diff --git a/.drone.yml b/.drone.yml
index c06a9dd..99bdb86 100644
--- a/.drone.yml
+++ b/.drone.yml
@@ -15,6 +15,16 @@ steps:
     - pip install -r requirements.txt
     - pip install -r dev-requirements.txt
     - cd ceo_common/krb5 && python krb5_build.py && cd ../..
+
     # lint
     - flake8
-    # add more!
+
+    # unit + integration tests
+    - .drone/phosphoric-acid-setup.sh
+    - pytest -v
+
+services:
+  - name: auth1
+    image: debian:buster
+    commands:
+      - .drone/auth1-setup.sh
diff --git a/.drone/auth1-setup.sh b/.drone/auth1-setup.sh
new file mode 100755
index 0000000..79721ac
--- /dev/null
+++ b/.drone/auth1-setup.sh
@@ -0,0 +1,83 @@
+#!/bin/bash
+
+set -ex
+
+add_fqdn_to_hosts() {
+    hostname=$1
+    ip_addr=$(getent hosts $hostname | cut -d' ' -f1)
+    sed -E "/${ip_addr}.*\\b${hostname}\\b/d" /etc/hosts > /tmp/hosts
+    cat /tmp/hosts > /etc/hosts
+    rm /tmp/hosts
+    echo "$ip_addr $hostname.csclub.internal $hostname" >> /etc/hosts
+}
+
+# set FQDN in /etc/hosts
+add_fqdn_to_hosts auth1
+
+export DEBIAN_FRONTEND=noninteractive
+apt update
+apt install -y psmisc
+
+# LDAP
+apt install -y --no-install-recommends slapd ldap-utils libnss-ldapd sudo-ldap
+# `service slapd stop` doesn't seem to work
+killall slapd || true
+service nslcd stop || true
+rm -rf /etc/ldap/slapd.d
+rm /var/lib/ldap/*
+cp /usr/share/slapd/DB_CONFIG /var/lib/ldap/DB_CONFIG
+cp .drone/slapd.conf /etc/ldap/slapd.conf
+cp .drone/ldap.conf /etc/ldap/ldap.conf
+cp /usr/share/doc/sudo-ldap/schema.OpenLDAP /etc/ldap/schema/sudo.schema
+cp .drone/rfc2307bis.schema /etc/ldap/schema/
+cp .drone/csc.schema /etc/ldap/schema/
+chown -R openldap:openldap /etc/ldap/schema/ /var/lib/ldap/ /etc/ldap/
+sleep 0.5 && service slapd start
+grep -Eq '^map group member uniqueMember$' /etc/nslcd.conf || \
+     echo 'map group member uniqueMember' >> /etc/nslcd.conf
+sed -E -i 's/^uri .*$/uri ldap:\/\/auth1.csclub.internal/' /etc/nslcd.conf
+sed -E -i 's/^base .*$/base dc=csclub,dc=internal/' /etc/nslcd.conf
+cp .drone/nsswitch.conf /etc/nsswitch.conf
+service nslcd start
+ldapadd -c -f .drone/data.ldif -Y EXTERNAL -H ldapi:///
+
+# KERBEROS
+apt install -y krb5-admin-server krb5-user libpam-krb5 libsasl2-modules-gssapi-mit sasl2-bin
+service krb5-admin-server stop || true
+service krb5-kdc stop || true
+service saslauthd stop || true
+cp .drone/krb5.conf /etc/krb5.conf
+cp .drone/kdc.conf /etc/krb5kdc.conf
+echo '*/admin *' > /etc/krb5kdc/kadm5.acl
+rm -f /var/lib/krb5kdc/*
+echo -e 'krb5\nkrb5' | krb5_newrealm
+service krb5-kdc start
+service krb5-admin-server start
+rm -f /etc/krb5.keytab
+cat <<EOF | kadmin.local
+addpol -minlength 4 default
+addprinc -pw krb5 sysadmin/admin
+addprinc -pw krb5 ctdalek
+addprinc -pw krb5 regular1
+addprinc -randkey host/auth1.csclub.internal
+addprinc -randkey ldap/auth1.csclub.internal
+ktadd host/auth1.csclub.internal
+ktadd ldap/auth1.csclub.internal
+EOF
+groupadd keytab || true
+chgrp keytab /etc/krb5.keytab
+chmod 640 /etc/krb5.keytab
+usermod -a -G keytab openldap
+usermod -a -G sasl openldap
+cat <<EOF > /usr/lib/sasl2/slapd.conf
+mech_list: plain login gssapi external
+pwcheck_method: saslauthd
+EOF
+sed -E -i 's/^START=.*$/START=yes/' /etc/default/saslauthd
+sed -E -i 's/^MECHANISMS=.*$/MECHANISMS="kerberos5"/' /etc/default/saslauthd
+service saslauthd start
+killall slapd && sleep 0.5 && service slapd start
+
+# sync with phosphoric-acid
+apt install -y netcat-openbsd
+nc -l 0.0.0.0 9000
diff --git a/.drone/csc.schema b/.drone/csc.schema
new file mode 100644
index 0000000..e104398
--- /dev/null
+++ b/.drone/csc.schema
@@ -0,0 +1,35 @@
+# CSC Member Information Schema
+
+attributetype ( 1.3.6.1.4.1.27934.1.1.1 NAME 'term'
+    EQUALITY caseIgnoreIA5Match
+    SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{5} )
+
+attributetype ( 1.3.6.1.4.1.27934.1.1.2 NAME 'program'
+    EQUALITY caseIgnoreIA5Match
+    SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{1024} SINGLE-VALUE )
+
+attributetype ( 1.3.6.1.4.1.27934.1.1.3 NAME 'studentid'
+    EQUALITY caseIgnoreIA5Match
+    SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{8} SINGLE-VALUE )
+
+attributetype ( 1.3.6.1.4.1.27934.1.1.4 NAME 'position'
+    EQUALITY caseIgnoreIA5Match
+    SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{32} )
+
+attributetype ( 1.3.6.1.4.1.27934.1.1.5 NAME 'nonMemberTerm'
+    EQUALITY caseIgnoreIA5Match
+    SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{5} )
+
+objectclass ( 1.3.6.1.4.1.27934.1.2.1 NAME 'member'
+    SUP top AUXILIARY
+    MUST ( cn $ uid )
+    MAY ( studentid $ program $ term $ nonMemberTerm $ description $ position ) )
+
+objectclass ( 1.3.6.1.4.1.27934.1.2.2 NAME 'club'
+    SUP top AUXILIARY
+    MUST ( cn $ uid ) )
+
+objectclass ( 1.3.6.1.4.1.27934.1.2.3 NAME 'group'
+    SUP top STRUCTURAL
+    MUST ( cn )
+    MAY ( uniqueMember ) )
diff --git a/.drone/data.ldif b/.drone/data.ldif
new file mode 100644
index 0000000..8b57ee7
--- /dev/null
+++ b/.drone/data.ldif
@@ -0,0 +1,125 @@
+dn: dc=csclub,dc=internal
+objectClass: top
+objectClass: dcObject
+objectClass: organization
+dc: csclub
+o: Computer Science Club
+
+dn: ou=People,dc=csclub,dc=internal
+objectClass: organizationalUnit
+ou: People
+
+dn: ou=Group,dc=csclub,dc=internal
+objectClass: organizationalUnit
+ou: Group
+
+dn: ou=SUDOers,dc=csclub,dc=internal
+objectClass: top
+objectClass: organizationalUnit
+ou: SUDOers
+
+dn: cn=defaults,ou=SUDOers,dc=csclub,dc=internal
+objectClass: top
+objectClass: sudoRole
+cn: defaults
+sudoOption: !insults
+sudoOption: !lecture
+sudoOption: env_reset
+sudoOption: listpw=never
+sudoOption: shell_noargs
+sudoOption: !mail_badpass
+
+dn: cn=syscom,ou=Group,dc=csclub,dc=internal
+objectClass: top
+objectClass: group
+objectClass: posixGroup
+cn: syscom
+gidNumber: 10001
+uniqueMember: uid=ctdalek,ou=People,dc=csclub,dc=internal
+
+dn: cn=%syscom,ou=SUDOers,dc=csclub,dc=internal
+objectClass: top
+objectClass: sudoRole
+cn: %syscom
+sudoUser: %syscom
+sudoHost: ALL
+sudoCommand: ALL
+sudoRunAsUser: ALL
+
+dn: cn=adm,ou=Group,dc=csclub,dc=internal
+objectClass: top
+objectClass: group
+objectClass: posixGroup
+gidNumber: 4
+cn: adm
+uniqueMember: uid=ctdalek,ou=People,dc=csclub,dc=internal
+
+dn: cn=office,ou=Group,dc=csclub,dc=internal
+objectClass: top
+objectClass: group
+objectClass: posixGroup
+gidNumber: 10003
+cn: office
+uniqueMember: uid=ctdalek,ou=People,dc=csclub,dc=internal
+
+dn: cn=src,ou=Group,dc=csclub,dc=internal
+objectClass: top
+objectClass: group
+objectClass: posixGroup
+gidNumber: 40
+cn: src
+uniqueMember: uid=ctdalek,ou=People,dc=csclub,dc=internal
+
+dn: cn=staff,ou=Group,dc=csclub,dc=internal
+objectClass: top
+objectClass: group
+objectClass: posixGroup
+gidNumber: 50
+cn: staff
+uniqueMember: uid=ctdalek,ou=People,dc=csclub,dc=internal
+
+dn: uid=ctdalek,ou=People,dc=csclub,dc=internal
+cn: Calum Dalek
+userPassword: {SASL}ctdalek@CSCLUB.INTERNAL
+loginShell: /bin/bash
+homeDirectory: /users/ctdalek
+uid: ctdalek
+uidNumber: 20001
+gidNumber: 20001
+objectClass: top
+objectClass: account
+objectClass: posixAccount
+objectClass: shadowAccount
+objectClass: member
+program: MAT/Mathematics Computer Science
+term: s2021
+
+dn: cn=ctdalek,ou=Group,dc=csclub,dc=internal
+objectClass: top
+objectClass: group
+objectClass: posixGroup
+cn: ctdalek
+gidNumber: 20001
+
+dn: uid=regular1,ou=People,dc=csclub,dc=internal
+cn: Regular One
+userPassword: {SASL}regular1@CSCLUB.INTERNAL
+loginShell: /bin/bash
+homeDirectory: /users/regular1
+uid: regular1
+uidNumber: 20002
+gidNumber: 20002
+objectClass: top
+objectClass: account
+objectClass: posixAccount
+objectClass: shadowAccount
+objectClass: member
+program: MAT/Mathematics Computer Science
+term: s2021
+
+dn: cn=regular1,ou=Group,dc=csclub,dc=internal
+objectClass: top
+objectClass: group
+objectClass: posixGroup
+cn: regular1
+gidNumber: 20002
diff --git a/.drone/kdc.conf b/.drone/kdc.conf
new file mode 100644
index 0000000..f7f2e25
--- /dev/null
+++ b/.drone/kdc.conf
@@ -0,0 +1,19 @@
+[kdcdefaults]
+    kdc_ports = 88
+
+[realms]
+    CSCLUB.INTERNAL = {
+        database_name = /var/lib/krb5kdc/principal
+        admin_keytab = FILE:/etc/krb5kdc/kadm5.keytab
+        acl_file = /etc/krb5kdc/kadm5.acl
+        key_stash_file = /etc/krb5kdc/stash
+        kdc_ports = 88
+        max_life = 10h 0m 0s
+        max_renewable_life = 7d 0h 0m 0s
+        master_key_type = des3-hmac-sha1
+        supported_enctypes = aes256-cts:normal arcfour-hmac:normal des3-hmac-sha1:normal des3-cbc-sha1:normal des-cbc-crc:normal des:normal des:v4 des:norealm des:onlyrealm des:afs3
+        default_principal_flags = +preauth
+        iprop_enable = true
+        iprop_slave_poll = 2m
+        iprop_port = 750
+    }
diff --git a/.drone/krb5.conf b/.drone/krb5.conf
new file mode 100644
index 0000000..1e93442
--- /dev/null
+++ b/.drone/krb5.conf
@@ -0,0 +1,27 @@
+[libdefaults]
+	default_realm = CSCLUB.INTERNAL
+
+	kdc_timesync = 1
+	ccache_type = 4
+	forwardable = true
+	proxiable = true
+
+    dns_lookup_kdc = false
+    dns_lookup_realm = false
+
+    allow_weak_crypto = true
+
+[realms]
+    CSCLUB.INTERNAL = {
+		kdc = auth1.csclub.internal
+		admin_server = auth1.csclub.internal
+	}
+
+[domain_realm]
+        .csclub.internal = CSCLUB.INTERNAL
+        csclub.internal = CSCLUB.INTERNAL
+
+[logging]
+      kdc = SYSLOG:INFO:AUTH
+      admin_server = SYSLOG:INFO:AUTH
+      default = SYSLOG:INFO:AUTH
diff --git a/.drone/ldap.conf b/.drone/ldap.conf
new file mode 100644
index 0000000..090efb9
--- /dev/null
+++ b/.drone/ldap.conf
@@ -0,0 +1,3 @@
+BASE dc=csclub,dc=internal
+URI ldap://auth1.csclub.internal
+SUDOERS_BASE ou=SUDOers,dc=csclub,dc=internal
diff --git a/.drone/nsswitch.conf b/.drone/nsswitch.conf
new file mode 100644
index 0000000..6f49e62
--- /dev/null
+++ b/.drone/nsswitch.conf
@@ -0,0 +1,20 @@
+# /etc/nsswitch.conf
+#
+# Example configuration of GNU Name Service Switch functionality.
+# If you have the `glibc-doc-reference' and `info' packages installed, try:
+# `info libc "Name Service Switch"' for information about this file.
+
+passwd:         files ldap
+group:          files ldap
+shadow:         files ldap
+
+hosts:          files dns
+networks:       files
+
+protocols:      db files
+services:       db files
+ethers:         db files
+rpc:            db files
+
+netgroup:       nis
+sudoers:        files ldap
diff --git a/.drone/phosphoric-acid-setup.sh b/.drone/phosphoric-acid-setup.sh
new file mode 100755
index 0000000..7e10fae
--- /dev/null
+++ b/.drone/phosphoric-acid-setup.sh
@@ -0,0 +1,63 @@
+#!/bin/bash
+
+set -ex
+
+add_fqdn_to_hosts() {
+    hostname=$1
+    ip_addr=$(getent hosts $hostname | cut -d' ' -f1)
+    sed -E "/${ip_addr}.*\\b${hostname}\\b/d" /etc/hosts > /tmp/hosts
+    cat /tmp/hosts > /etc/hosts
+    rm /tmp/hosts
+    echo "$ip_addr $hostname.csclub.internal $hostname" >> /etc/hosts
+}
+
+# set FQDN in /etc/hosts
+add_fqdn_to_hosts phosphoric-acid
+add_fqdn_to_hosts auth1
+
+export DEBIAN_FRONTEND=noninteractive
+apt update
+
+# LDAP
+apt install -y --no-install-recommends libnss-ldapd
+service nslcd stop || true
+cp .drone/ldap.conf /etc/ldap/ldap.conf
+grep -Eq '^map group member uniqueMember$' /etc/nslcd.conf || \
+     echo 'map group member uniqueMember' >> /etc/nslcd.conf
+sed -E -i 's/^uri .*$/uri ldap:\/\/auth1.csclub.internal/' /etc/nslcd.conf
+sed -E -i 's/^base .*$/base dc=csclub,dc=internal/' /etc/nslcd.conf
+cp .drone/nsswitch.conf /etc/nsswitch.conf
+
+# KERBEROS
+apt install -y krb5-user libpam-krb5 libsasl2-modules-gssapi-mit
+cp .drone/krb5.conf /etc/krb5.conf
+
+# sync with auth1
+apt install -y netcat-openbsd
+synced=false
+# give it 5 minutes
+for i in {1..60}; do
+    if nc -vz auth1 9000 ; then
+        synced=true
+        break
+    fi
+    sleep 5
+done
+test $synced = true
+
+rm -f /etc/krb5.keytab
+cat <<EOF | kadmin -p sysadmin/admin
+krb5
+addprinc -randkey host/phosphoric-acid.csclub.internal
+ktadd host/phosphoric-acid.csclub.internal
+addprinc -randkey ceod/phosphoric-acid.csclub.internal
+ktadd ceod/phosphoric-acid.csclub.internal
+addprinc -randkey ceod/admin
+ktadd ceod/admin
+EOF
+service nslcd start
+
+# initialize the skel directory
+shopt -s dotglob
+mkdir -p /users/skel
+cp /etc/skel/* /users/skel/
diff --git a/.drone/rfc2307bis.schema b/.drone/rfc2307bis.schema
new file mode 100644
index 0000000..27f5484
--- /dev/null
+++ b/.drone/rfc2307bis.schema
@@ -0,0 +1,287 @@
+# builtin
+#attributetype ( 1.3.6.1.1.1.1.0 NAME 'uidNumber'
+#  DESC 'An integer uniquely identifying a user in an administrative domain'
+#  EQUALITY integerMatch
+#  SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
+#  SINGLE-VALUE )
+#
+
+# builtin
+#attributetype ( 1.3.6.1.1.1.1.1 NAME 'gidNumber'
+#  DESC 'An integer uniquely identifying a group in an
+#        administrative domain'
+#  EQUALITY integerMatch
+#  SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
+#  SINGLE-VALUE )
+
+attributetype ( 1.3.6.1.1.1.1.2 NAME 'gecos'
+  DESC 'The GECOS field; the common name'
+  EQUALITY caseIgnoreIA5Match
+  SUBSTR caseIgnoreIA5SubstringsMatch
+  SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
+  SINGLE-VALUE )
+
+attributetype ( 1.3.6.1.1.1.1.3 NAME 'homeDirectory'
+  DESC 'The absolute path to the home directory'
+  EQUALITY caseExactIA5Match
+  SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
+  SINGLE-VALUE )
+
+attributetype ( 1.3.6.1.1.1.1.4 NAME 'loginShell'
+  DESC 'The path to the login shell'
+  EQUALITY caseExactIA5Match
+  SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
+  SINGLE-VALUE )
+
+attributetype ( 1.3.6.1.1.1.1.5 NAME 'shadowLastChange'
+  EQUALITY integerMatch
+  SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
+  SINGLE-VALUE )
+
+attributetype ( 1.3.6.1.1.1.1.6 NAME 'shadowMin'
+  EQUALITY integerMatch
+  SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
+  SINGLE-VALUE )
+
+attributetype ( 1.3.6.1.1.1.1.7 NAME 'shadowMax'
+  EQUALITY integerMatch
+  SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
+  SINGLE-VALUE )
+
+attributetype ( 1.3.6.1.1.1.1.8 NAME 'shadowWarning'
+  EQUALITY integerMatch
+  SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
+  SINGLE-VALUE )
+
+attributetype ( 1.3.6.1.1.1.1.9 NAME 'shadowInactive'
+  EQUALITY integerMatch
+  SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
+  SINGLE-VALUE )
+
+attributetype ( 1.3.6.1.1.1.1.10 NAME 'shadowExpire'
+  EQUALITY integerMatch
+  SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
+  SINGLE-VALUE )
+
+attributetype ( 1.3.6.1.1.1.1.11 NAME 'shadowFlag'
+  EQUALITY integerMatch
+  SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
+  SINGLE-VALUE )
+
+attributetype ( 1.3.6.1.1.1.1.12 NAME 'memberUid'
+  EQUALITY caseExactIA5Match
+  SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
+
+attributetype ( 1.3.6.1.1.1.1.13 NAME 'memberNisNetgroup'
+  EQUALITY caseExactIA5Match
+  SUBSTR caseExactIA5SubstringsMatch
+  SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
+
+attributetype ( 1.3.6.1.1.1.1.14 NAME 'nisNetgroupTriple'
+  DESC 'Netgroup triple'
+  EQUALITY caseIgnoreIA5Match
+  SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
+
+attributetype ( 1.3.6.1.1.1.1.15 NAME 'ipServicePort'
+  DESC 'Service port number'
+  EQUALITY integerMatch
+  SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
+  SINGLE-VALUE )
+
+attributetype ( 1.3.6.1.1.1.1.16 NAME 'ipServiceProtocol'
+  DESC 'Service protocol name'
+  SUP name )
+
+attributetype ( 1.3.6.1.1.1.1.17 NAME 'ipProtocolNumber'
+  DESC 'IP protocol number'
+  EQUALITY integerMatch
+  SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
+  SINGLE-VALUE )
+
+attributetype ( 1.3.6.1.1.1.1.18 NAME 'oncRpcNumber'
+  DESC 'ONC RPC number'
+  EQUALITY integerMatch
+  SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
+  SINGLE-VALUE )
+attributetype ( 1.3.6.1.1.1.1.19 NAME 'ipHostNumber'
+  DESC 'IPv4 addresses as a dotted decimal omitting leading
+        zeros or IPv6 addresses as defined in RFC2373'
+  SUP name )
+
+attributetype ( 1.3.6.1.1.1.1.20 NAME 'ipNetworkNumber'
+  DESC 'IP network as a dotted decimal, eg. 192.168,
+        omitting leading zeros'
+  SUP name
+  SINGLE-VALUE )
+
+attributetype ( 1.3.6.1.1.1.1.21 NAME 'ipNetmaskNumber'
+  DESC 'IP netmask as a dotted decimal, eg. 255.255.255.0,
+        omitting leading zeros'
+  EQUALITY caseIgnoreIA5Match
+  SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
+  SINGLE-VALUE )
+
+attributetype ( 1.3.6.1.1.1.1.22 NAME 'macAddress'
+  DESC 'MAC address in maximal, colon separated hex
+        notation, eg. 00:00:92:90:ee:e2'
+  EQUALITY caseIgnoreIA5Match
+  SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
+
+attributetype ( 1.3.6.1.1.1.1.23 NAME 'bootParameter'
+  DESC 'rpc.bootparamd parameter'
+  EQUALITY caseExactIA5Match
+  SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
+
+attributetype ( 1.3.6.1.1.1.1.24 NAME 'bootFile'
+  DESC 'Boot image name'
+  EQUALITY caseExactIA5Match
+  SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
+
+attributetype ( 1.3.6.1.1.1.1.26 NAME 'nisMapName'
+  DESC 'Name of a A generic NIS map'
+  SUP name )
+
+attributetype ( 1.3.6.1.1.1.1.27 NAME 'nisMapEntry'
+  DESC 'A generic NIS entry'
+  EQUALITY caseExactIA5Match
+  SUBSTR caseExactIA5SubstringsMatch
+  SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
+  SINGLE-VALUE )
+
+attributetype ( 1.3.6.1.1.1.1.28 NAME 'nisPublicKey'
+  DESC 'NIS public key'
+  EQUALITY octetStringMatch
+  SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 SINGLE-VALUE )
+
+attributetype ( 1.3.6.1.1.1.1.29 NAME 'nisSecretKey'
+  DESC 'NIS secret key'
+  EQUALITY octetStringMatch
+  SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 SINGLE-VALUE )
+
+attributetype ( 1.3.6.1.1.1.1.30 NAME 'nisDomain'
+  DESC 'NIS domain'
+  EQUALITY caseIgnoreIA5Match
+  SYNTAX 1.3.6.1.4.1.1466.115.121.1.26)
+
+attributetype ( 1.3.6.1.1.1.1.31 NAME 'automountMapName'
+  DESC 'automount Map Name'
+  EQUALITY caseExactIA5Match
+  SUBSTR caseExactIA5SubstringsMatch
+  SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
+
+attributetype ( 1.3.6.1.1.1.1.32 NAME 'automountKey'
+  DESC 'Automount Key value'
+  EQUALITY caseExactIA5Match
+  SUBSTR caseExactIA5SubstringsMatch
+  SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
+
+attributetype ( 1.3.6.1.1.1.1.33 NAME 'automountInformation'
+  DESC 'Automount information'
+  EQUALITY caseExactIA5Match
+  SUBSTR caseExactIA5SubstringsMatch
+  SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
+
+objectclass ( 1.3.6.1.1.1.2.0 NAME 'posixAccount' SUP top AUXILIARY
+  DESC 'Abstraction of an account with POSIX attributes'
+  MUST ( cn $ uid $ uidNumber $ gidNumber $ homeDirectory )
+  MAY ( userPassword $ loginShell $ gecos $
+        description ) )
+
+objectclass ( 1.3.6.1.1.1.2.1 NAME 'shadowAccount' SUP top AUXILIARY
+  DESC 'Additional attributes for shadow passwords'
+  MUST uid
+  MAY ( userPassword $ description $
+        shadowLastChange $ shadowMin $ shadowMax $
+        shadowWarning $ shadowInactive $
+        shadowExpire $ shadowFlag ) )
+
+objectclass ( 1.3.6.1.1.1.2.2 NAME 'posixGroup' SUP top AUXILIARY
+  DESC 'Abstraction of a group of accounts'
+  MUST gidNumber
+  MAY ( userPassword $ memberUid $
+        description ) )
+
+objectclass ( 1.3.6.1.1.1.2.3 NAME 'ipService' SUP top STRUCTURAL
+  DESC 'Abstraction an Internet Protocol service.
+        Maps an IP port and protocol (such as tcp or udp)
+        to one or more names; the distinguished value of
+        the cn attribute denotes the services canonical
+        name'
+  MUST ( cn $ ipServicePort $ ipServiceProtocol )
+  MAY description )
+
+objectclass ( 1.3.6.1.1.1.2.4 NAME 'ipProtocol' SUP top STRUCTURAL
+  DESC 'Abstraction of an IP protocol. Maps a protocol number
+        to one or more names. The distinguished value of the cn
+        attribute denotes the protocols canonical name'
+  MUST ( cn $ ipProtocolNumber )
+  MAY description )
+
+objectclass ( 1.3.6.1.1.1.2.5 NAME 'oncRpc' SUP top STRUCTURAL
+  DESC 'Abstraction of an Open Network Computing (ONC)
+       [RFC1057] Remote Procedure Call (RPC) binding.
+       This class maps an ONC RPC number to a name.
+       The distinguished value of the cn attribute denotes
+       the RPC services canonical name'
+  MUST ( cn $ oncRpcNumber )
+  MAY description )
+
+objectclass ( 1.3.6.1.1.1.2.6 NAME 'ipHost' SUP top AUXILIARY
+  DESC 'Abstraction of a host, an IP device. The distinguished
+        value of the cn attribute denotes the hosts canonical
+        name. Device SHOULD be used as a structural class'
+  MUST ( cn $ ipHostNumber )
+  MAY ( userPassword $ l $ description $ manager ) )
+
+objectclass ( 1.3.6.1.1.1.2.7 NAME 'ipNetwork' SUP top STRUCTURAL
+  DESC 'Abstraction of a network. The distinguished value of
+        the cn attribute denotes the networks canonical name'
+  MUST ipNetworkNumber
+  MAY ( cn $ ipNetmaskNumber $ l $ description $ manager ) )
+
+objectclass ( 1.3.6.1.1.1.2.8 NAME 'nisNetgroup' SUP top STRUCTURAL
+  DESC 'Abstraction of a netgroup. May refer to other netgroups'
+  MUST cn
+  MAY ( nisNetgroupTriple $ memberNisNetgroup $ description ) )
+
+objectclass ( 1.3.6.1.1.1.2.9 NAME 'nisMap' SUP top STRUCTURAL
+  DESC 'A generic abstraction of a NIS map'
+  MUST nisMapName
+  MAY description )
+
+objectclass ( 1.3.6.1.1.1.2.10 NAME 'nisObject' SUP top STRUCTURAL
+  DESC 'An entry in a NIS map'
+  MUST ( cn $ nisMapEntry $ nisMapName )
+  MAY description )
+
+objectclass ( 1.3.6.1.1.1.2.11 NAME 'ieee802Device' SUP top AUXILIARY
+  DESC 'A device with a MAC address; device SHOULD be
+        used as a structural class'
+  MAY macAddress )
+
+objectclass ( 1.3.6.1.1.1.2.12 NAME 'bootableDevice' SUP top AUXILIARY
+  DESC 'A device with boot parameters; device SHOULD be
+        used as a structural class'
+  MAY ( bootFile $ bootParameter ) )
+
+objectclass ( 1.3.6.1.1.1.2.14 NAME 'nisKeyObject' SUP top AUXILIARY
+  DESC 'An object with a public and secret key'
+  MUST ( cn $ nisPublicKey $ nisSecretKey )
+  MAY ( uidNumber $ description ) )
+
+objectclass ( 1.3.6.1.1.1.2.15 NAME 'nisDomainObject' SUP top AUXILIARY
+  DESC 'Associates a NIS domain with a naming context'
+  MUST nisDomain )
+
+objectclass ( 1.3.6.1.1.1.2.16 NAME 'automountMap' SUP top STRUCTURAL
+  MUST ( automountMapName )
+  MAY description )
+
+objectclass ( 1.3.6.1.1.1.2.17 NAME 'automount' SUP top STRUCTURAL
+  DESC 'Automount information'
+  MUST ( automountKey $ automountInformation )
+  MAY description )
+## namedObject is needed for groups without members
+objectclass ( 1.3.6.1.4.1.5322.13.1.1 NAME 'namedObject' SUP top
+       STRUCTURAL MAY cn )
+
diff --git a/.drone/slapd.conf b/.drone/slapd.conf
new file mode 100644
index 0000000..fea3ef3
--- /dev/null
+++ b/.drone/slapd.conf
@@ -0,0 +1,107 @@
+# This is the main slapd configuration file. See slapd.conf(5) for more
+# info on the configuration options.
+
+include         /etc/ldap/schema/core.schema
+include         /etc/ldap/schema/cosine.schema
+include         /etc/ldap/schema/rfc2307bis.schema
+include         /etc/ldap/schema/inetorgperson.schema
+include         /etc/ldap/schema/sudo.schema
+include         /etc/ldap/schema/csc.schema
+include         /etc/ldap/schema/misc.schema
+
+pidfile         /var/run/slapd/slapd.pid
+argsfile        /var/run/slapd/slapd.args
+
+#Warning: "stats" is *lots* of logging
+loglevel       sync
+#loglevel      stats config sync acl
+
+modulepath      /usr/lib/ldap
+moduleload      back_hdb
+moduleload      syncprov
+moduleload      auditlog
+moduleload      unique
+
+sizelimit unlimited
+timelimit unlimited
+
+# consider local connections encrypted
+localssf        128
+
+# map kerberos users to ldap users
+sasl-realm      CSCLUB.INTERNAL
+authz-regexp    "uid=([^/=]*),cn=CSCLUB.INTERNAL,cn=GSSAPI,cn=auth"
+                "uid=$1,ou=people,dc=csclub,dc=internal"
+authz-regexp    "uid=ceod/admin,cn=CSCLUB.INTERNAL,cn=GSSAPI,cn=auth"
+                "cn=ceod,dc=csclub,dc=internal"
+
+access to *
+        by dn="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage
+        by * break
+
+# systems committee get full access
+access to *
+        by dn="cn=ceod,dc=csclub,dc=internal" write
+        by group/group/uniqueMember="cn=syscom,ou=Group,dc=csclub,dc=internal" write
+        by * break
+
+# allow office staff to add terms
+# the renewal program may do the same
+access to attrs=term
+        by group/group/uniqueMember="cn=office,ou=Group,dc=csclub,dc=internal" add
+        by dn="cn=renewal,dc=csclub,dc=internal" add
+        by * read
+access to attrs=nonMemberTerm
+        by group/group/uniqueMember="cn=office,ou=Group,dc=csclub,dc=internal" add
+        by dn="cn=renewal,dc=csclub,dc=internal" add
+        by * read
+
+# allow users to change their shells
+access to attrs=loginShell
+        by self write
+        by * read
+
+# allow simple authentication
+access to attrs=userPassword
+        by anonymous auth
+        by * none
+
+# allow access to attributes of top; they would otherwise be denied below
+access to attrs=@top
+        by * read
+
+# default permit
+access to *
+        by * read
+
+# main database options
+# note: the mdb backend has a horrible bug in 2.4.31
+#       that causes indexing to destroy the database
+database        hdb
+suffix          "dc=csclub,dc=internal"
+directory       "/var/lib/ldap"
+rootdn          cn=root,dc=csclub,dc=internal
+index           default eq
+index           objectClass
+index           entryCSN,entryUUID
+index           uid,uidNumber
+index           cn,gidNumber
+index           uniqueMember,memberUid
+index           sudoUser,sudoHost pres,sub,eq
+index           term,nonMemberTerm
+index           mailLocalAddress
+index           modifyTimestamp,createTimestamp
+
+# log all changes to the directory
+overlay         auditlog
+auditlog        /var/log/ldap/audit.log
+
+# enforce uniqueness of usernames etc.
+overlay         unique
+unique_uri      ldap:///ou=People,dc=csclub,dc=internal?uid,uidNumber?sub
+unique_uri      ldap:///ou=Group,dc=csclub,dc=internal?cn,gidNumber?sub
+
+# this is the master server
+overlay syncprov
+syncprov-checkpoint 100 10
+syncprov-sessionlog 100
diff --git a/tests/MockMailmanServer.py b/tests/MockMailmanServer.py
index 96f3e44..b349f23 100644
--- a/tests/MockMailmanServer.py
+++ b/tests/MockMailmanServer.py
@@ -24,7 +24,7 @@ class MockMailmanServer:
     def _start_loop(self):
         asyncio.set_event_loop(self.loop)
         self.loop.run_until_complete(self.runner.setup())
-        site = web.TCPSite(self.runner, 'localhost', 8002)
+        site = web.TCPSite(self.runner, '127.0.0.1', 8002)
         self.loop.run_until_complete(site.start())
         self.loop.run_forever()
 
diff --git a/tests/MockSMTPServer.py b/tests/MockSMTPServer.py
index 4192660..0a70c1f 100644
--- a/tests/MockSMTPServer.py
+++ b/tests/MockSMTPServer.py
@@ -2,7 +2,7 @@ from aiosmtpd.controller import Controller
 
 
 class MockSMTPServer:
-    def __init__(self, hostname='localhost', port=8025):
+    def __init__(self, hostname='127.0.0.1', port=8025):
         self.messages = []
         self.controller = Controller(MockHandler(self), hostname, port)
 
diff --git a/tests/ceod_test_local.ini b/tests/ceod_test_local.ini
index d5dd24b..f14419e 100644
--- a/tests/ceod_test_local.ini
+++ b/tests/ceod_test_local.ini
@@ -11,14 +11,14 @@ port = 9987
 
 [ldap]
 admin_principal = ceod/admin
-server_url = ldap://ldap-master.csclub.internal
+server_url = ldap://auth1.csclub.internal
 sasl_realm = CSCLUB.INTERNAL
 users_base = ou=TestPeople,dc=csclub,dc=internal
 groups_base = ou=TestGroup,dc=csclub,dc=internal
 sudo_base = ou=TestSUDOers,dc=csclub,dc=internal
 
 [uwldap]
-server_url = ldap://ldap-master.csclub.internal
+server_url = ldap://auth1.csclub.internal
 base = ou=TestUWLDAP,dc=csclub,dc=internal
 
 [members]