 100644
index d2952ed..0000000
--- a/internal/ldap/authentication.go
+++ /dev/null
@@ -1,94 +0,0 @@
-package ldap
-
-import (
-	"crypto/tls"
-	"fmt"
-
-	"github.com/go-ldap/ldap/v3"
-)
-
-type Authentication struct {
-	Cfg *Config
-}
-
-func NewAuthentication(config Config) Authentication {
-	a := Authentication{
-		Cfg: &config,
-	}
-
-	return a
-}
-
-func (a Authentication) open() (*ldap.Conn, error) {
-	conn, err := ldap.DialURL(a.Cfg.URL)
-	if err != nil {
-		return nil, err
-	}
-
-	if a.Cfg.StartTLS {
-		// Reconnect with TLS
-		err = conn.StartTLS(&tls.Config{InsecureSkipVerify: true})
-		if err != nil {
-			return nil, err
-		}
-	}
-
-	err = conn.Bind(a.Cfg.BindUser, a.Cfg.BindPass)
-	if err != nil {
-		return nil, err
-	}
-
-	return conn, nil
-}
-
-func (a Authentication) close(conn *ldap.Conn) {
-	if conn != nil {
-		conn.Close()
-	}
-}
-
-func (a Authentication) CheckLogin(username, password string) bool {
-	return a.CheckCustomLogin("sAMAccountName", username, password)
-}
-
-func (a Authentication) CheckCustomLogin(userIdentifier, username, password string) bool {
-	client, err := a.open()
-	if err != nil {
-		return false
-	}
-	defer a.close(client)
-
-	// Search for the given username
-	searchRequest := ldap.NewSearchRequest(
-		a.Cfg.BaseDN,
-		ldap.ScopeWholeSubtree, ldap.NeverDerefAliases, 0, 0, false,
-		fmt.Sprintf("(&(objectClass=organizationalPerson)(%s=%s))", userIdentifier, username),
-		[]string{"dn", "userAccountControl"},
-		nil,
-	)
-
-	sr, err := client.Search(searchRequest)
-	if err != nil {
-		return false
-	}
-
-	if len(sr.Entries) != 1 {
-		return false
-	}
-
-	userDN := sr.Entries[0].DN
-
-	// Check if user is disabled, if so deny login
-	uac := sr.Entries[0].GetAttributeValue("userAccountControl")
-	if uac != "" && IsLdapUserDisabled(uac) {
-		return false
-	}
-
-	// Bind as the user to verify their password
-	err = client.Bind(userDN, password)
-	if err != nil {
-		return false
-	}
-
-	return true
-}
diff --git a/internal/ldap/config.go b/internal/ldap/config.go
new file mode 100644
index 0000000..bb31b20
--- /dev/null
+++ b/internal/ldap/config.go
@@ -0,0 +1,27 @@
+package ldap
+
+type Type string
+
+const (
+	TypeActiveDirectory Type = "AD"
+	TypeOpenLDAP        Type = "OpenLDAP"
+)
+
+type Config struct {
+	URL      string `yaml:"url" envconfig:"LDAP_URL"`
+	StartTLS bool   `yaml:"startTLS" envconfig:"LDAP_STARTTLS"`
+	BaseDN   string `yaml:"dn" envconfig:"LDAP_BASEDN"`
+	BindUser string `yaml:"user" envconfig:"LDAP_USER"`
+	BindPass string `yaml:"pass" envconfig:"LDAP_PASSWORD"`
+
+	Type                 Type   `yaml:"typ" envconfig:"LDAP_TYPE"` // AD for active directory, OpenLDAP for OpenLDAP
+	UserClass            string `yaml:"userClass" envconfig:"LDAP_USER_CLASS"`
+	EmailAttribute       string `yaml:"attrEmail" envconfig:"LDAP_ATTR_EMAIL"`
+	FirstNameAttribute   string `yaml:"attrFirstname" envconfig:"LDAP_ATTR_FIRSTNAME"`
+	LastNameAttribute    string `yaml:"attrLastname" envconfig:"LDAP_ATTR_LASTNAME"`
+	PhoneAttribute       string `yaml:"attrPhone" envconfig:"LDAP_ATTR_PHONE"`
+	GroupMemberAttribute string `yaml:"attrGroups" envconfig:"LDAP_ATTR_GROUPS"`
+	DisabledAttribute    string `yaml:"attrDisabled" envconfig:"LDAP_ATTR_DISABLED"`
+
+	AdminLdapGroup string `yaml:"adminGroup" envconfig:"LDAP_ADMIN_GROUP"`
+}
diff --git a/internal/ldap/ldap.go b/internal/ldap/ldap.go
index a8d3f3d..f6f038c 100644
--- a/internal/ldap/ldap.go
+++ b/internal/ldap/ldap.go
@@ -1,9 +1,112 @@
 package ldap
 
-type Config struct {
-	URL      string `yaml:"url" envconfig:"LDAP_URL"`
-	StartTLS bool   `yaml:"startTLS" envconfig:"LDAP_STARTTLS"`
-	BaseDN   string `yaml:"dn" envconfig:"LDAP_BASEDN"`
-	BindUser string `yaml:"user" envconfig:"LDAP_USER"`
-	BindPass string `yaml:"pass" envconfig:"LDAP_PASSWORD"`
+import (
+	"crypto/tls"
+	"fmt"
+	"strconv"
+
+	"github.com/go-ldap/ldap/v3"
+	"github.com/pkg/errors"
+)
+
+type RawLdapData struct {
+	DN            string
+	Attributes    map[string]string
+	RawAttributes map[string][][]byte
+}
+
+func Open(cfg *Config) (*ldap.Conn, error) {
+	conn, err := ldap.DialURL(cfg.URL)
+	if err != nil {
+		return nil, err
+	}
+
+	if cfg.StartTLS {
+		// Reconnect with TLS
+		err = conn.StartTLS(&tls.Config{InsecureSkipVerify: true})
+		if err != nil {
+			return nil, err
+		}
+	}
+
+	err = conn.Bind(cfg.BindUser, cfg.BindPass)
+	if err != nil {
+		return nil, err
+	}
+
+	return conn, nil
+}
+
+func Close(conn *ldap.Conn) {
+	if conn != nil {
+		conn.Close()
+	}
+}
+
+func FindAllUsers(cfg *Config) ([]RawLdapData, error) {
+	client, err := Open(cfg)
+	if err != nil {
+		return nil, errors.WithMessage(err, "failed to open ldap connection")
+	}
+	defer Close(client)
+
+	// Search all users
+	attrs := []string{"dn", cfg.EmailAttribute, cfg.EmailAttribute, cfg.FirstNameAttribute, cfg.LastNameAttribute,
+		cfg.PhoneAttribute, cfg.GroupMemberAttribute}
+	if cfg.DisabledAttribute != "" {
+		attrs = append(attrs, cfg.DisabledAttribute)
+	}
+	searchRequest := ldap.NewSearchRequest(
+		cfg.BaseDN,
+		ldap.ScopeWholeSubtree, ldap.NeverDerefAliases, 0, 0, false,
+		fmt.Sprintf("(objectClass=%s)", cfg.UserClass), attrs, nil,
+	)
+
+	sr, err := client.Search(searchRequest)
+	if err != nil {
+		return nil, errors.Wrapf(err, "failed to search in ldap")
+	}
+
+	tmpData := make([]RawLdapData, 0, len(sr.Entries))
+
+	for _, entry := range sr.Entries {
+		tmp := RawLdapData{
+			DN:            entry.DN,
+			Attributes:    make(map[string]string, len(attrs)),
+			RawAttributes: make(map[string][][]byte, len(attrs)),
+		}
+
+		for _, field := range attrs {
+			tmp.Attributes[field] = entry.GetAttributeValue(field)
+			tmp.RawAttributes[field] = entry.GetRawAttributeValues(field)
+		}
+
+		tmpData = append(tmpData, tmp)
+	}
+
+	return tmpData, nil
+}
+
+func IsActiveDirectoryUserDisabled(userAccountControl string) bool {
+	if userAccountControl == "" {
+		return false
+	}
+
+	uacInt, err := strconv.Atoi(userAccountControl)
+	if err != nil {
+		return true
+	}
+	if int32(uacInt)&0x2 != 0 {
+		return true // bit 2 set means account is disabled
+	}
+
+	return false
+}
+
+func IsOpenLdapUserDisabled(pwdAccountLockedTime string) bool {
+	if pwdAccountLockedTime != "" {
+		return true
+	}
+
+	return false
 }
diff --git a/internal/ldap/usercache.go b/internal/ldap/usercache.go
deleted file mode 100644
index e41be8e..0000000
--- a/internal/ldap/usercache.go
+++ /dev/null
@@ -1,338 +0,0 @@
-package ldap
-
-import (
-	"crypto/md5"
-	"crypto/tls"
-	"fmt"
-	"sort"
-	"strconv"
-	"strings"
-	"sync"
-	"time"
-
-	"github.com/go-ldap/ldap/v3"
-	"github.com/sirupsen/logrus"
-)
-
-var Fields = []string{"givenName", "sn", "mail", "department", "memberOf", "sAMAccountName", "telephoneNumber",
-	"mobile", "displayName", "cn", "title", "company", "manager", "streetAddress", "employeeID", "memberOf", "l",
-	"st", "postalCode", "co", "facsimileTelephoneNumber", "pager", "thumbnailPhoto", "otherMobile",
-	"extensionAttribute2", "distinguishedName", "userAccountControl"}
-
-// --------------------------------------------------------------------------------------------------------------------
-// Cache Data Store
-// --------------------------------------------------------------------------------------------------------------------
-
-type UserCacheHolder interface {
-	Clear()
-	SetAllUsers(users []RawLdapData)
-	GetUser(dn string) *RawLdapData
-	GetUsers() []*RawLdapData
-}
-
-type RawLdapData struct {
-	DN            string
-	Attributes    map[string]string
-	RawAttributes map[string][][]byte
-}
-
-// --------------------------------------------------------------------------------------------------------------------
-// Sample Cache Data store
-// --------------------------------------------------------------------------------------------------------------------
-
-type UserCacheHolderEntry struct {
-	RawLdapData
-	Username  string
-	Mail      string
-	Firstname string
-	Lastname  string
-	Groups    []string
-}
-
-func (e *UserCacheHolderEntry) CalcFieldsFromAttributes() {
-	e.Username = strings.ToLower(e.Attributes["sAMAccountName"])
-	e.Mail = e.Attributes["mail"]
-	e.Firstname = e.Attributes["givenName"]
-	e.Lastname = e.Attributes["sn"]
-	e.Groups = make([]string, len(e.RawAttributes["memberOf"]))
-	for i, group := range e.RawAttributes["memberOf"] {
-		e.Groups[i] = string(group)
-	}
-}
-
-func (e *UserCacheHolderEntry) GetUID() string {
-	return fmt.Sprintf("u%x", md5.Sum([]byte(e.Attributes["distinguishedName"])))
-}
-
-type SynchronizedUserCacheHolder struct {
-	users map[string]*UserCacheHolderEntry
-	mux   sync.RWMutex
-}
-
-func (h *SynchronizedUserCacheHolder) Init() {
-	h.users = make(map[string]*UserCacheHolderEntry)
-}
-
-func (h *SynchronizedUserCacheHolder) Clear() {
-	h.mux.Lock()
-	defer h.mux.Unlock()
-
-	h.users = make(map[string]*UserCacheHolderEntry)
-}
-
-func (h *SynchronizedUserCacheHolder) SetAllUsers(users []RawLdapData) {
-	h.mux.Lock()
-	defer h.mux.Unlock()
-
-	h.users = make(map[string]*UserCacheHolderEntry)
-
-	for i := range users {
-		h.users[users[i].DN] = &UserCacheHolderEntry{RawLdapData: users[i]}
-		h.users[users[i].DN].CalcFieldsFromAttributes()
-	}
-}
-
-func (h *SynchronizedUserCacheHolder) GetUser(dn string) *RawLdapData {
-	h.mux.RLock()
-	defer h.mux.RUnlock()
-
-	return &h.users[dn].RawLdapData
-}
-
-func (h *SynchronizedUserCacheHolder) GetUserData(dn string) *UserCacheHolderEntry {
-	h.mux.RLock()
-	defer h.mux.RUnlock()
-
-	return h.users[dn]
-}
-
-func (h *SynchronizedUserCacheHolder) GetUsers() []*RawLdapData {
-	h.mux.RLock()
-	defer h.mux.RUnlock()
-
-	users := make([]*RawLdapData, 0, len(h.users))
-	for _, user := range h.users {
-		users = append(users, &user.RawLdapData)
-	}
-
-	return users
-}
-
-func (h *SynchronizedUserCacheHolder) GetSortedUsers(sortKey string, sortDirection string) []*UserCacheHolderEntry {
-	h.mux.RLock()
-	defer h.mux.RUnlock()
-
-	sortedUsers := make([]*UserCacheHolderEntry, 0, len(h.users))
-
-	for _, user := range h.users {
-		sortedUsers = append(sortedUsers, user)
-	}
-
-	sort.Slice(sortedUsers, func(i, j int) bool {
-		if sortDirection == "asc" {
-			return sortedUsers[i].Attributes[sortKey] < sortedUsers[j].Attributes[sortKey]
-		} else {
-			return sortedUsers[i].Attributes[sortKey] > sortedUsers[j].Attributes[sortKey]
-		}
-
-	})
-
-	return sortedUsers
-
-}
-
-func (h *SynchronizedUserCacheHolder) IsInGroup(username, gid string) bool {
-	userDN := h.GetUserDN(username)
-	if userDN == "" {
-		return false // user not found -> not in group
-	}
-
-	user := h.GetUserData(userDN)
-	if user == nil {
-		return false
-	}
-
-	for _, group := range user.Groups {
-		if group == gid {
-			return true
-		}
-	}
-
-	return false
-}
-
-func (h *SynchronizedUserCacheHolder) UserExists(username string) bool {
-	userDN := h.GetUserDN(username)
-	if userDN == "" {
-		return false // user not found
-	}
-
-	return true
-}
-
-func (h *SynchronizedUserCacheHolder) GetUserDN(username string) string {
-	userDN := ""
-	for dn, user := range h.users {
-		accName := strings.ToLower(user.Attributes["sAMAccountName"])
-		if accName == username {
-			userDN = dn
-			break
-		}
-	}
-
-	return userDN
-}
-
-func (h *SynchronizedUserCacheHolder) GetUserDNByMail(mail string) string {
-	userDN := ""
-	for dn, user := range h.users {
-		accMail := strings.ToLower(user.Attributes["mail"])
-		if accMail == mail {
-			userDN = dn
-			break
-		}
-	}
-
-	return userDN
-}
-
-// --------------------------------------------------------------------------------------------------------------------
-// Cache Handler, LDAP interaction
-// --------------------------------------------------------------------------------------------------------------------
-
-type UserCache struct {
-	Cfg       *Config
-	LastError error
-	UpdatedAt time.Time
-	userData  UserCacheHolder
-}
-
-func NewUserCache(config Config, store UserCacheHolder) *UserCache {
-	uc := &UserCache{
-		Cfg:       &config,
-		UpdatedAt: time.Now(),
-		userData:  store,
-	}
-
-	logrus.Infof("Filling user cache...")
-	err := uc.Update(true, true)
-	logrus.Infof("User cache filled!")
-	uc.LastError = err
-
-	return uc
-}
-
-func (u UserCache) open() (*ldap.Conn, error) {
-	conn, err := ldap.DialURL(u.Cfg.URL)
-	if err != nil {
-		return nil, err
-	}
-
-	if u.Cfg.StartTLS {
-		// Reconnect with TLS
-		err = conn.StartTLS(&tls.Config{InsecureSkipVerify: true})
-		if err != nil {
-			return nil, err
-		}
-	}
-
-	err = conn.Bind(u.Cfg.BindUser, u.Cfg.BindPass)
-	if err != nil {
-		return nil, err
-	}
-
-	return conn, nil
-}
-
-func (u UserCache) close(conn *ldap.Conn) {
-	if conn != nil {
-		conn.Close()
-	}
-}
-
-// Update updates the user cache in background, minimal locking will happen
-func (u *UserCache) Update(filter, withDisabledUsers bool) error {
-	logrus.Debugf("Updating ldap cache...")
-	client, err := u.open()
-	if err != nil {
-		u.LastError = err
-		return err
-	}
-	defer u.close(client)
-
-	// Search for the given username
-	searchRequest := ldap.NewSearchRequest(
-		u.Cfg.BaseDN,
-		ldap.ScopeWholeSubtree, ldap.NeverDerefAliases, 0, 0, false,
-		"(objectClass=organizationalPerson)",
-		Fields,
-		nil,
-	)
-
-	sr, err := client.Search(searchRequest)
-	if err != nil {
-		u.LastError = err
-		return err
-	}
-
-	tmpData := make([]RawLdapData, 0, len(sr.Entries))
-
-	for _, entry := range sr.Entries {
-		if filter {
-			usernameAttr := strings.ToLower(entry.GetAttributeValue("sAMAccountName"))
-			firstNameAttr := entry.GetAttributeValue("givenName")
-			lastNameAttr := entry.GetAttributeValue("sn")
-			mailAttr := entry.GetAttributeValue("mail")
-			userAccountControl := entry.GetAttributeValue("userAccountControl")
-			employeeID := entry.GetAttributeValue("employeeID")
-			dn := entry.GetAttributeValue("distinguishedName")
-
-			if usernameAttr == "" || firstNameAttr == "" || lastNameAttr == "" || mailAttr == "" || employeeID == "" {
-				continue // prefilter...
-			}
-
-			if !withDisabledUsers && userAccountControl != "" && IsLdapUserDisabled(userAccountControl) {
-				continue
-			}
-
-			if entry.DN != dn {
-				logrus.Errorf("LDAP inconsistent: '%s' != '%s'", entry.DN, dn)
-				continue
-			}
-		}
-
-		tmp := RawLdapData{
-			DN:            entry.DN,
-			Attributes:    make(map[string]string, len(Fields)),
-			RawAttributes: make(map[string][][]byte, len(Fields)),
-		}
-
-		for _, field := range Fields {
-			tmp.Attributes[field] = entry.GetAttributeValue(field)
-			tmp.RawAttributes[field] = entry.GetRawAttributeValues(field)
-		}
-
-		tmpData = append(tmpData, tmp)
-	}
-
-	// Copy to userdata
-	u.userData.SetAllUsers(tmpData)
-	u.UpdatedAt = time.Now()
-	u.LastError = nil
-
-	logrus.Debug("Ldap cache updated...")
-
-	return nil
-}
-
-func IsLdapUserDisabled(userAccountControl string) bool {
-	uacInt, err := strconv.Atoi(userAccountControl)
-	if err != nil {
-		return true
-	}
-	if int32(uacInt)&0x2 != 0 {
-		return true // bit 2 set means account is disabled
-	}
-
-	return false
-}
diff --git a/internal/server/auth.go b/internal/server/auth.go
new file mode 100644
index 0000000..d5e3ed8
--- /dev/null
+++ b/internal/server/auth.go
@@ -0,0 +1,83 @@
+package server
+
+import (
+	"sort"
+
+	"github.com/h44z/wg-portal/internal/authentication"
+
+	"github.com/gin-gonic/gin"
+	"github.com/h44z/wg-portal/internal/users"
+	"github.com/sirupsen/logrus"
+)
+
+// Auth auth struct
+type AuthManager struct {
+	Server      *Server
+	Group       *gin.RouterGroup // basic group for all providers (/auth)
+	providers   []authentication.AuthProvider
+	UserManager *users.Manager
+}
+
+// RegisterProvider register auth provider
+func (auth *AuthManager) RegisterProvider(provider authentication.AuthProvider) {
+	name := provider.GetName()
+	if auth.GetProvider(name) != nil {
+		logrus.Warnf("auth provider %v already registered", name)
+	}
+
+	provider.SetupRoutes(auth.Group)
+	auth.providers = append(auth.providers, provider)
+}
+
+// RegisterProviderWithoutError register auth provider if err is nil
+func (auth *AuthManager) RegisterProviderWithoutError(provider authentication.AuthProvider, err error) {
+	if err != nil {
+		logrus.Errorf("skipping provider registration: %v", err)
+		return
+	}
+	auth.RegisterProvider(provider)
+}
+
+// GetProvider get provider with name
+func (auth *AuthManager) GetProvider(name string) authentication.AuthProvider {
+	for _, provider := range auth.providers {
+		if provider.GetName() == name {
+			return provider
+		}
+	}
+	return nil
+}
+
+// GetProviders return registered providers
+func (auth *AuthManager) GetProviders() (providers []authentication.AuthProvider) {
+	for _, provider := range auth.providers {
+		providers = append(providers, provider)
+	}
+	return
+}
+
+// GetProviders return registered providers
+func (auth *AuthManager) GetProvidersForType(typ authentication.AuthProviderType) (providers []authentication.AuthProvider) {
+	for _, provider := range auth.providers {
+		if provider.GetType() == typ {
+			providers = append(providers, provider)
+		}
+	}
+
+	// order by priority
+	sort.SliceStable(providers, func(i, j int) bool {
+		return providers[i].GetPriority() < providers[j].GetPriority()
+	})
+
+	return
+}
+
+func NewAuthManager(server *Server) *AuthManager {
+	m := &AuthManager{
+		Server: server,
+	}
+
+	m.Group = m.Server.server.Group("/auth")
+
+	return m
+}
diff --git a/internal/server/core.go b/internal/server/core.go
index 3e743c9..c095efc 100644
--- a/internal/server/core.go
+++ b/internal/server/core.go
@@ -3,10 +3,11 @@ package server
 import (
 	"context"
 	"encoding/gob"
-	"errors"
 	"html/template"
+	"io/fs"
 	"io/ioutil"
 	"math/rand"
+	"net/http"
 	"net/url"
 	"os"
 	"path/filepath"
@@ -15,15 +16,18 @@ import (
 	"github.com/gin-contrib/sessions"
 	"github.com/gin-contrib/sessions/memstore"
 	"github.com/gin-gonic/gin"
+	wg_portal "github.com/h44z/wg-portal"
+	ldapprovider "github.com/h44z/wg-portal/internal/authentication/providers/ldap"
+	passwordprovider "github.com/h44z/wg-portal/internal/authentication/providers/password"
 	"github.com/h44z/wg-portal/internal/common"
-	"github.com/h44z/wg-portal/internal/ldap"
+	"github.com/h44z/wg-portal/internal/users"
 	"github.com/h44z/wg-portal/internal/wireguard"
+	"github.com/pkg/errors"
 	"github.com/sirupsen/logrus"
 	ginlogrus "github.com/toorop/gin-logrus"
 )
 
 const SessionIdentifier = "wgPortalSession"
-const CacheRefreshDuration = 5 * time.Minute
 
 func init() {
 	gob.Register(SessionData{})
@@ -31,22 +35,23 @@ func init() {
 	gob.Register(Peer{})
 	gob.Register(Device{})
 	gob.Register(LdapCreateForm{})
+	gob.Register(users.User{})
 }
 
 type SessionData struct {
-	LoggedIn      bool
-	IsAdmin       bool
-	UID           string
-	UserName      string
-	Firstname     string
-	Lastname      string
-	Email         string
-	SortedBy      string
-	SortDirection string
-	Search        string
-	AlertData     string
-	AlertType     string
-	FormData      interface{}
+	LoggedIn  bool
+	IsAdmin   bool
+	Firstname string
+	Lastname  string
+	Email     string
+
+	SortedBy      map[string]string
+	SortDirection map[string]string
+	Search        map[string]string
+
+	AlertData string
+	AlertType string
+	FormData  interface{}
 }
 
 type FlashData struct {
@@ -60,28 +65,23 @@ type StaticData struct {
 	WebsiteLogo  string
 	CompanyName  string
 	Year         int
-	LdapDisabled bool
 }
 
 type Server struct {
-	// Core components
 	ctx     context.Context
 	config  *common.Config
 	server  *gin.Engine
-	users   *UserManager
 	mailTpl *template.Template
+	auth    *AuthManager
 
-	// WireGuard stuff
-	wg *wireguard.Manager
-
-	// LDAP stuff
-	ldapDisabled     bool
-	ldapAuth         ldap.Authentication
-	ldapUsers        *ldap.SynchronizedUserCacheHolder
-	ldapCacheUpdater *ldap.UserCache
+	users *users.Manager
+	wg    *wireguard.Manager
+	peers *PeerManager
 }
 
 func (s *Server) Setup(ctx context.Context) error {
+	var err error
+
 	dir := s.getExecutableDirectory()
 	rDir, _ := filepath.Abs(filepath.Dir(os.Args[0]))
 	logrus.Infof("Real working directory: %s", rDir)
@@ -91,44 +91,10 @@ func (s *Server) Setup(ctx context.Context) error {
 	rand.Seed(time.Now().UnixNano())
 
 	s.config = common.NewConfig()
-
-	// Setup LDAP stuff
-	s.ldapAuth = ldap.NewAuthentication(s.config.LDAP)
-	s.ldapUsers = &ldap.SynchronizedUserCacheHolder{}
-	s.ldapUsers.Init()
-	s.ldapCacheUpdater = ldap.NewUserCache(s.config.LDAP, s.ldapUsers)
-	if s.ldapCacheUpdater.LastError != nil {
-		logrus.Warnf("LDAP error: %v", s.ldapCacheUpdater.LastError)
-		logrus.Warnf("LDAP features disabled!")
-		s.ldapDisabled = true
-	}
-
-	// Setup WireGuard stuff
-	s.wg = &wireguard.Manager{Cfg: &s.config.WG}
-	if err := s.wg.Init(); err != nil {
-		return err
-	}
-
-	// Setup user manager
-	if s.users = NewUserManager(filepath.Join(dir, s.config.Core.DatabasePath), s.wg, s.ldapUsers); s.users == nil {
-		return errors.New("unable to setup user manager")
-	}
-	if err := s.users.InitFromCurrentInterface(); err != nil {
-		return errors.New("unable to initialize user manager")
-	}
-	if err := s.RestoreWireGuardInterface(); err != nil {
-		return errors.New("unable to restore WireGuard state")
-	}
-
-	// Setup mail template
-	var err error
-	s.mailTpl, err = template.New("email.html").ParseFiles(filepath.Join(dir, "/assets/tpl/email.html"))
-	if err != nil {
-		return errors.New("unable to pare mail template")
-	}
+	s.ctx = ctx
 
 	// Setup http server
-	gin.SetMode(gin.ReleaseMode)
+	gin.SetMode(gin.DebugMode)
 	gin.DefaultWriter = ioutil.Discard
 	s.server = gin.New()
 	s.server.Use(ginlogrus.Logger(logrus.StandardLogger()), gin.Recovery())
@@ -138,54 +104,98 @@ func (s *Server) Setup(ctx context.Context) error {
 	})
 
 	// Setup templates
-	logrus.Infof("Loading templates from: %s", filepath.Join(dir, "/assets/tpl/*.html"))
-	s.server.LoadHTMLGlob(filepath.Join(dir, "/assets/tpl/*.html"))
+	templates := template.Must(template.New("").Funcs(s.server.FuncMap).ParseFS(wg_portal.Templates, "assets/tpl/*.html"))
+	s.server.SetHTMLTemplate(templates)
 	s.server.Use(sessions.Sessions("authsession", memstore.NewStore([]byte("secret")))) // TODO: change key?
 
 	// Serve static files
-	s.server.Static("/css", filepath.Join(dir, "/assets/css"))
-	s.server.Static("/js", filepath.Join(dir, "/assets/js"))
-	s.server.Static("/img", filepath.Join(dir, "/assets/img"))
-	s.server.Static("/fonts", filepath.Join(dir, "/assets/fonts"))
+	s.server.StaticFS("/css", http.FS(fsMust(fs.Sub(wg_portal.Statics, "assets/css"))))
+	s.server.StaticFS("/js", http.FS(fsMust(fs.Sub(wg_portal.Statics, "assets/js"))))
+	s.server.StaticFS("/img", http.FS(fsMust(fs.Sub(wg_portal.Statics, "assets/img"))))
+	s.server.StaticFS("/fonts", http.FS(fsMust(fs.Sub(wg_portal.Statics, "assets/fonts"))))
 
 	// Setup all routes
 	SetupRoutes(s)
 
+	// Setup user database (also needed for database authentication)
+	s.users, err = users.NewManager(&s.config.Database)
+	if err != nil {
+		return errors.WithMessage(err, "user-manager initialization failed")
+	}
+
+	// Setup auth manager
+	s.auth = NewAuthManager(s)
+	pwProvider, err := passwordprovider.New(&s.config.Database)
+	if err != nil {
+		return errors.WithMessage(err, "password provider initialization failed")
+	}
+	if err = pwProvider.InitializeAdmin(s.config.Core.AdminUser, s.config.Core.AdminPassword); err != nil {
+		return errors.WithMessage(err, "admin initialization failed")
+	}
+	s.auth.RegisterProvider(pwProvider)
+
+	if s.config.Core.LdapEnabled {
+		ldapProvider, err := ldapprovider.New(&s.config.LDAP)
+		if err != nil {
+			s.config.Core.LdapEnabled = false
+			logrus.Warnf("failed to setup LDAP connection, LDAP features disabled")
+		}
+		s.auth.RegisterProviderWithoutError(ldapProvider, err)
+	}
+
+	// Setup WireGuard stuff
+	s.wg = &wireguard.Manager{Cfg: &s.config.WG}
+	if err = s.wg.Init(); err != nil {
+		return errors.WithMessage(err, "unable to initialize WireGuard manager")
+	}
+
+	// Setup peer manager
+	if s.peers, err = NewPeerManager(s.config, s.wg, s.users); err != nil {
+		return errors.WithMessage(err, "unable to setup peer manager")
+	}
+	if err = s.peers.InitFromCurrentInterface(); err != nil {
+		return errors.WithMessage(err, "unable to initialize peer manager")
+	}
+	if err = s.RestoreWireGuardInterface(); err != nil {
+		return errors.WithMessage(err, "unable to restore WireGuard state")
+	}
+
+	// Setup mail template
+	s.mailTpl, err = template.New("email.html").ParseFS(wg_portal.Templates, "assets/tpl/email.html")
+	if err != nil {
+		return errors.Wrap(err, "unable to pare mail template")
+	}
+
 	logrus.Infof("Setup of service completed!")
 	return nil
 }
 
 func (s *Server) Run() {
-	// Start ldap group watcher
-	if !s.ldapDisabled {
-		go func(s *Server) {
-			for {
-				time.Sleep(CacheRefreshDuration)
-				if err := s.ldapCacheUpdater.Update(true, true); err != nil {
-					logrus.Warnf("Failed to update ldap group cache: %v", err)
-				}
-				logrus.Debugf("Refreshed LDAP permissions!")
-			}
-		}(s)
-	}
-
-	if !s.ldapDisabled && s.config.Core.SyncLdapStatus {
-		go func(s *Server) {
-			for {
-				time.Sleep(CacheRefreshDuration)
-				if err := s.SyncLdapAttributesWithWireGuard(); err != nil {
-					logrus.Warnf("Failed to synchronize ldap attributes: %v", err)
-				}
-				logrus.Debugf("Synced LDAP attributes!")
-			}
-		}(s)
+	// Start ldap sync
+	if s.config.Core.LdapEnabled {
+		go s.SyncLdapWithUserDatabase()
 	}
 
 	// Run web service
-	err := s.server.Run(s.config.Core.ListeningAddress)
-	if err != nil {
-		logrus.Errorf("Failed to listen and serve on %s: %v", s.config.Core.ListeningAddress, err)
+	srv := &http.Server{
+		Addr:    s.config.Core.ListeningAddress,
+		Handler: s.server,
 	}
+
+	go func() {
+		if err := srv.ListenAndServe(); err != nil {
+			logrus.Debugf("web service on %s exited: %v", s.config.Core.ListeningAddress, err)
+		}
+	}()
+
+	<-s.ctx.Done()
+
+	logrus.Debug("web service shutting down...")
+
+	shutdownCtx, cancel := context.WithTimeout(context.Background(), 10*time.Second)
+	defer cancel()
+	_ = srv.Shutdown(shutdownCtx)
+
 }
 
 func (s *Server) getExecutableDirectory() string {
@@ -201,7 +211,16 @@ func (s *Server) getExecutableDirectory() string {
 	return dir
 }
 
-func (s *Server) getSessionData(c *gin.Context) SessionData {
+func (s *Server) getStaticData() StaticData {
+	return StaticData{
+		WebsiteTitle: s.config.Core.Title,
+		WebsiteLogo:  "/img/header-logo.png",
+		CompanyName:  s.config.Core.CompanyName,
+		Year:         time.Now().Year(),
+	}
+}
+
+func GetSessionData(c *gin.Context) SessionData {
 	session := sessions.Default(c)
 	rawSessionData := session.Get(SessionIdentifier)
 
@@ -210,8 +229,9 @@ func (s *Server) getSessionData(c *gin.Context) SessionData {
 		sessionData = rawSessionData.(SessionData)
 	} else {
 		sessionData = SessionData{
-			SortedBy:      "mail",
-			SortDirection: "asc",
+			Search:        map[string]string{"peers": "", "userpeers": "", "users": ""},
+			SortedBy:      map[string]string{"peers": "mail", "userpeers": "mail", "users": "email"},
+			SortDirection: map[string]string{"peers": "asc", "userpeers": "asc", "users": "asc"},
 			Email:         "",
 			Firstname:     "",
 			Lastname:      "",
@@ -227,7 +247,7 @@ func (s *Server) getSessionData(c *gin.Context) SessionData {
 	return sessionData
 }
 
-func (s *Server) getFlashes(c *gin.Context) []FlashData {
+func GetFlashes(c *gin.Context) []FlashData {
 	session := sessions.Default(c)
 	flashes := session.Flashes()
 	if err := session.Save(); err != nil {
@@ -242,7 +262,7 @@ func (s *Server) getFlashes(c *gin.Context) []FlashData {
 	return flashData
 }
 
-func (s *Server) updateSessionData(c *gin.Context, data SessionData) error {
+func UpdateSessionData(c *gin.Context, data SessionData) error {
 	session := sessions.Default(c)
 	session.Set(SessionIdentifier, data)
 	if err := session.Save(); err != nil {
@@ -252,7 +272,7 @@ func (s *Server) updateSessionData(c *gin.Context, data SessionData) error {
 	return nil
 }
 
-func (s *Server) destroySessionData(c *gin.Context) error {
+func DestroySessionData(c *gin.Context) error {
 	session := sessions.Default(c)
 	session.Delete(SessionIdentifier)
 	if err := session.Save(); err != nil {
@@ -262,17 +282,7 @@ func (s *Server) destroySessionData(c *gin.Context) error {
 	return nil
 }
 
-func (s *Server) getStaticData() StaticData {
-	return StaticData{
-		WebsiteTitle: s.config.Core.Title,
-		WebsiteLogo:  "/img/header-logo.png",
-		CompanyName:  s.config.Core.CompanyName,
-		LdapDisabled: s.ldapDisabled,
-		Year:         time.Now().Year(),
-	}
-}
-
-func (s *Server) setFlashMessage(c *gin.Context, message, typ string) {
+func SetFlashMessage(c *gin.Context, message, typ string) {
 	session := sessions.Default(c)
 	session.AddFlash(FlashData{
 		Message: message,
@@ -283,13 +293,20 @@ func (s *Server) setFlashMessage(c *gin.Context, message, typ string) {
 	}
 }
 
-func (s SessionData) GetSortIcon(field string) string {
-	if s.SortedBy != field {
+func (s SessionData) GetSortIcon(table, field string) string {
+	if s.SortedBy[table] != field {
 		return "fa-sort"
 	}
-	if s.SortDirection == "asc" {
+	if s.SortDirection[table] == "asc" {
 		return "fa-sort-alpha-down"
 	} else {
 		return "fa-sort-alpha-up"
 	}
 }
+
+func fsMust(f fs.FS, err error) fs.FS {
+	if err != nil {
+		panic(err)
+	}
+	return f
+}
diff --git a/internal/server/handlers_auth.go b/internal/server/handlers_auth.go
index e10d143..e3c7f72 100644
--- a/internal/server/handlers_auth.go
+++ b/internal/server/handlers_auth.go
@@ -5,11 +5,14 @@ import (
 	"strings"
 
 	"github.com/gin-gonic/gin"
+	"github.com/h44z/wg-portal/internal/authentication"
+	"github.com/h44z/wg-portal/internal/users"
 	"github.com/sirupsen/logrus"
+	"gorm.io/gorm"
 )
 
 func (s *Server) GetLogin(c *gin.Context) {
-	currentSession := s.getSessionData(c)
+	currentSession := GetSessionData(c)
 	if currentSession.LoggedIn {
 		c.Redirect(http.StatusSeeOther, "/") // already logged in
 	}
@@ -33,7 +36,7 @@ func (s *Server) GetLogin(c *gin.Context) {
 }
 
 func (s *Server) PostLogin(c *gin.Context) {
-	currentSession := s.getSessionData(c)
+	currentSession := GetSessionData(c)
 	if currentSession.LoggedIn {
 		// already logged in
 		c.Redirect(http.StatusSeeOther, "/")
@@ -49,59 +52,84 @@ func (s *Server) PostLogin(c *gin.Context) {
 		return
 	}
 
-	adminAuthenticated := false
-	if s.config.Core.AdminUser != "" && username == s.config.Core.AdminUser && password == s.config.Core.AdminPassword {
-		adminAuthenticated = true
+	// Check user database for an matching entry
+	var loginProvider authentication.AuthProvider
+	email := ""
+	user := s.users.GetUser(username) // retrieve active candidate user from db
+	if user != nil {                  // existing user
+		loginProvider = s.auth.GetProvider(string(user.Source))
+		if loginProvider == nil {
+			s.GetHandleError(c, http.StatusInternalServerError, "login error", "login provider unavailable")
+			return
+		}
+		authEmail, err := loginProvider.Login(&authentication.AuthContext{
+			Username: username,
+			Password: password,
+		})
+		if err == nil {
+			email = authEmail
+		}
+	} else { // possible new user
+		// Check all available auth backends
+		for _, provider := range s.auth.GetProvidersForType(authentication.AuthProviderTypePassword) {
+			// try to log in to the given provider
+			authEmail, err := provider.Login(&authentication.AuthContext{
+				Username: username,
+				Password: password,
+			})
+			if err != nil {
+				continue
+			}
+
+			email = authEmail
+			loginProvider = provider
+
+			// create new user in the database (or reactivate him)
+			if user, err = s.users.GetOrCreateUserUnscoped(email); err != nil {
+				s.GetHandleError(c, http.StatusInternalServerError, "login error", "failed to create new user")
+				return
+			}
+			userData, err := loginProvider.GetUserModel(&authentication.AuthContext{
+				Username: email,
+			})
+			if err != nil {
+				s.GetHandleError(c, http.StatusInternalServerError, "login error", err.Error())
+				return
+			}
+			user.Firstname = userData.Firstname
+			user.Lastname = userData.Lastname
+			user.Email = userData.Email
+			user.Phone = userData.Phone
+			user.IsAdmin = userData.IsAdmin
+			user.Source = users.UserSource(loginProvider.GetName())
+			user.DeletedAt = gorm.DeletedAt{} // reset deleted flag
+			if err = s.users.UpdateUser(user); err != nil {
+				s.GetHandleError(c, http.StatusInternalServerError, "login error", "failed to update user data")
+				return
+			}
+			break
+		}
 	}
 
-	// Check if user is in cache, avoid unnecessary ldap requests
-	if !adminAuthenticated && !s.ldapUsers.UserExists(username) {
-		c.Redirect(http.StatusSeeOther, "/auth/login?err=authfail")
-	}
-
-	// Check if username and password match
-	if !adminAuthenticated && !s.ldapAuth.CheckLogin(username, password) {
+	// Check if user is authenticated
+	if email == "" || loginProvider == nil {
 		c.Redirect(http.StatusSeeOther, "/auth/login?err=authfail")
 		return
 	}
 
-	var sessionData SessionData
-	if adminAuthenticated {
-		sessionData = SessionData{
-			LoggedIn:      true,
-			IsAdmin:       true,
-			Email:         "autodetected@example.com",
-			UID:           "adminuid",
-			UserName:      username,
-			Firstname:     "System",
-			Lastname:      "Administrator",
-			SortedBy:      "mail",
-			SortDirection: "asc",
-			Search:        "",
-		}
-	} else {
-		dn := s.ldapUsers.GetUserDN(username)
-		userData := s.ldapUsers.GetUserData(dn)
-		sessionData = SessionData{
-			LoggedIn:      true,
-			IsAdmin:       s.ldapUsers.IsInGroup(username, s.config.AdminLdapGroup),
-			UID:           userData.GetUID(),
-			UserName:      username,
-			Email:         userData.Mail,
-			Firstname:     userData.Firstname,
-			Lastname:      userData.Lastname,
-			SortedBy:      "mail",
-			SortDirection: "asc",
-			Search:        "",
-		}
-	}
+	// Set authenticated session
+	sessionData := GetSessionData(c)
+	sessionData.LoggedIn = true
+	sessionData.IsAdmin = user.IsAdmin
+	sessionData.Email = user.Email
+	sessionData.Firstname = user.Firstname
+	sessionData.Lastname = user.Lastname
 
 	// Check if user already has a peer setup, if not create one
-	if s.config.Core.CreateInterfaceOnLogin && !adminAuthenticated {
-		users := s.users.GetUsersByMail(sessionData.Email)
-
-		if len(users) == 0 { // Create vpn peer
-			err := s.CreateUser(Peer{
+	if s.config.Core.CreateDefaultPeer {
+		peers := s.peers.GetPeersByMail(sessionData.Email)
+		if len(peers) == 0 { // Create vpn peer
+			err := s.CreatePeer(Peer{
 				Identifier: sessionData.Firstname + " " + sessionData.Lastname + " (Default)",
 				Email:      sessionData.Email,
 				CreatedBy:  sessionData.Email,
@@ -111,7 +139,7 @@ func (s *Server) PostLogin(c *gin.Context) {
 		}
 	}
 
-	if err := s.updateSessionData(c, sessionData); err != nil {
+	if err := UpdateSessionData(c, sessionData); err != nil {
 		s.GetHandleError(c, http.StatusInternalServerError, "login error", "failed to save session")
 		return
 	}
@@ -119,14 +147,14 @@ func (s *Server) PostLogin(c *gin.Context) {
 }
 
 func (s *Server) GetLogout(c *gin.Context) {
-	currentSession := s.getSessionData(c)
+	currentSession := GetSessionData(c)
 
 	if !currentSession.LoggedIn { // Not logged in
 		c.Redirect(http.StatusSeeOther, "/")
 		return
 	}
 
-	if err := s.destroySessionData(c); err != nil {
+	if err := DestroySessionData(c); err != nil {
 		s.GetHandleError(c, http.StatusInternalServerError, "logout error", "failed to destroy session")
 		return
 	}
diff --git a/internal/server/handlers_common.go b/internal/server/handlers_common.go
index 192f195..ba1d0ec 100644
--- a/internal/server/handlers_common.go
+++ b/internal/server/handlers_common.go
@@ -15,7 +15,7 @@ func (s *Server) GetHandleError(c *gin.Context, code int, message, details strin
 			"Details": details,
 		},
 		"Route":   c.Request.URL.Path,
-		"Session": s.getSessionData(c),
+		"Session": GetSessionData(c),
 		"Static":  s.getStaticData(),
 	})
 }
@@ -29,90 +29,88 @@ func (s *Server) GetIndex(c *gin.Context) {
 		Device  Device
 	}{
 		Route:   c.Request.URL.Path,
-		Alerts:  s.getFlashes(c),
-		Session: s.getSessionData(c),
+		Alerts:  GetFlashes(c),
+		Session: GetSessionData(c),
 		Static:  s.getStaticData(),
-		Device:  s.users.GetDevice(),
+		Device:  s.peers.GetDevice(),
 	})
 }
 
 func (s *Server) GetAdminIndex(c *gin.Context) {
-	currentSession := s.getSessionData(c)
+	currentSession := GetSessionData(c)
 
 	sort := c.Query("sort")
 	if sort != "" {
-		if currentSession.SortedBy != sort {
-			currentSession.SortedBy = sort
-			currentSession.SortDirection = "asc"
+		if currentSession.SortedBy["peers"] != sort {
+			currentSession.SortedBy["peers"] = sort
+			currentSession.SortDirection["peers"] = "asc"
 		} else {
-			if currentSession.SortDirection == "asc" {
-				currentSession.SortDirection = "desc"
+			if currentSession.SortDirection["peers"] == "asc" {
+				currentSession.SortDirection["peers"] = "desc"
 			} else {
-				currentSession.SortDirection = "asc"
+				currentSession.SortDirection["peers"] = "asc"
 			}
 		}
 
-		if err := s.updateSessionData(c, currentSession); err != nil {
+		if err := UpdateSessionData(c, currentSession); err != nil {
 			s.GetHandleError(c, http.StatusInternalServerError, "sort error", "failed to save session")
 			return
 		}
-		c.Redirect(http.StatusSeeOther, "/admin")
+		c.Redirect(http.StatusSeeOther, "/admin/")
 		return
 	}
 
 	search, searching := c.GetQuery("search")
 	if searching {
-		currentSession.Search = search
+		currentSession.Search["peers"] = search
 
-		if err := s.updateSessionData(c, currentSession); err != nil {
+		if err := UpdateSessionData(c, currentSession); err != nil {
 			s.GetHandleError(c, http.StatusInternalServerError, "search error", "failed to save session")
 			return
 		}
-		c.Redirect(http.StatusSeeOther, "/admin")
+		c.Redirect(http.StatusSeeOther, "/admin/")
 		return
 	}
 
-	device := s.users.GetDevice()
-	users := s.users.GetFilteredAndSortedUsers(currentSession.SortedBy, currentSession.SortDirection, currentSession.Search)
+	device := s.peers.GetDevice()
+	users := s.peers.GetFilteredAndSortedPeers(currentSession.SortedBy["peers"], currentSession.SortDirection["peers"], currentSession.Search["peers"])
 
 	c.HTML(http.StatusOK, "admin_index.html", struct {
-		Route        string
-		Alerts       []FlashData
-		Session      SessionData
-		Static       StaticData
-		Peers        []Peer
-		TotalPeers   int
-		Device       Device
-		LdapDisabled bool
+		Route      string
+		Alerts     []FlashData
+		Session    SessionData
+		Static     StaticData
+		Peers      []Peer
+		TotalPeers int
+		Device     Device
 	}{
-		Route:        c.Request.URL.Path,
-		Alerts:       s.getFlashes(c),
-		Session:      currentSession,
-		Static:       s.getStaticData(),
-		Peers:        users,
-		TotalPeers:   len(s.users.GetAllUsers()),
-		Device:       device,
-		LdapDisabled: s.ldapDisabled,
+		Route:      c.Request.URL.Path,
+		Alerts:     GetFlashes(c),
+		Session:    currentSession,
+		Static:     s.getStaticData(),
+		Peers:      users,
+		TotalPeers: len(s.peers.GetAllPeers()),
+		Device:     device,
 	})
 }
 
 func (s *Server) GetUserIndex(c *gin.Context) {
-	currentSession := s.getSessionData(c)
+	currentSession := GetSessionData(c)
 
 	sort := c.Query("sort")
 	if sort != "" {
-		if currentSession.SortedBy != sort {
-			currentSession.SortedBy = sort
-			currentSession.SortDirection = "asc"
+		if currentSession.SortedBy["userpeers"] != sort {
+			currentSession.SortedBy["userpeers"] = sort
+			currentSession.SortDirection["userpeers"] = "asc"
 		} else {
-			if currentSession.SortDirection == "asc" {
-				currentSession.SortDirection = "desc"
+			if currentSession.SortDirection["userpeers"] == "asc" {
+				currentSession.SortDirection["userpeers"] = "desc"
 			} else {
-				currentSession.SortDirection = "asc"
+				currentSession.SortDirection["userpeers"] = "asc"
 			}
 		}
 
-		if err := s.updateSessionData(c, currentSession); err != nil {
+		if err := UpdateSessionData(c, currentSession); err != nil {
 			s.GetHandleError(c, http.StatusInternalServerError, "sort error", "failed to save session")
 			return
 		}
@@ -120,8 +118,8 @@ func (s *Server) GetUserIndex(c *gin.Context) {
 		return
 	}
 
-	device := s.users.GetDevice()
-	users := s.users.GetSortedUsersForEmail(currentSession.SortedBy, currentSession.SortDirection, currentSession.Email)
+	device := s.peers.GetDevice()
+	users := s.peers.GetSortedPeersForEmail(currentSession.SortedBy["userpeers"], currentSession.SortDirection["userpeers"], currentSession.Email)
 
 	c.HTML(http.StatusOK, "user_index.html", struct {
 		Route      string
@@ -133,7 +131,7 @@ func (s *Server) GetUserIndex(c *gin.Context) {
 		Device     Device
 	}{
 		Route:      c.Request.URL.Path,
-		Alerts:     s.getFlashes(c),
+		Alerts:     GetFlashes(c),
 		Session:    currentSession,
 		Static:     s.getStaticData(),
 		Peers:      users,
@@ -143,29 +141,29 @@ func (s *Server) GetUserIndex(c *gin.Context) {
 }
 
 func (s *Server) updateFormInSession(c *gin.Context, formData interface{}) error {
-	currentSession := s.getSessionData(c)
+	currentSession := GetSessionData(c)
 	currentSession.FormData = formData
 
-	if err := s.updateSessionData(c, currentSession); err != nil {
+	if err := UpdateSessionData(c, currentSession); err != nil {
 		return err
 	}
 
 	return nil
 }
 
-func (s *Server) setNewUserFormInSession(c *gin.Context) (SessionData, error) {
-	currentSession := s.getSessionData(c)
-	// If session does not contain a user form ignore update
+func (s *Server) setNewPeerFormInSession(c *gin.Context) (SessionData, error) {
+	currentSession := GetSessionData(c)
+	// If session does not contain a peer form ignore update
 	// If url contains a formerr parameter reset the form
 	if currentSession.FormData == nil || c.Query("formerr") == "" {
-		user, err := s.PrepareNewUser()
+		user, err := s.PrepareNewPeer()
 		if err != nil {
 			return currentSession, err
 		}
 		currentSession.FormData = user
 	}
 
-	if err := s.updateSessionData(c, currentSession); err != nil {
+	if err := UpdateSessionData(c, currentSession); err != nil {
 		return currentSession, err
 	}
 
@@ -173,14 +171,14 @@ func (s *Server) setNewUserFormInSession(c *gin.Context) (SessionData, error) {
 }
 
 func (s *Server) setFormInSession(c *gin.Context, formData interface{}) (SessionData, error) {
-	currentSession := s.getSessionData(c)
+	currentSession := GetSessionData(c)
 	// If session does not contain a form ignore update
 	// If url contains a formerr parameter reset the form
 	if currentSession.FormData == nil || c.Query("formerr") == "" {
 		currentSession.FormData = formData
 	}
 
-	if err := s.updateSessionData(c, currentSession); err != nil {
+	if err := UpdateSessionData(c, currentSession); err != nil {
 		return currentSession, err
 	}
 
diff --git a/internal/server/handlers_interface.go b/internal/server/handlers_interface.go
index 1269c5b..77a152e 100644
--- a/internal/server/handlers_interface.go
+++ b/internal/server/handlers_interface.go
@@ -9,8 +9,8 @@ import (
 )
 
 func (s *Server) GetAdminEditInterface(c *gin.Context) {
-	device := s.users.GetDevice()
-	users := s.users.GetAllUsers()
+	device := s.peers.GetDevice()
+	users := s.peers.GetAllPeers()
 
 	currentSession, err := s.setFormInSession(c, device)
 	if err != nil {
@@ -28,7 +28,7 @@ func (s *Server) GetAdminEditInterface(c *gin.Context) {
 		EditableKeys bool
 	}{
 		Route:        c.Request.URL.Path,
-		Alerts:       s.getFlashes(c),
+		Alerts:       GetFlashes(c),
 		Session:      currentSession,
 		Static:       s.getStaticData(),
 		Peers:        users,
@@ -38,14 +38,14 @@ func (s *Server) GetAdminEditInterface(c *gin.Context) {
 }
 
 func (s *Server) PostAdminEditInterface(c *gin.Context) {
-	currentSession := s.getSessionData(c)
+	currentSession := GetSessionData(c)
 	var formDevice Device
 	if currentSession.FormData != nil {
 		formDevice = currentSession.FormData.(Device)
 	}
 	if err := c.ShouldBind(&formDevice); err != nil {
 		_ = s.updateFormInSession(c, formDevice)
-		s.setFlashMessage(c, err.Error(), "danger")
+		SetFlashMessage(c, err.Error(), "danger")
 		c.Redirect(http.StatusSeeOther, "/admin/device/edit?formerr=bind")
 		return
 	}
@@ -61,16 +61,16 @@ func (s *Server) PostAdminEditInterface(c *gin.Context) {
 	err := s.wg.UpdateDevice(formDevice.DeviceName, formDevice.GetConfig())
 	if err != nil {
 		_ = s.updateFormInSession(c, formDevice)
-		s.setFlashMessage(c, "Failed to update device in WireGuard: "+err.Error(), "danger")
+		SetFlashMessage(c, "Failed to update device in WireGuard: "+err.Error(), "danger")
 		c.Redirect(http.StatusSeeOther, "/admin/device/edit?formerr=wg")
 		return
 	}
 
 	// Update in database
-	err = s.users.UpdateDevice(formDevice)
+	err = s.peers.UpdateDevice(formDevice)
 	if err != nil {
 		_ = s.updateFormInSession(c, formDevice)
-		s.setFlashMessage(c, "Failed to update device in database: "+err.Error(), "danger")
+		SetFlashMessage(c, "Failed to update device in database: "+err.Error(), "danger")
 		c.Redirect(http.StatusSeeOther, "/admin/device/edit?formerr=update")
 		return
 	}
@@ -79,7 +79,7 @@ func (s *Server) PostAdminEditInterface(c *gin.Context) {
 	err = s.WriteWireGuardConfigFile()
 	if err != nil {
 		_ = s.updateFormInSession(c, formDevice)
-		s.setFlashMessage(c, "Failed to update WireGuard config-file: "+err.Error(), "danger")
+		SetFlashMessage(c, "Failed to update WireGuard config-file: "+err.Error(), "danger")
 		c.Redirect(http.StatusSeeOther, "/admin/device/edit?formerr=update")
 		return
 	}
@@ -88,26 +88,26 @@ func (s *Server) PostAdminEditInterface(c *gin.Context) {
 	if s.config.WG.ManageIPAddresses {
 		if err := s.wg.SetIPAddress(formDevice.IPs); err != nil {
 			_ = s.updateFormInSession(c, formDevice)
-			s.setFlashMessage(c, "Failed to update ip address: "+err.Error(), "danger")
+			SetFlashMessage(c, "Failed to update ip address: "+err.Error(), "danger")
 			c.Redirect(http.StatusSeeOther, "/admin/device/edit?formerr=update")
 		}
 		if err := s.wg.SetMTU(formDevice.Mtu); err != nil {
 			_ = s.updateFormInSession(c, formDevice)
-			s.setFlashMessage(c, "Failed to update MTU: "+err.Error(), "danger")
+			SetFlashMessage(c, "Failed to update MTU: "+err.Error(), "danger")
 			c.Redirect(http.StatusSeeOther, "/admin/device/edit?formerr=update")
 		}
 	}
 
-	s.setFlashMessage(c, "Changes applied successfully!", "success")
+	SetFlashMessage(c, "Changes applied successfully!", "success")
 	if !s.config.WG.ManageIPAddresses {
-		s.setFlashMessage(c, "WireGuard must be restarted to apply ip changes.", "warning")
+		SetFlashMessage(c, "WireGuard must be restarted to apply ip changes.", "warning")
 	}
 	c.Redirect(http.StatusSeeOther, "/admin/device/edit")
 }
 
 func (s *Server) GetInterfaceConfig(c *gin.Context) {
-	device := s.users.GetDevice()
-	users := s.users.GetActiveUsers()
+	device := s.peers.GetDevice()
+	users := s.peers.GetActivePeers()
 	cfg, err := device.GetConfigFile(users)
 	if err != nil {
 		s.GetHandleError(c, http.StatusInternalServerError, "ConfigFile error", err.Error())
@@ -122,19 +122,19 @@ func (s *Server) GetInterfaceConfig(c *gin.Context) {
 }
 
 func (s *Server) GetApplyGlobalConfig(c *gin.Context) {
-	device := s.users.GetDevice()
-	users := s.users.GetAllUsers()
+	device := s.peers.GetDevice()
+	users := s.peers.GetAllPeers()
 
 	for _, user := range users {
 		user.AllowedIPs = device.AllowedIPs
 		user.AllowedIPsStr = device.AllowedIPsStr
-		if err := s.users.UpdateUser(user); err != nil {
-			s.setFlashMessage(c, err.Error(), "danger")
+		if err := s.peers.UpdatePeer(user); err != nil {
+			SetFlashMessage(c, err.Error(), "danger")
 			c.Redirect(http.StatusSeeOther, "/admin/device/edit")
 		}
 	}
 
-	s.setFlashMessage(c, "Allowed IP's updated for all clients.", "success")
+	SetFlashMessage(c, "Allowed IP's updated for all clients.", "success")
 	c.Redirect(http.StatusSeeOther, "/admin/device/edit")
 	return
 }
diff --git a/internal/server/handlers_peer.go b/internal/server/handlers_peer.go
index 598b10b..ae05236 100644
--- a/internal/server/handlers_peer.go
+++ b/internal/server/handlers_peer.go
@@ -10,7 +10,7 @@ import (
 
 	"github.com/gin-gonic/gin"
 	"github.com/h44z/wg-portal/internal/common"
-	"github.com/h44z/wg-portal/internal/ldap"
+	"github.com/h44z/wg-portal/internal/users"
 	"github.com/sirupsen/logrus"
 	"github.com/tatsushid/go-fastping"
 )
@@ -21,10 +21,10 @@ type LdapCreateForm struct {
 }
 
 func (s *Server) GetAdminEditPeer(c *gin.Context) {
-	device := s.users.GetDevice()
-	user := s.users.GetUserByKey(c.Query("pkey"))
+	device := s.peers.GetDevice()
+	peer := s.peers.GetPeerByKey(c.Query("pkey"))
 
-	currentSession, err := s.setFormInSession(c, user)
+	currentSession, err := s.setFormInSession(c, peer)
 	if err != nil {
 		s.GetHandleError(c, http.StatusInternalServerError, "Session error", err.Error())
 		return
@@ -40,7 +40,7 @@ func (s *Server) GetAdminEditPeer(c *gin.Context) {
 		EditableKeys bool
 	}{
 		Route:        c.Request.URL.Path,
-		Alerts:       s.getFlashes(c),
+		Alerts:       GetFlashes(c),
 		Session:      currentSession,
 		Static:       s.getStaticData(),
 		Peer:         currentSession.FormData.(Peer),
@@ -50,17 +50,17 @@ func (s *Server) GetAdminEditPeer(c *gin.Context) {
 }
 
 func (s *Server) PostAdminEditPeer(c *gin.Context) {
-	currentUser := s.users.GetUserByKey(c.Query("pkey"))
+	currentPeer := s.peers.GetPeerByKey(c.Query("pkey"))
 	urlEncodedKey := url.QueryEscape(c.Query("pkey"))
 
-	currentSession := s.getSessionData(c)
+	currentSession := GetSessionData(c)
 	var formPeer Peer
 	if currentSession.FormData != nil {
 		formPeer = currentSession.FormData.(Peer)
 	}
 	if err := c.ShouldBind(&formPeer); err != nil {
 		_ = s.updateFormInSession(c, formPeer)
-		s.setFlashMessage(c, "failed to bind form data: "+err.Error(), "danger")
+		SetFlashMessage(c, "failed to bind form data: "+err.Error(), "danger")
 		c.Redirect(http.StatusSeeOther, "/admin/peer/edit?pkey="+urlEncodedKey+"&formerr=bind")
 		return
 	}
@@ -73,28 +73,28 @@ func (s *Server) PostAdminEditPeer(c *gin.Context) {
 
 	disabled := c.PostForm("isdisabled") != ""
 	now := time.Now()
-	if disabled && currentUser.DeactivatedAt == nil {
+	if disabled && currentPeer.DeactivatedAt == nil {
 		formPeer.DeactivatedAt = &now
 	} else if !disabled {
 		formPeer.DeactivatedAt = nil
 	}
 
 	// Update in database
-	if err := s.UpdateUser(formPeer, now); err != nil {
+	if err := s.UpdatePeer(formPeer, now); err != nil {
 		_ = s.updateFormInSession(c, formPeer)
-		s.setFlashMessage(c, "failed to update user: "+err.Error(), "danger")
+		SetFlashMessage(c, "failed to update user: "+err.Error(), "danger")
 		c.Redirect(http.StatusSeeOther, "/admin/peer/edit?pkey="+urlEncodedKey+"&formerr=update")
 		return
 	}
 
-	s.setFlashMessage(c, "changes applied successfully", "success")
+	SetFlashMessage(c, "changes applied successfully", "success")
 	c.Redirect(http.StatusSeeOther, "/admin/peer/edit?pkey="+urlEncodedKey)
 }
 
 func (s *Server) GetAdminCreatePeer(c *gin.Context) {
-	device := s.users.GetDevice()
+	device := s.peers.GetDevice()
 
-	currentSession, err := s.setNewUserFormInSession(c)
+	currentSession, err := s.setNewPeerFormInSession(c)
 	if err != nil {
 		s.GetHandleError(c, http.StatusInternalServerError, "Session error", err.Error())
 		return
@@ -109,7 +109,7 @@ func (s *Server) GetAdminCreatePeer(c *gin.Context) {
 		EditableKeys bool
 	}{
 		Route:        c.Request.URL.Path,
-		Alerts:       s.getFlashes(c),
+		Alerts:       GetFlashes(c),
 		Session:      currentSession,
 		Static:       s.getStaticData(),
 		Peer:         currentSession.FormData.(Peer),
@@ -119,14 +119,14 @@ func (s *Server) GetAdminCreatePeer(c *gin.Context) {
 }
 
 func (s *Server) PostAdminCreatePeer(c *gin.Context) {
-	currentSession := s.getSessionData(c)
+	currentSession := GetSessionData(c)
 	var formPeer Peer
 	if currentSession.FormData != nil {
 		formPeer = currentSession.FormData.(Peer)
 	}
 	if err := c.ShouldBind(&formPeer); err != nil {
 		_ = s.updateFormInSession(c, formPeer)
-		s.setFlashMessage(c, "failed to bind form data: "+err.Error(), "danger")
+		SetFlashMessage(c, "failed to bind form data: "+err.Error(), "danger")
 		c.Redirect(http.StatusSeeOther, "/admin/peer/create?formerr=bind")
 		return
 	}
@@ -143,14 +143,14 @@ func (s *Server) PostAdminCreatePeer(c *gin.Context) {
 		formPeer.DeactivatedAt = &now
 	}
 
-	if err := s.CreateUser(formPeer); err != nil {
+	if err := s.CreatePeer(formPeer); err != nil {
 		_ = s.updateFormInSession(c, formPeer)
-		s.setFlashMessage(c, "failed to add user: "+err.Error(), "danger")
+		SetFlashMessage(c, "failed to add user: "+err.Error(), "danger")
 		c.Redirect(http.StatusSeeOther, "/admin/peer/create?formerr=create")
 		return
 	}
 
-	s.setFlashMessage(c, "client created successfully", "success")
+	SetFlashMessage(c, "client created successfully", "success")
 	c.Redirect(http.StatusSeeOther, "/admin")
 }
 
@@ -166,29 +166,29 @@ func (s *Server) GetAdminCreateLdapPeers(c *gin.Context) {
 		Alerts   []FlashData
 		Session  SessionData
 		Static   StaticData
-		Users    []*ldap.UserCacheHolderEntry
+		Users    []users.User
 		FormData LdapCreateForm
 		Device   Device
 	}{
 		Route:    c.Request.URL.Path,
-		Alerts:   s.getFlashes(c),
+		Alerts:   GetFlashes(c),
 		Session:  currentSession,
 		Static:   s.getStaticData(),
-		Users:    s.ldapUsers.GetSortedUsers("sn", "asc"),
+		Users:    s.users.GetFilteredAndSortedUsers("lastname", "asc", ""),
 		FormData: currentSession.FormData.(LdapCreateForm),
-		Device:   s.users.GetDevice(),
+		Device:   s.peers.GetDevice(),
 	})
 }
 
 func (s *Server) PostAdminCreateLdapPeers(c *gin.Context) {
-	currentSession := s.getSessionData(c)
+	currentSession := GetSessionData(c)
 	var formData LdapCreateForm
 	if currentSession.FormData != nil {
 		formData = currentSession.FormData.(LdapCreateForm)
 	}
 	if err := c.ShouldBind(&formData); err != nil {
 		_ = s.updateFormInSession(c, formData)
-		s.setFlashMessage(c, "failed to bind form data: "+err.Error(), "danger")
+		SetFlashMessage(c, "failed to bind form data: "+err.Error(), "danger")
 		c.Redirect(http.StatusSeeOther, "/admin/peer/createldap?formerr=bind")
 		return
 	}
@@ -196,9 +196,9 @@ func (s *Server) PostAdminCreateLdapPeers(c *gin.Context) {
 	emails := common.ParseStringList(formData.Emails)
 	for i := range emails {
 		// TODO: also check email addr for validity?
-		if !strings.ContainsRune(emails[i], '@') || s.ldapUsers.GetUserDNByMail(emails[i]) == "" {
+		if !strings.ContainsRune(emails[i], '@') || s.users.GetUser(emails[i]) == nil {
 			_ = s.updateFormInSession(c, formData)
-			s.setFlashMessage(c, "invalid email address: "+emails[i], "danger")
+			SetFlashMessage(c, "invalid email address: "+emails[i], "danger")
 			c.Redirect(http.StatusSeeOther, "/admin/peer/createldap?formerr=mail")
 			return
 		}
@@ -207,31 +207,31 @@ func (s *Server) PostAdminCreateLdapPeers(c *gin.Context) {
 	logrus.Infof("creating %d ldap peers", len(emails))
 
 	for i := range emails {
-		if err := s.CreateUserByEmail(emails[i], formData.Identifier, false); err != nil {
+		if err := s.CreatePeerByEmail(emails[i], formData.Identifier, false); err != nil {
 			_ = s.updateFormInSession(c, formData)
-			s.setFlashMessage(c, "failed to add user: "+err.Error(), "danger")
+			SetFlashMessage(c, "failed to add user: "+err.Error(), "danger")
 			c.Redirect(http.StatusSeeOther, "/admin/peer/createldap?formerr=create")
 			return
 		}
 	}
 
-	s.setFlashMessage(c, "client(s) created successfully", "success")
+	SetFlashMessage(c, "client(s) created successfully", "success")
 	c.Redirect(http.StatusSeeOther, "/admin/peer/createldap")
 }
 
 func (s *Server) GetAdminDeletePeer(c *gin.Context) {
-	currentUser := s.users.GetUserByKey(c.Query("pkey"))
-	if err := s.DeleteUser(currentUser); err != nil {
+	currentUser := s.peers.GetPeerByKey(c.Query("pkey"))
+	if err := s.DeletePeer(currentUser); err != nil {
 		s.GetHandleError(c, http.StatusInternalServerError, "Deletion error", err.Error())
 		return
 	}
-	s.setFlashMessage(c, "user deleted successfully", "success")
+	SetFlashMessage(c, "user deleted successfully", "success")
 	c.Redirect(http.StatusSeeOther, "/admin")
 }
 
 func (s *Server) GetPeerQRCode(c *gin.Context) {
-	user := s.users.GetUserByKey(c.Query("pkey"))
-	currentSession := s.getSessionData(c)
+	user := s.peers.GetPeerByKey(c.Query("pkey"))
+	currentSession := GetSessionData(c)
 	if !currentSession.IsAdmin && user.Email != currentSession.Email {
 		s.GetHandleError(c, http.StatusUnauthorized, "No permissions", "You don't have permissions to view this resource!")
 		return
@@ -247,14 +247,14 @@ func (s *Server) GetPeerQRCode(c *gin.Context) {
 }
 
 func (s *Server) GetPeerConfig(c *gin.Context) {
-	user := s.users.GetUserByKey(c.Query("pkey"))
-	currentSession := s.getSessionData(c)
+	user := s.peers.GetPeerByKey(c.Query("pkey"))
+	currentSession := GetSessionData(c)
 	if !currentSession.IsAdmin && user.Email != currentSession.Email {
 		s.GetHandleError(c, http.StatusUnauthorized, "No permissions", "You don't have permissions to view this resource!")
 		return
 	}
 
-	cfg, err := user.GetConfigFile(s.users.GetDevice())
+	cfg, err := user.GetConfigFile(s.peers.GetDevice())
 	if err != nil {
 		s.GetHandleError(c, http.StatusInternalServerError, "ConfigFile error", err.Error())
 		return
@@ -266,14 +266,14 @@ func (s *Server) GetPeerConfig(c *gin.Context) {
 }
 
 func (s *Server) GetPeerConfigMail(c *gin.Context) {
-	user := s.users.GetUserByKey(c.Query("pkey"))
-	currentSession := s.getSessionData(c)
+	user := s.peers.GetPeerByKey(c.Query("pkey"))
+	currentSession := GetSessionData(c)
 	if !currentSession.IsAdmin && user.Email != currentSession.Email {
 		s.GetHandleError(c, http.StatusUnauthorized, "No permissions", "You don't have permissions to view this resource!")
 		return
 	}
 
-	cfg, err := user.GetConfigFile(s.users.GetDevice())
+	cfg, err := user.GetConfigFile(s.peers.GetDevice())
 	if err != nil {
 		s.GetHandleError(c, http.StatusInternalServerError, "ConfigFile error", err.Error())
 		return
@@ -319,13 +319,13 @@ func (s *Server) GetPeerConfigMail(c *gin.Context) {
 		return
 	}
 
-	s.setFlashMessage(c, "mail sent successfully", "success")
+	SetFlashMessage(c, "mail sent successfully", "success")
 	c.Redirect(http.StatusSeeOther, "/admin")
 }
 
 func (s *Server) GetPeerStatus(c *gin.Context) {
-	user := s.users.GetUserByKey(c.Query("pkey"))
-	currentSession := s.getSessionData(c)
+	user := s.peers.GetPeerByKey(c.Query("pkey"))
+	currentSession := GetSessionData(c)
 	if !currentSession.IsAdmin && user.Email != currentSession.Email {
 		s.GetHandleError(c, http.StatusUnauthorized, "No permissions", "You don't have permissions to view this resource!")
 		return
diff --git a/internal/server/handlers_user.go b/internal/server/handlers_user.go
new file mode 100644
index 0000000..c0a4400
--- /dev/null
+++ b/internal/server/handlers_user.go
@@ -0,0 +1,269 @@
+package server
+
+import (
+	"net/http"
+	"net/url"
+	"time"
+
+	"github.com/gin-gonic/gin"
+	"github.com/h44z/wg-portal/internal/users"
+	"github.com/sirupsen/logrus"
+	"golang.org/x/crypto/bcrypt"
+	"gorm.io/gorm"
+)
+
+func (s *Server) GetAdminUsersIndex(c *gin.Context) {
+	currentSession := GetSessionData(c)
+
+	sort := c.Query("sort")
+	if sort != "" {
+		if currentSession.SortedBy["users"] != sort {
+			currentSession.SortedBy["users"] = sort
+			currentSession.SortDirection["users"] = "asc"
+		} else {
+			if currentSession.SortDirection["users"] == "asc" {
+				currentSession.SortDirection["users"] = "desc"
+			} else {
+				currentSession.SortDirection["users"] = "asc"
+			}
+		}
+
+		if err := UpdateSessionData(c, currentSession); err != nil {
+			s.GetHandleError(c, http.StatusInternalServerError, "sort error", "failed to save session")
+			return
+		}
+		c.Redirect(http.StatusSeeOther, "/admin/users/")
+		return
+	}
+
+	search, searching := c.GetQuery("search")
+	if searching {
+		currentSession.Search["users"] = search
+
+		if err := UpdateSessionData(c, currentSession); err != nil {
+			s.GetHandleError(c, http.StatusInternalServerError, "search error", "failed to save session")
+			return
+		}
+		c.Redirect(http.StatusSeeOther, "/admin/users/")
+		return
+	}
+
+	dbUsers := s.users.GetFilteredAndSortedUsersUnscoped(currentSession.SortedBy["users"], currentSession.SortDirection["users"], currentSession.Search["users"])
+
+	c.HTML(http.StatusOK, "admin_user_index.html", struct {
+		Route      string
+		Alerts     []FlashData
+		Session    SessionData
+		Static     StaticData
+		Users      []users.User
+		TotalUsers int
+		Device     Device
+	}{
+		Route:      c.Request.URL.Path,
+		Alerts:     GetFlashes(c),
+		Session:    currentSession,
+		Static:     s.getStaticData(),
+		Users:      dbUsers,
+		TotalUsers: len(s.users.GetUsers()),
+		Device:     s.peers.GetDevice(),
+	})
+}
+
+func (s *Server) GetAdminUsersEdit(c *gin.Context) {
+	user := s.users.GetUserUnscoped(c.Query("pkey"))
+
+	currentSession, err := s.setFormInSession(c, *user)
+	if err != nil {
+		s.GetHandleError(c, http.StatusInternalServerError, "Session error", err.Error())
+		return
+	}
+
+	c.HTML(http.StatusOK, "admin_edit_user.html", struct {
+		Route   string
+		Alerts  []FlashData
+		Session SessionData
+		Static  StaticData
+		User    users.User
+		Device  Device
+		Epoch   time.Time
+	}{
+		Route:   c.Request.URL.Path,
+		Alerts:  GetFlashes(c),
+		Session: currentSession,
+		Static:  s.getStaticData(),
+		User:    currentSession.FormData.(users.User),
+		Device:  s.peers.GetDevice(),
+	})
+}
+
+func (s *Server) PostAdminUsersEdit(c *gin.Context) {
+	currentUser := s.users.GetUserUnscoped(c.Query("pkey"))
+	if currentUser == nil {
+		SetFlashMessage(c, "invalid user", "danger")
+		c.Redirect(http.StatusSeeOther, "/admin/users/")
+		return
+	}
+	urlEncodedKey := url.QueryEscape(c.Query("pkey"))
+
+	currentSession := GetSessionData(c)
+	var formUser users.User
+	if currentSession.FormData != nil {
+		formUser = currentSession.FormData.(users.User)
+	}
+	if err := c.ShouldBind(&formUser); err != nil {
+		_ = s.updateFormInSession(c, formUser)
+		SetFlashMessage(c, "failed to bind form data: "+err.Error(), "danger")
+		c.Redirect(http.StatusSeeOther, "/admin/users/edit?pkey="+urlEncodedKey+"&formerr=bind")
+		return
+	}
+
+	if formUser.Password != "" {
+		hashedPassword, err := bcrypt.GenerateFromPassword([]byte(formUser.Password), bcrypt.DefaultCost)
+		if err != nil {
+			_ = s.updateFormInSession(c, formUser)
+			SetFlashMessage(c, "failed to hash admin password", "danger")
+			c.Redirect(http.StatusSeeOther, "/admin/users/edit?pkey="+urlEncodedKey+"&formerr=bind")
+			return
+		}
+		formUser.Password = string(hashedPassword)
+	} else {
+		formUser.Password = currentUser.Password
+	}
+
+	disabled := c.PostForm("isdisabled") != ""
+	if disabled {
+		formUser.DeletedAt = gorm.DeletedAt{
+			Time:  time.Now(),
+			Valid: true,
+		}
+	} else {
+		formUser.DeletedAt = gorm.DeletedAt{}
+	}
+	formUser.IsAdmin = c.PostForm("isadmin") == "true"
+
+	// Update peers
+	if disabled != currentUser.DeletedAt.Valid {
+		if disabled {
+			// disable all peers for the given user
+			for _, peer := range s.peers.GetPeersByMail(currentUser.Email) {
+				now := time.Now()
+				peer.DeactivatedAt = &now
+				if err := s.UpdatePeer(peer, now); err != nil {
+					logrus.Errorf("failed to update deactivated peer %s: %v", peer.PublicKey, err)
+				}
+			}
+		} else {
+			// enable all peers for the given user
+			for _, peer := range s.peers.GetPeersByMail(currentUser.Email) {
+				now := time.Now()
+				peer.DeactivatedAt = nil
+				if err := s.UpdatePeer(peer, now); err != nil {
+					logrus.Errorf("failed to update activated peer %s: %v", peer.PublicKey, err)
+				}
+			}
+		}
+	}
+
+	// Update in database
+	if err := s.users.UpdateUser(&formUser); err != nil {
+		_ = s.updateFormInSession(c, formUser)
+		SetFlashMessage(c, "failed to update user: "+err.Error(), "danger")
+		c.Redirect(http.StatusSeeOther, "/admin/users/edit?pkey="+urlEncodedKey+"&formerr=update")
+		return
+	}
+
+	SetFlashMessage(c, "changes applied successfully", "success")
+	c.Redirect(http.StatusSeeOther, "/admin/users/edit?pkey="+urlEncodedKey)
+}
+
+func (s *Server) GetAdminUsersCreate(c *gin.Context) {
+	user := users.User{}
+
+	currentSession, err := s.setFormInSession(c, user)
+	if err != nil {
+		s.GetHandleError(c, http.StatusInternalServerError, "Session error", err.Error())
+		return
+	}
+
+	c.HTML(http.StatusOK, "admin_edit_user.html", struct {
+		Route   string
+		Alerts  []FlashData
+		Session SessionData
+		Static  StaticData
+		User    users.User
+		Device  Device
+		Epoch   time.Time
+	}{
+		Route:   c.Request.URL.Path,
+		Alerts:  GetFlashes(c),
+		Session: currentSession,
+		Static:  s.getStaticData(),
+		User:    currentSession.FormData.(users.User),
+		Device:  s.peers.GetDevice(),
+	})
+}
+
+func (s *Server) PostAdminUsersCreate(c *gin.Context) {
+	currentSession := GetSessionData(c)
+	var formUser users.User
+	if currentSession.FormData != nil {
+		formUser = currentSession.FormData.(users.User)
+	}
+	if err := c.ShouldBind(&formUser); err != nil {
+		_ = s.updateFormInSession(c, formUser)
+		SetFlashMessage(c, "failed to bind form data: "+err.Error(), "danger")
+		c.Redirect(http.StatusSeeOther, "/admin/users/create?formerr=bind")
+		return
+	}
+
+	if formUser.Password != "" {
+		hashedPassword, err := bcrypt.GenerateFromPassword([]byte(formUser.Password), bcrypt.DefaultCost)
+		if err != nil {
+			SetFlashMessage(c, "failed to hash admin password", "danger")
+			c.Redirect(http.StatusSeeOther, "/admin/users/create?formerr=bind")
+			return
+		}
+		formUser.Password = string(hashedPassword)
+	} else {
+		_ = s.updateFormInSession(c, formUser)
+		SetFlashMessage(c, "invalid password", "danger")
+		c.Redirect(http.StatusSeeOther, "/admin/users/create?formerr=create")
+		return
+	}
+
+	disabled := c.PostForm("isdisabled") != ""
+	if disabled {
+		formUser.DeletedAt = gorm.DeletedAt{
+			Time:  time.Now(),
+			Valid: true,
+		}
+	} else {
+		formUser.DeletedAt = gorm.DeletedAt{}
+	}
+	formUser.IsAdmin = c.PostForm("isadmin") == "true"
+	formUser.Source = users.UserSourceDatabase
+	if err := s.users.CreateUser(&formUser); err != nil {
+		formUser.CreatedAt = time.Time{} // reset created time
+		_ = s.updateFormInSession(c, formUser)
+		SetFlashMessage(c, "failed to add user: "+err.Error(), "danger")
+		c.Redirect(http.StatusSeeOther, "/admin/users/create?formerr=create")
+		return
+	}
+
+	// Check if user already has a peer setup, if not create one
+	if s.config.Core.CreateDefaultPeer {
+		peers := s.peers.GetPeersByMail(formUser.Email)
+		if len(peers) == 0 { // Create vpn peer
+			err := s.CreatePeer(Peer{
+				Identifier: formUser.Firstname + " " + formUser.Lastname + " (Default)",
+				Email:      formUser.Email,
+				CreatedBy:  formUser.Email,
+				UpdatedBy:  formUser.Email,
+			})
+			logrus.Errorf("Failed to automatically create vpn peer for %s: %v", formUser.Email, err)
+		}
+	}
+
+	SetFlashMessage(c, "user created successfully", "success")
+	c.Redirect(http.StatusSeeOther, "/admin/users/")
+}
diff --git a/internal/server/helper.go b/internal/server/helper.go
index ab3d579..0b59aa4 100644
--- a/internal/server/helper.go
+++ b/internal/server/helper.go
@@ -2,25 +2,25 @@ package server
 
 import (
 	"crypto/md5"
-	"errors"
 	"fmt"
 	"io/ioutil"
 	"syscall"
 	"time"
 
 	"github.com/h44z/wg-portal/internal/common"
+	"github.com/pkg/errors"
 	"golang.zx2c4.com/wireguard/wgctrl/wgtypes"
 )
 
-func (s *Server) PrepareNewUser() (Peer, error) {
-	device := s.users.GetDevice()
+func (s *Server) PrepareNewPeer() (Peer, error) {
+	device := s.peers.GetDevice()
 
 	peer := Peer{}
 	peer.IsNew = true
 	peer.AllowedIPsStr = device.AllowedIPsStr
 	peer.IPs = make([]string, len(device.IPs))
 	for i := range device.IPs {
-		freeIP, err := s.users.GetAvailableIp(device.IPs[i])
+		freeIP, err := s.peers.GetAvailableIp(device.IPs[i])
 		if err != nil {
 			return Peer{}, err
 		}
@@ -43,18 +43,19 @@ func (s *Server) PrepareNewUser() (Peer, error) {
 	return peer, nil
 }
 
-func (s *Server) CreateUserByEmail(email, identifierSuffix string, disabled bool) error {
-	ldapUser := s.ldapUsers.GetUserData(s.ldapUsers.GetUserDNByMail(email))
-	if ldapUser.DN == "" {
-		return errors.New("no peer with email " + email + " found")
+func (s *Server) CreatePeerByEmail(email, identifierSuffix string, disabled bool) error {
+	user, err := s.users.GetOrCreateUser(email)
+	if err != nil {
+		return errors.WithMessagef(err, "failed to load/create related user %s", email)
 	}
 
-	device := s.users.GetDevice()
+	device := s.peers.GetDevice()
 	peer := Peer{}
+	peer.User = user
 	peer.AllowedIPsStr = device.AllowedIPsStr
 	peer.IPs = make([]string, len(device.IPs))
 	for i := range device.IPs {
-		freeIP, err := s.users.GetAvailableIp(device.IPs[i])
+		freeIP, err := s.peers.GetAvailableIp(device.IPs[i])
 		if err != nil {
 			return err
 		}
@@ -74,30 +75,30 @@ func (s *Server) CreateUserByEmail(email, identifierSuffix string, disabled bool
 	peer.PublicKey = key.PublicKey().String()
 	peer.UID = fmt.Sprintf("u%x", md5.Sum([]byte(peer.PublicKey)))
 	peer.Email = email
-	peer.Identifier = fmt.Sprintf("%s %s (%s)", ldapUser.Firstname, ldapUser.Lastname, identifierSuffix)
+	peer.Identifier = fmt.Sprintf("%s %s (%s)", user.Firstname, user.Lastname, identifierSuffix)
 	now := time.Now()
 	if disabled {
 		peer.DeactivatedAt = &now
 	}
 
-	return s.CreateUser(peer)
+	return s.CreatePeer(peer)
 }
 
-func (s *Server) CreateUser(user Peer) error {
-
-	device := s.users.GetDevice()
-	user.AllowedIPsStr = device.AllowedIPsStr
-	if len(user.IPs) == 0 {
+func (s *Server) CreatePeer(peer Peer) error {
+	device := s.peers.GetDevice()
+	peer.AllowedIPsStr = device.AllowedIPsStr
+	if peer.IPs == nil || len(peer.IPs) == 0 {
+		peer.IPs = make([]string, len(device.IPs))
 		for i := range device.IPs {
-			freeIP, err := s.users.GetAvailableIp(device.IPs[i])
+			freeIP, err := s.peers.GetAvailableIp(device.IPs[i])
 			if err != nil {
 				return err
 			}
-			user.IPs[i] = freeIP
+			peer.IPs[i] = freeIP
 		}
-		user.IPsStr = common.ListToString(user.IPs)
+		peer.IPsStr = common.ListToString(peer.IPs)
 	}
-	if user.PrivateKey == "" { // if private key is empty create a new one
+	if peer.PrivateKey == "" { // if private key is empty create a new one
 		psk, err := wgtypes.GenerateKey()
 		if err != nil {
 			return err
@@ -106,60 +107,60 @@ func (s *Server) CreateUser(user Peer) error {
 		if err != nil {
 			return err
 		}
-		user.PresharedKey = psk.String()
-		user.PrivateKey = key.String()
-		user.PublicKey = key.PublicKey().String()
+		peer.PresharedKey = psk.String()
+		peer.PrivateKey = key.String()
+		peer.PublicKey = key.PublicKey().String()
 	}
-	user.UID = fmt.Sprintf("u%x", md5.Sum([]byte(user.PublicKey)))
+	peer.UID = fmt.Sprintf("u%x", md5.Sum([]byte(peer.PublicKey)))
 
 	// Create WireGuard interface
-	if user.DeactivatedAt == nil {
-		if err := s.wg.AddPeer(user.GetConfig()); err != nil {
+	if peer.DeactivatedAt == nil {
+		if err := s.wg.AddPeer(peer.GetConfig()); err != nil {
 			return err
 		}
 	}
 
 	// Create in database
-	if err := s.users.CreateUser(user); err != nil {
+	if err := s.peers.CreatePeer(peer); err != nil {
 		return err
 	}
 
 	return s.WriteWireGuardConfigFile()
 }
 
-func (s *Server) UpdateUser(user Peer, updateTime time.Time) error {
-	currentUser := s.users.GetUserByKey(user.PublicKey)
+func (s *Server) UpdatePeer(peer Peer, updateTime time.Time) error {
+	currentPeer := s.peers.GetPeerByKey(peer.PublicKey)
 
 	// Update WireGuard device
 	var err error
 	switch {
-	case user.DeactivatedAt == &updateTime:
-		err = s.wg.RemovePeer(user.PublicKey)
-	case user.DeactivatedAt == nil && currentUser.Peer != nil:
-		err = s.wg.UpdatePeer(user.GetConfig())
-	case user.DeactivatedAt == nil && currentUser.Peer == nil:
-		err = s.wg.AddPeer(user.GetConfig())
+	case peer.DeactivatedAt == &updateTime:
+		err = s.wg.RemovePeer(peer.PublicKey)
+	case peer.DeactivatedAt == nil && currentPeer.Peer != nil:
+		err = s.wg.UpdatePeer(peer.GetConfig())
+	case peer.DeactivatedAt == nil && currentPeer.Peer == nil:
+		err = s.wg.AddPeer(peer.GetConfig())
 	}
 	if err != nil {
 		return err
 	}
 
 	// Update in database
-	if err := s.users.UpdateUser(user); err != nil {
+	if err := s.peers.UpdatePeer(peer); err != nil {
 		return err
 	}
 
 	return s.WriteWireGuardConfigFile()
 }
 
-func (s *Server) DeleteUser(user Peer) error {
+func (s *Server) DeletePeer(peer Peer) error {
 	// Delete WireGuard peer
-	if err := s.wg.RemovePeer(user.PublicKey); err != nil {
+	if err := s.wg.RemovePeer(peer.PublicKey); err != nil {
 		return err
 	}
 
 	// Delete in database
-	if err := s.users.DeleteUser(user); err != nil {
+	if err := s.peers.DeletePeer(peer); err != nil {
 		return err
 	}
 
@@ -167,11 +168,11 @@ func (s *Server) DeleteUser(user Peer) error {
 }
 
 func (s *Server) RestoreWireGuardInterface() error {
-	activeUsers := s.users.GetActiveUsers()
+	activePeers := s.peers.GetActivePeers()
 
-	for i := range activeUsers {
-		if activeUsers[i].Peer == nil {
-			if err := s.wg.AddPeer(activeUsers[i].GetConfig()); err != nil {
+	for i := range activePeers {
+		if activePeers[i].Peer == nil {
+			if err := s.wg.AddPeer(activePeers[i].GetConfig()); err != nil {
 				return err
 			}
 		}
@@ -188,8 +189,8 @@ func (s *Server) WriteWireGuardConfigFile() error {
 		return err
 	}
 
-	device := s.users.GetDevice()
-	cfg, err := device.GetConfigFile(s.users.GetActiveUsers())
+	device := s.peers.GetDevice()
+	cfg, err := device.GetConfigFile(s.peers.GetActivePeers())
 	if err != nil {
 		return err
 	}
diff --git a/internal/server/ldapsync.go b/internal/server/ldapsync.go
index 3d2eac4..9ba75a9 100644
--- a/internal/server/ldapsync.go
+++ b/internal/server/ldapsync.go
@@ -4,31 +4,147 @@ import (
 	"time"
 
 	"github.com/h44z/wg-portal/internal/ldap"
+	"github.com/h44z/wg-portal/internal/users"
 	"github.com/sirupsen/logrus"
+	"gorm.io/gorm"
 )
 
-// SyncLdapAttributesWithWireGuard starts to synchronize the "disabled" attribute from ldap.
-// Users will be automatically disabled once they are disabled in ldap.
-// This method is blocking.
-func (s *Server) SyncLdapAttributesWithWireGuard() error {
-	allUsers := s.users.GetAllUsers()
-	for i := range allUsers {
-		user := allUsers[i]
-		if user.LdapUser == nil {
-			continue // skip non ldap users
+func (s *Server) SyncLdapWithUserDatabase() {
+	logrus.Info("starting ldap user synchronization...")
+	running := true
+	for running {
+		// Select blocks until one of the cases happens
+		select {
+		case <-time.After(1 * time.Minute):
+			// Sleep for 1 minute
+		case <-s.ctx.Done():
+			logrus.Trace("ldap-sync shutting down (context ended)...")
+			running = false
+			continue
 		}
 
-		if user.DeactivatedAt != nil {
-			continue // skip already disabled interfaces
+		// Main work here
+		logrus.Trace("syncing ldap users to database...")
+		ldapUsers, err := ldap.FindAllUsers(&s.config.LDAP)
+		if err != nil {
+			logrus.Errorf("failed to fetch users from ldap: %v", err)
+			continue
 		}
 
-		if ldap.IsLdapUserDisabled(allUsers[i].LdapUser.Attributes["userAccountControl"]) {
-			now := time.Now()
-			user.DeactivatedAt = &now
-			if err := s.UpdateUser(user, now); err != nil {
-				logrus.Errorf("Failed to disable user %s: %v", user.Email, err)
+		for i := range ldapUsers {
+			// prefilter
+			if ldapUsers[i].Attributes[s.config.LDAP.EmailAttribute] == "" ||
+				ldapUsers[i].Attributes[s.config.LDAP.FirstNameAttribute] == "" ||
+				ldapUsers[i].Attributes[s.config.LDAP.LastNameAttribute] == "" {
+				continue
+			}
+
+			user, err := s.users.GetOrCreateUserUnscoped(ldapUsers[i].Attributes[s.config.LDAP.EmailAttribute])
+			if err != nil {
+				logrus.Errorf("failed to get/create user %s in database: %v", ldapUsers[i].Attributes[s.config.LDAP.EmailAttribute], err)
+			}
+
+			// check if user should be deactivated
+			ldapDeactivated := false
+			switch s.config.LDAP.Type {
+			case ldap.TypeActiveDirectory:
+				ldapDeactivated = ldap.IsActiveDirectoryUserDisabled(ldapUsers[i].Attributes[s.config.LDAP.DisabledAttribute])
+			case ldap.TypeOpenLDAP:
+				ldapDeactivated = ldap.IsOpenLdapUserDisabled(ldapUsers[i].Attributes[s.config.LDAP.DisabledAttribute])
+			}
+
+			// check if user has been disabled in ldap, update peers accordingly
+			if ldapDeactivated != user.DeletedAt.Valid {
+				if ldapDeactivated {
+					// disable all peers for the given user
+					for _, peer := range s.peers.GetPeersByMail(user.Email) {
+						now := time.Now()
+						peer.DeactivatedAt = &now
+						if err = s.UpdatePeer(peer, now); err != nil {
+							logrus.Errorf("failed to update deactivated peer %s: %v", peer.PublicKey, err)
+						}
+					}
+				} else {
+					// enable all peers for the given user
+					for _, peer := range s.peers.GetPeersByMail(user.Email) {
+						now := time.Now()
+						peer.DeactivatedAt = nil
+						if err = s.UpdatePeer(peer, now); err != nil {
+							logrus.Errorf("failed to update activated peer %s: %v", peer.PublicKey, err)
+						}
+					}
+				}
+			}
+
+			// Sync attributes from ldap
+			if s.UserChangedInLdap(user, &ldapUsers[i]) {
+				user.Firstname = ldapUsers[i].Attributes[s.config.LDAP.FirstNameAttribute]
+				user.Lastname = ldapUsers[i].Attributes[s.config.LDAP.LastNameAttribute]
+				user.Email = ldapUsers[i].Attributes[s.config.LDAP.EmailAttribute]
+				user.Phone = ldapUsers[i].Attributes[s.config.LDAP.PhoneAttribute]
+				user.IsAdmin = false
+				user.Source = users.UserSourceLdap
+				user.DeletedAt = gorm.DeletedAt{} // Not deleted
+
+				for _, group := range ldapUsers[i].RawAttributes[s.config.LDAP.GroupMemberAttribute] {
+					if string(group) == s.config.LDAP.AdminLdapGroup {
+						user.IsAdmin = true
+						break
+					}
+				}
+
+				if ldapDeactivated {
+					if err = s.users.DeleteUser(user); err != nil {
+						logrus.Errorf("failed to delete deactivated user %s in database: %v", user.Email, err)
+						continue
+					}
+				} else {
+					if err = s.users.UpdateUser(user); err != nil {
+						logrus.Errorf("failed to update ldap user %s in database: %v", user.Email, err)
+						continue
+					}
+				}
 			}
 		}
 	}
-	return nil
+	logrus.Info("ldap user synchronization stopped")
+}
+
+func (s Server) UserChangedInLdap(user *users.User, ldapData *ldap.RawLdapData) bool {
+	if user.Firstname != ldapData.Attributes[s.config.LDAP.FirstNameAttribute] {
+		return true
+	}
+	if user.Lastname != ldapData.Attributes[s.config.LDAP.LastNameAttribute] {
+		return true
+	}
+	if user.Email != ldapData.Attributes[s.config.LDAP.EmailAttribute] {
+		return true
+	}
+	if user.Phone != ldapData.Attributes[s.config.LDAP.PhoneAttribute] {
+		return true
+	}
+
+	ldapDeactivated := false
+	switch s.config.LDAP.Type {
+	case ldap.TypeActiveDirectory:
+		ldapDeactivated = ldap.IsActiveDirectoryUserDisabled(ldapData.Attributes[s.config.LDAP.DisabledAttribute])
+	case ldap.TypeOpenLDAP:
+		ldapDeactivated = ldap.IsOpenLdapUserDisabled(ldapData.Attributes[s.config.LDAP.DisabledAttribute])
+	}
+	if ldapDeactivated != user.DeletedAt.Valid {
+		return true
+	}
+
+	ldapAdmin := false
+	for _, group := range ldapData.RawAttributes[s.config.LDAP.GroupMemberAttribute] {
+		if string(group) == s.config.LDAP.AdminLdapGroup {
+			ldapAdmin = true
+			break
+		}
+	}
+	if user.IsAdmin != ldapAdmin {
+		return true
+	}
+
+	return false
 }
diff --git a/internal/server/usermanager.go b/internal/server/peermanager.go
similarity index 79%
rename from internal/server/usermanager.go
rename to internal/server/peermanager.go
index ec0ed6a..e26785f 100644
--- a/internal/server/usermanager.go
+++ b/internal/server/peermanager.go
@@ -3,11 +3,8 @@ package server
 import (
 	"bytes"
 	"crypto/md5"
-	"errors"
 	"fmt"
 	"net"
-	"os"
-	"path/filepath"
 	"reflect"
 	"regexp"
 	"sort"
@@ -18,12 +15,12 @@ import (
 	"github.com/gin-gonic/gin/binding"
 	"github.com/go-playground/validator/v10"
 	"github.com/h44z/wg-portal/internal/common"
-	"github.com/h44z/wg-portal/internal/ldap"
+	"github.com/h44z/wg-portal/internal/users"
 	"github.com/h44z/wg-portal/internal/wireguard"
+	"github.com/pkg/errors"
 	"github.com/sirupsen/logrus"
 	"github.com/skip2/go-qrcode"
 	"golang.zx2c4.com/wireguard/wgctrl/wgtypes"
-	"gorm.io/driver/sqlite"
 	"gorm.io/gorm"
 )
 
@@ -68,9 +65,9 @@ func init() {
 //
 
 type Peer struct {
-	Peer     *wgtypes.Peer              `gorm:"-"`
-	LdapUser *ldap.UserCacheHolderEntry `gorm:"-"` // optional, it is still possible to have users without ldap
-	Config   string                     `gorm:"-"`
+	Peer   *wgtypes.Peer `gorm:"-"` // WireGuard peer
+	User   *users.User   `gorm:"-"` // user reference for the peer
+	Config string        `gorm:"-"`
 
 	UID               string `form:"uid" binding:"alphanum"` // uid for html identification
 	IsOnline          bool   `gorm:"-"`
@@ -247,7 +244,7 @@ func (d Device) GetConfig() wgtypes.Config {
 	return cfg
 }
 
-func (d Device) GetConfigFile(clients []Peer) ([]byte, error) {
+func (d Device) GetConfigFile(peers []Peer) ([]byte, error) {
 	tpl, err := template.New("server").Funcs(template.FuncMap{"StringsJoin": strings.Join}).Parse(wireguard.DeviceCfgTpl)
 	if err != nil {
 		return nil, err
@@ -259,7 +256,7 @@ func (d Device) GetConfigFile(clients []Peer) ([]byte, error) {
 		Clients []Peer
 		Server  Device
 	}{
-		Clients: clients,
+		Clients: peers,
 		Server:  d,
 	})
 	if err != nil {
@@ -270,78 +267,65 @@ func (d Device) GetConfigFile(clients []Peer) ([]byte, error) {
 }
 
 //
-//  USER-MANAGER --------------------------------------------------------------------------------
+//  PEER-MANAGER --------------------------------------------------------------------------------
 //
 
-type UserManager struct {
-	db        *gorm.DB
-	wg        *wireguard.Manager
-	ldapUsers *ldap.SynchronizedUserCacheHolder
+type PeerManager struct {
+	db    *gorm.DB
+	wg    *wireguard.Manager
+	users *users.Manager
 }
 
-func NewUserManager(dbPath string, wg *wireguard.Manager, ldapUsers *ldap.SynchronizedUserCacheHolder) *UserManager {
-
-	um := &UserManager{wg: wg, ldapUsers: ldapUsers}
+func NewPeerManager(cfg *common.Config, wg *wireguard.Manager, userDB *users.Manager) (*PeerManager, error) {
+	um := &PeerManager{wg: wg, users: userDB}
 	var err error
-	if _, err = os.Stat(filepath.Dir(dbPath)); os.IsNotExist(err) {
-		if err = os.MkdirAll(filepath.Dir(dbPath), 0700); err != nil {
-			logrus.Errorf("failed to create database directory (%s): %v", filepath.Dir(dbPath), err)
-			return nil
-		}
-	}
-	um.db, err = gorm.Open(sqlite.Open(dbPath), &gorm.Config{})
+	um.db, err = users.GetDatabaseForConfig(&cfg.Database)
 	if err != nil {
-		logrus.Errorf("failed to open sqlite database (%s): %v", dbPath, err)
-		return nil
+		return nil, errors.WithMessage(err, "failed to open peer database")
 	}
 
 	err = um.db.AutoMigrate(&Peer{}, &Device{})
 	if err != nil {
-		logrus.Errorf("failed to migrate sqlite database: %v", err)
-		return nil
+		return nil, errors.WithMessage(err, "failed to migrate peer database")
 	}
 
-	return um
+	return um, nil
 }
 
-func (u *UserManager) InitFromCurrentInterface() error {
+func (u *PeerManager) InitFromCurrentInterface() error {
 	peers, err := u.wg.GetPeerList()
 	if err != nil {
-		logrus.Errorf("failed to init user-manager from peers: %v", err)
-		return err
+		return errors.Wrapf(err, "failed to get peer list")
 	}
 	device, err := u.wg.GetDeviceInfo()
 	if err != nil {
-		logrus.Errorf("failed to init user-manager from device: %v", err)
-		return err
+		return errors.Wrapf(err, "failed to get device info")
 	}
 	var ipAddresses []string
 	var mtu int
 	if u.wg.Cfg.ManageIPAddresses {
 		if ipAddresses, err = u.wg.GetIPAddress(); err != nil {
-			logrus.Errorf("failed to init user-manager from device: %v", err)
-			return err
+			return errors.Wrapf(err, "failed to get ip address")
 		}
 		if mtu, err = u.wg.GetMTU(); err != nil {
-			logrus.Errorf("failed to init user-manager from device: %v", err)
-			return err
+			return errors.Wrapf(err, "failed to get MTU")
 		}
 	}
 
 	// Check if entries already exist in database, if not create them
 	for _, peer := range peers {
-		if err := u.validateOrCreateUserForPeer(peer); err != nil {
-			return err
+		if err := u.validateOrCreatePeer(peer); err != nil {
+			return errors.WithMessagef(err, "failed to validate peer %s", peer.PublicKey)
 		}
 	}
 	if err := u.validateOrCreateDevice(*device, ipAddresses, mtu); err != nil {
-		return err
+		return errors.WithMessagef(err, "failed to validate device %s", device.Name)
 	}
 
 	return nil
 }
 
-func (u *UserManager) validateOrCreateUserForPeer(wgPeer wgtypes.Peer) error {
+func (u *PeerManager) validateOrCreatePeer(wgPeer wgtypes.Peer) error {
 	peer := Peer{}
 	u.db.Where("public_key = ?", wgPeer.PublicKey.String()).FirstOrInit(&peer)
 
@@ -366,15 +350,14 @@ func (u *UserManager) validateOrCreateUserForPeer(wgPeer wgtypes.Peer) error {
 
 		res := u.db.Create(&peer)
 		if res.Error != nil {
-			logrus.Errorf("failed to create autodetected wgPeer: %v", res.Error)
-			return res.Error
+			return errors.Wrapf(res.Error, "failed to create autodetected peer %s", peer.PublicKey)
 		}
 	}
 
 	return nil
 }
 
-func (u *UserManager) validateOrCreateDevice(dev wgtypes.Device, ipAddresses []string, mtu int) error {
+func (u *PeerManager) validateOrCreateDevice(dev wgtypes.Device, ipAddresses []string, mtu int) error {
 	device := Device{}
 	u.db.Where("device_name = ?", dev.Name).FirstOrInit(&device)
 
@@ -393,47 +376,46 @@ func (u *UserManager) validateOrCreateDevice(dev wgtypes.Device, ipAddresses []s
 
 		res := u.db.Create(&device)
 		if res.Error != nil {
-			logrus.Errorf("failed to create autodetected device: %v", res.Error)
-			return res.Error
+			return errors.Wrapf(res.Error, "failed to create autodetected device")
 		}
 	}
 
 	return nil
 }
 
-func (u *UserManager) populateUserData(user *Peer) {
-	user.AllowedIPs = strings.Split(user.AllowedIPsStr, ", ")
-	user.IPs = strings.Split(user.IPsStr, ", ")
+func (u *PeerManager) populatePeerData(peer *Peer) {
+	peer.AllowedIPs = strings.Split(peer.AllowedIPsStr, ", ")
+	peer.IPs = strings.Split(peer.IPsStr, ", ")
 	// Set config file
-	tmpCfg, _ := user.GetConfigFile(u.GetDevice())
-	user.Config = string(tmpCfg)
+	tmpCfg, _ := peer.GetConfigFile(u.GetDevice())
+	peer.Config = string(tmpCfg)
 
 	// set data from WireGuard interface
-	user.Peer, _ = u.wg.GetPeer(user.PublicKey)
-	user.LastHandshake = "never"
-	user.LastHandshakeTime = "Never connected, or user is disabled."
-	if user.Peer != nil {
-		since := time.Since(user.Peer.LastHandshakeTime)
+	peer.Peer, _ = u.wg.GetPeer(peer.PublicKey)
+	peer.LastHandshake = "never"
+	peer.LastHandshakeTime = "Never connected, or user is disabled."
+	if peer.Peer != nil {
+		since := time.Since(peer.Peer.LastHandshakeTime)
 		sinceSeconds := int(since.Round(time.Second).Seconds())
 		sinceMinutes := int(sinceSeconds / 60)
 		sinceSeconds -= sinceMinutes * 60
 
 		if sinceMinutes > 2*10080 { // 2 weeks
-			user.LastHandshake = "a while ago"
+			peer.LastHandshake = "a while ago"
 		} else if sinceMinutes > 10080 { // 1 week
-			user.LastHandshake = "a week ago"
+			peer.LastHandshake = "a week ago"
 		} else {
-			user.LastHandshake = fmt.Sprintf("%02dm %02ds", sinceMinutes, sinceSeconds)
+			peer.LastHandshake = fmt.Sprintf("%02dm %02ds", sinceMinutes, sinceSeconds)
 		}
-		user.LastHandshakeTime = user.Peer.LastHandshakeTime.Format(time.UnixDate)
+		peer.LastHandshakeTime = peer.Peer.LastHandshakeTime.Format(time.UnixDate)
 	}
-	user.IsOnline = false // todo: calculate online status
+	peer.IsOnline = false
 
-	// set ldap data
-	user.LdapUser = u.ldapUsers.GetUserData(u.ldapUsers.GetUserDNByMail(user.Email))
+	// set user data
+	peer.User = u.users.GetUser(peer.Email)
 }
 
-func (u *UserManager) populateDeviceData(device *Device) {
+func (u *PeerManager) populateDeviceData(device *Device) {
 	device.AllowedIPs = strings.Split(device.AllowedIPsStr, ", ")
 	device.IPs = strings.Split(device.IPsStr, ", ")
 	device.DNS = strings.Split(device.DNSStr, ", ")
@@ -442,35 +424,35 @@ func (u *UserManager) populateDeviceData(device *Device) {
 	device.Interface, _ = u.wg.GetDeviceInfo()
 }
 
-func (u *UserManager) GetAllUsers() []Peer {
+func (u *PeerManager) GetAllPeers() []Peer {
 	peers := make([]Peer, 0)
 	u.db.Find(&peers)
 
 	for i := range peers {
-		u.populateUserData(&peers[i])
+		u.populatePeerData(&peers[i])
 	}
 
 	return peers
 }
 
-func (u *UserManager) GetActiveUsers() []Peer {
+func (u *PeerManager) GetActivePeers() []Peer {
 	peers := make([]Peer, 0)
 	u.db.Where("deactivated_at IS NULL").Find(&peers)
 
 	for i := range peers {
-		u.populateUserData(&peers[i])
+		u.populatePeerData(&peers[i])
 	}
 
 	return peers
 }
 
-func (u *UserManager) GetFilteredAndSortedUsers(sortKey, sortDirection, search string) []Peer {
+func (u *PeerManager) GetFilteredAndSortedPeers(sortKey, sortDirection, search string) []Peer {
 	peers := make([]Peer, 0)
 	u.db.Find(&peers)
 
 	filteredPeers := make([]Peer, 0, len(peers))
 	for i := range peers {
-		u.populateUserData(&peers[i])
+		u.populatePeerData(&peers[i])
 
 		if search == "" ||
 			strings.Contains(peers[i].Email, search) ||
@@ -517,12 +499,12 @@ func (u *UserManager) GetFilteredAndSortedUsers(sortKey, sortDirection, search s
 	return filteredPeers
 }
 
-func (u *UserManager) GetSortedUsersForEmail(sortKey, sortDirection, email string) []Peer {
+func (u *PeerManager) GetSortedPeersForEmail(sortKey, sortDirection, email string) []Peer {
 	peers := make([]Peer, 0)
 	u.db.Where("email = ?", email).Find(&peers)
 
 	for i := range peers {
-		u.populateUserData(&peers[i])
+		u.populatePeerData(&peers[i])
 	}
 
 	sort.Slice(peers, func(i, j int) bool {
@@ -562,7 +544,7 @@ func (u *UserManager) GetSortedUsersForEmail(sortKey, sortDirection, email strin
 	return peers
 }
 
-func (u *UserManager) GetDevice() Device {
+func (u *PeerManager) GetDevice() Device {
 	devices := make([]Device, 0, 1)
 	u.db.Find(&devices)
 
@@ -573,24 +555,24 @@ func (u *UserManager) GetDevice() Device {
 	return devices[0] // use first device for now... more to come?
 }
 
-func (u *UserManager) GetUserByKey(publicKey string) Peer {
+func (u *PeerManager) GetPeerByKey(publicKey string) Peer {
 	peer := Peer{}
 	u.db.Where("public_key = ?", publicKey).FirstOrInit(&peer)
-	u.populateUserData(&peer)
+	u.populatePeerData(&peer)
 	return peer
 }
 
-func (u *UserManager) GetUsersByMail(mail string) []Peer {
+func (u *PeerManager) GetPeersByMail(mail string) []Peer {
 	var peers []Peer
 	u.db.Where("email = ?", mail).Find(&peers)
 	for i := range peers {
-		u.populateUserData(&peers[i])
+		u.populatePeerData(&peers[i])
 	}
 
 	return peers
 }
 
-func (u *UserManager) CreateUser(peer Peer) error {
+func (u *PeerManager) CreatePeer(peer Peer) error {
 	peer.UID = fmt.Sprintf("u%x", md5.Sum([]byte(peer.PublicKey)))
 	peer.UpdatedAt = time.Now()
 	peer.CreatedAt = time.Now()
@@ -606,7 +588,7 @@ func (u *UserManager) CreateUser(peer Peer) error {
 	return nil
 }
 
-func (u *UserManager) UpdateUser(peer Peer) error {
+func (u *PeerManager) UpdatePeer(peer Peer) error {
 	peer.UpdatedAt = time.Now()
 	peer.AllowedIPsStr = strings.Join(peer.AllowedIPs, ", ")
 	peer.IPsStr = strings.Join(peer.IPs, ", ")
@@ -620,7 +602,7 @@ func (u *UserManager) UpdateUser(peer Peer) error {
 	return nil
 }
 
-func (u *UserManager) DeleteUser(peer Peer) error {
+func (u *PeerManager) DeletePeer(peer Peer) error {
 	res := u.db.Delete(&peer)
 	if res.Error != nil {
 		logrus.Errorf("failed to delete peer: %v", res.Error)
@@ -630,7 +612,7 @@ func (u *UserManager) DeleteUser(peer Peer) error {
 	return nil
 }
 
-func (u *UserManager) UpdateDevice(device Device) error {
+func (u *PeerManager) UpdateDevice(device Device) error {
 	device.UpdatedAt = time.Now()
 	device.AllowedIPsStr = strings.Join(device.AllowedIPs, ", ")
 	device.IPsStr = strings.Join(device.IPs, ", ")
@@ -645,10 +627,10 @@ func (u *UserManager) UpdateDevice(device Device) error {
 	return nil
 }
 
-func (u *UserManager) GetAllReservedIps() ([]string, error) {
+func (u *PeerManager) GetAllReservedIps() ([]string, error) {
 	reservedIps := make([]string, 0)
-	users := u.GetAllUsers()
-	for _, user := range users {
+	peers := u.GetAllPeers()
+	for _, user := range peers {
 		for _, cidr := range user.IPs {
 			if cidr == "" {
 				continue
@@ -677,7 +659,7 @@ func (u *UserManager) GetAllReservedIps() ([]string, error) {
 	return reservedIps, nil
 }
 
-func (u *UserManager) IsIPReserved(cidr string) bool {
+func (u *PeerManager) IsIPReserved(cidr string) bool {
 	reserved, err := u.GetAllReservedIps()
 	if err != nil {
 		return true // in case something failed, assume the ip is reserved
@@ -706,7 +688,7 @@ func (u *UserManager) IsIPReserved(cidr string) bool {
 }
 
 // GetAvailableIp search for an available ip in cidr against a list of reserved ips
-func (u *UserManager) GetAvailableIp(cidr string) (string, error) {
+func (u *PeerManager) GetAvailableIp(cidr string) (string, error) {
 	reserved, err := u.GetAllReservedIps()
 	if err != nil {
 		return "", err
diff --git a/internal/server/routes.go b/internal/server/routes.go
index 8b90f60..e1d3a47 100644
--- a/internal/server/routes.go
+++ b/internal/server/routes.go
@@ -4,11 +4,20 @@ import (
 	"net/http"
 
 	"github.com/gin-gonic/gin"
+	wg_portal "github.com/h44z/wg-portal"
 )
 
 func SetupRoutes(s *Server) {
 	// Startpage
 	s.server.GET("/", s.GetIndex)
+	s.server.GET("/favicon.ico", func(c *gin.Context) {
+		file, _ := wg_portal.Statics.ReadFile("assets/img/favicon.ico")
+		c.Data(
+			http.StatusOK,
+			"image/x-icon",
+			file,
+		)
+	})
 
 	// Auth routes
 	auth := s.server.Group("/auth")
@@ -18,7 +27,7 @@ func SetupRoutes(s *Server) {
 
 	// Admin routes
 	admin := s.server.Group("/admin")
-	admin.Use(s.RequireAuthentication(s.config.AdminLdapGroup))
+	admin.Use(s.RequireAuthentication("admin"))
 	admin.GET("/", s.GetAdminIndex)
 	admin.GET("/device/edit", s.GetAdminEditInterface)
 	admin.POST("/device/edit", s.PostAdminEditInterface)
@@ -34,6 +43,12 @@ func SetupRoutes(s *Server) {
 	admin.GET("/peer/download", s.GetPeerConfig)
 	admin.GET("/peer/email", s.GetPeerConfigMail)
 
+	admin.GET("/users/", s.GetAdminUsersIndex)
+	admin.GET("/users/create", s.GetAdminUsersCreate)
+	admin.POST("/users/create", s.PostAdminUsersCreate)
+	admin.GET("/users/edit", s.GetAdminUsersEdit)
+	admin.POST("/users/edit", s.PostAdminUsersEdit)
+
 	// User routes
 	user := s.server.Group("/user")
 	user.Use(s.RequireAuthentication("")) // empty scope = all logged in users
@@ -46,7 +61,7 @@ func SetupRoutes(s *Server) {
 
 func (s *Server) RequireAuthentication(scope string) gin.HandlerFunc {
 	return func(c *gin.Context) {
-		session := s.getSessionData(c)
+		session := GetSessionData(c)
 
 		if !session.LoggedIn {
 			// Abort the request with the appropriate error code
@@ -55,8 +70,15 @@ func (s *Server) RequireAuthentication(scope string) gin.HandlerFunc {
 			return
 		}
 
-		if scope != "" && !session.IsAdmin && // admins always have access
-			!s.ldapUsers.IsInGroup(session.UserName, scope) {
+		if scope == "admin" && !session.IsAdmin {
+			// Abort the request with the appropriate error code
+			c.Abort()
+			s.GetHandleError(c, http.StatusUnauthorized, "unauthorized", "not enough permissions")
+			return
+		}
+
+		// default case if some randome scope was set...
+		if scope != "" && !session.IsAdmin {
 			// Abort the request with the appropriate error code
 			c.Abort()
 			s.GetHandleError(c, http.StatusUnauthorized, "unauthorized", "not enough permissions")
diff --git a/internal/users/config.go b/internal/users/config.go
new file mode 100644
index 0000000..98e8954
--- /dev/null
+++ b/internal/users/config.go
@@ -0,0 +1,17 @@
+package users
+
+type SupportedDatabase string
+
+const (
+	SupportedDatabaseMySQL  SupportedDatabase = "mysql"
+	SupportedDatabaseSQLite SupportedDatabase = "sqlite"
+)
+
+type Config struct {
+	Typ      SupportedDatabase `yaml:"typ" envconfig:"DATABASE_TYPE"` //mysql or sqlite
+	Host     string            `yaml:"host" envconfig:"DATABASE_HOST"`
+	Port     int               `yaml:"port" envconfig:"DATABASE_PORT"`
+	Database string            `yaml:"database" envconfig:"DATABASE_NAME"` // On SQLite: the database file-path, otherwise the database name
+	User     string            `yaml:"user" envconfig:"DATABASE_USERNAME"`
+	Password string            `yaml:"password" envconfig:"DATABASE_PASSWORD"`
+}
diff --git a/internal/users/manager.go b/internal/users/manager.go
new file mode 100644
index 0000000..c01a35e
--- /dev/null
+++ b/internal/users/manager.go
@@ -0,0 +1,263 @@
+package users
+
+import (
+	"fmt"
+	"os"
+	"path/filepath"
+	"sort"
+	"strconv"
+	"strings"
+	"time"
+
+	"github.com/pkg/errors"
+	"github.com/sirupsen/logrus"
+	"gorm.io/driver/mysql"
+	"gorm.io/driver/sqlite"
+	"gorm.io/gorm"
+	"gorm.io/gorm/logger"
+)
+
+func GetDatabaseForConfig(cfg *Config) (db *gorm.DB, err error) {
+	switch cfg.Typ {
+	case SupportedDatabaseSQLite:
+		if _, err = os.Stat(filepath.Dir(cfg.Database)); os.IsNotExist(err) {
+			if err = os.MkdirAll(filepath.Dir(cfg.Database), 0700); err != nil {
+				return
+			}
+		}
+		db, err = gorm.Open(sqlite.Open(cfg.Database), &gorm.Config{})
+		if err != nil {
+			return
+		}
+	case SupportedDatabaseMySQL:
+		connectionString := fmt.Sprintf("%s:%s@tcp(%s:%d)/%s?charset=utf8mb4&parseTime=True&loc=Local", cfg.User, cfg.Password, cfg.Host, cfg.Port, cfg.Database)
+		db, err = gorm.Open(mysql.Open(connectionString), &gorm.Config{})
+		if err != nil {
+			return
+		}
+
+		sqlDB, _ := db.DB()
+		sqlDB.SetConnMaxLifetime(time.Minute * 5)
+		sqlDB.SetMaxIdleConns(2)
+		sqlDB.SetMaxOpenConns(10)
+		err = sqlDB.Ping() // This DOES open a connection if necessary. This makes sure the database is accessible
+		if err != nil {
+			return nil, errors.Wrap(err, "failed to ping mysql authentication database")
+		}
+	}
+
+	// Enable Logger (logrus)
+	logCfg := logger.Config{
+		SlowThreshold: time.Second, // all slower than one second
+		Colorful:      false,
+		LogLevel:      logger.Silent, // default: log nothing
+	}
+
+	if logrus.StandardLogger().GetLevel() == logrus.TraceLevel {
+		logCfg.LogLevel = logger.Info
+		logCfg.SlowThreshold = 500 * time.Millisecond // all slower than half a second
+	}
+
+	db.Config.Logger = logger.New(logrus.StandardLogger(), logCfg)
+	return
+}
+
+type Manager struct {
+	db *gorm.DB
+}
+
+func NewManager(cfg *Config) (*Manager, error) {
+	m := &Manager{}
+
+	var err error
+	m.db, err = GetDatabaseForConfig(cfg)
+	if err != nil {
+		return nil, errors.Wrapf(err, "failed to setup user database %s", cfg.Database)
+	}
+
+	return m, m.MigrateUserDB()
+}
+
+func (m Manager) MigrateUserDB() error {
+	if err := m.db.AutoMigrate(&User{}); err != nil {
+		return errors.Wrap(err, "failed to migrate user database")
+	}
+	return nil
+}
+
+func (m Manager) GetUsers() []User {
+	users := make([]User, 0)
+	m.db.Find(&users)
+	return users
+}
+
+func (m Manager) GetUsersUnscoped() []User {
+	users := make([]User, 0)
+	m.db.Unscoped().Find(&users)
+	return users
+}
+
+func (m Manager) UserExists(email string) bool {
+	return m.GetUser(email) != nil
+}
+
+func (m Manager) GetUser(email string) *User {
+	user := User{}
+	m.db.Where("email = ?", email).First(&user)
+
+	if user.Email != email {
+		return nil
+	}
+
+	return &user
+}
+
+func (m Manager) GetUserUnscoped(email string) *User {
+	user := User{}
+	m.db.Unscoped().Where("email = ?", email).First(&user)
+
+	if user.Email != email {
+		return nil
+	}
+
+	return &user
+}
+
+func (m Manager) GetFilteredAndSortedUsers(sortKey, sortDirection, search string) []User {
+	users := make([]User, 0)
+	m.db.Find(&users)
+
+	filteredUsers := filterUsers(users, search)
+	sortUsers(filteredUsers, sortKey, sortDirection)
+
+	return filteredUsers
+}
+
+func (m Manager) GetFilteredAndSortedUsersUnscoped(sortKey, sortDirection, search string) []User {
+	users := make([]User, 0)
+	m.db.Unscoped().Find(&users)
+
+	filteredUsers := filterUsers(users, search)
+	sortUsers(filteredUsers, sortKey, sortDirection)
+
+	return filteredUsers
+}
+
+func (m Manager) GetOrCreateUser(email string) (*User, error) {
+	user := User{}
+	m.db.Where("email = ?", email).FirstOrInit(&user)
+
+	if user.Email != email {
+		user.Email = email
+		user.CreatedAt = time.Now()
+		user.UpdatedAt = time.Now()
+		user.IsAdmin = false
+		user.Source = UserSourceDatabase
+
+		res := m.db.Create(&user)
+		if res.Error != nil {
+			return nil, errors.Wrapf(res.Error, "failed to create user %s", email)
+		}
+	}
+
+	return &user, nil
+}
+
+func (m Manager) GetOrCreateUserUnscoped(email string) (*User, error) {
+	user := User{}
+	m.db.Unscoped().Where("email = ?", email).FirstOrInit(&user)
+
+	if user.Email != email {
+		user.Email = email
+		user.CreatedAt = time.Now()
+		user.UpdatedAt = time.Now()
+		user.IsAdmin = false
+		user.Source = UserSourceDatabase
+
+		res := m.db.Create(&user)
+		if res.Error != nil {
+			return nil, errors.Wrapf(res.Error, "failed to create user %s", email)
+		}
+	}
+
+	return &user, nil
+}
+
+func (m Manager) CreateUser(user *User) error {
+	res := m.db.Create(user)
+	if res.Error != nil {
+		return errors.Wrapf(res.Error, "failed to create user %s", user.Email)
+	}
+
+	return nil
+}
+
+func (m Manager) UpdateUser(user *User) error {
+	res := m.db.Save(user)
+	if res.Error != nil {
+		return errors.Wrapf(res.Error, "failed to update user %s", user.Email)
+	}
+
+	return nil
+}
+
+func (m Manager) DeleteUser(user *User) error {
+	res := m.db.Delete(user)
+	if res.Error != nil {
+		return errors.Wrapf(res.Error, "failed to update user %s", user.Email)
+	}
+
+	return nil
+}
+
+func sortUsers(users []User, key, direction string) {
+	sort.Slice(users, func(i, j int) bool {
+		var sortValueLeft string
+		var sortValueRight string
+
+		switch key {
+		case "email":
+			sortValueLeft = users[i].Email
+			sortValueRight = users[j].Email
+		case "firstname":
+			sortValueLeft = users[i].Firstname
+			sortValueRight = users[j].Firstname
+		case "lastname":
+			sortValueLeft = users[i].Lastname
+			sortValueRight = users[j].Lastname
+		case "phone":
+			sortValueLeft = users[i].Phone
+			sortValueRight = users[j].Phone
+		case "source":
+			sortValueLeft = string(users[i].Source)
+			sortValueRight = string(users[j].Source)
+		case "admin":
+			sortValueLeft = strconv.FormatBool(users[i].IsAdmin)
+			sortValueRight = strconv.FormatBool(users[j].IsAdmin)
+		}
+
+		if direction == "asc" {
+			return sortValueLeft < sortValueRight
+		} else {
+			return sortValueLeft > sortValueRight
+		}
+	})
+}
+
+func filterUsers(users []User, search string) []User {
+	if search == "" {
+		return users
+	}
+
+	filteredUsers := make([]User, 0, len(users))
+	for i := range users {
+		if strings.Contains(users[i].Email, search) ||
+			strings.Contains(users[i].Firstname, search) ||
+			strings.Contains(users[i].Lastname, search) ||
+			strings.Contains(string(users[i].Source), search) ||
+			strings.Contains(users[i].Phone, search) {
+			filteredUsers = append(filteredUsers, users[i])
+		}
+	}
+	return filteredUsers
+}
diff --git a/internal/users/user.go b/internal/users/user.go
new file mode 100644
index 0000000..39a5851
--- /dev/null
+++ b/internal/users/user.go
@@ -0,0 +1,36 @@
+package users
+
+import (
+	"time"
+
+	"gorm.io/gorm"
+)
+
+type UserSource string
+
+const (
+	UserSourceLdap     UserSource = "ldap" // LDAP / ActiveDirectory
+	UserSourceDatabase UserSource = "db"   // sqlite / mysql database
+	UserSourceOIDC     UserSource = "oidc" // open id connect, TODO: implement
+)
+
+// User is the user model that gets linked to peer entries, by default an empty usermodel with only the email address is created
+type User struct {
+	// required fields
+	Email   string `gorm:"primaryKey" form:"email" binding:"required,email"`
+	Source  UserSource
+	IsAdmin bool
+
+	// optional fields
+	Firstname string `form:"firstname" binding:"required"`
+	Lastname  string `form:"lastname" binding:"required"`
+	Phone     string `form:"phone" binding:"omitempty"`
+
+	// optional, integrated password authentication
+	Password string `form:"password" binding:"omitempty"`
+
+	// database internal fields
+	CreatedAt time.Time
+	UpdatedAt time.Time
+	DeletedAt gorm.DeletedAt `gorm:"index"`
+}