diff --git a/config.py.example b/config.py.example
index 1c7ce51..b82a938 100644
--- a/config.py.example
+++ b/config.py.example
@@ -6,3 +6,7 @@ ldap_server = "ldaps://leidap.server.c3h"
 ldap_user = "cn=lock,ou=applications,dc=leitstelle511,dc=net"
 ldap_pass = ""
 ldap_filter = "(&(objectClass=posixaccount)(memberOf=cn=keymatic,ou=groups,dc=leitstelle511,dc=net))"
+
+kandim_server = "https://auth.hannover.ccc.de"
+kandim_token = ""
+kandim_group = "keymatic"
diff --git a/kandim_query.py b/kandim_query.py
new file mode 100755
index 0000000..1dc571f
--- /dev/null
+++ b/kandim_query.py
@@ -0,0 +1,37 @@
+#!/usr/bin/env python3
+import config
+import json
+import urllib.request
+
+def doGET(ep):
+ req = urllib.request.Request(config.kandim_server + ep)
+ req.add_header('Authorization', 'Bearer ' + config.kandim_token)
+ res = urllib.request.urlopen(req)
+ if res.code != 200:
+ raise Exception("API ERROR " + ep)
+ j = json.load(res)
+ return j
+
+def getGroupUsers(grp):
+ g = doGET("/v1/group/" + grp)
+ if 'member' not in g['attrs']:
+ raise Exception("Attribute 'member' not in Group")
+ return g['attrs']['member']
+
+def getUser(user):
+ u = doGET("/v1/person/" + user)
+ return u['attrs']
+
+userlist = getGroupUsers(config.kandim_group)
+for user in userlist:
+ print("#User: " + user)
+ uo = getUser(user)
+ if 'ssh_publickey' not in uo:
+ continue
+ for keyf in uo['ssh_publickey']:
+ key = keyf.split(": ", 1)
+ if len(key) < 2:
+ print("# Error while processing key")
+ continue
+ if 'keymatic' in key[0]:
+ print(key[1] + key[0])
diff --git a/update_keys.py b/update_keys.py
index 64aaae1..a95a653 100755
--- a/update_keys.py
+++ b/update_keys.py
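Review bot: `kandim_token` is sent as a bearer credential by kandim_query.py, but the example gives no hint about what kind of token belongs here or how the real config.py should be protected. I would add a comment above it, e.g. `# API token for kandim_query.py: read-only scope is enough; keep config.py out of version control and readable only by the service user`. Whether config.py is already ignored by the repository is not visible in this diff.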
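Review bot: The final loop of kandim_query.py prints `key[0]` and `key[1]` straight from the API response, and update_keys.py appears to write that output to `authkeyfile/authorized_keys`, so a label or key value carrying a line break or leading non-key text is passed through unchecked. `print(key[1] + key[0])` also joins key and label with no separator, which glues the label onto the last field of the key unless the stored value happens to end in a space. I would accept only entries that parse as a single-line key type plus base64 blob and emit the label as a space-separated comment, as sketched below (the accepted type prefixes are a starting point, and the stored comment is dropped in favour of the label). Separately, `grp` and `user` are concatenated into the request path in getGroupUsers/getUser; wrapping them in `urllib.parse.quote(..., safe='')` keeps a name containing `/` or `?` from changing the endpoint.

```python
# … unchanged: userlist lookup, "#User:" line, getUser() and the ssh_publickey check …
    for keyf in uo['ssh_publickey']:
        label, sep, value = keyf.partition(": ")
        fields = value.split()  # splits on any whitespace, so only the first two fields are kept
        well_formed = (
            sep and len(fields) >= 2
            and label.isprintable()
            and fields[0].startswith(("ssh-", "ecdsa-sha2-", "sk-"))
            and fields[1].isascii()
            and all(c.isalnum() or c in "+/=" for c in fields[1])
        )
        if not well_formed:
            print("# Error while processing key")
            continue
        if 'keymatic' in label:
            print(fields[0] + " " + fields[1] + " " + label)
```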
@@ -5,10 +5,10 @@ import sys destfile = "authkeyfile/authorized_keys" -p = subprocess.Popen(["./ldap_query.py"], stdout=subprocess.PIPE, stdin=subprocess.PIPE) +p = subprocess.Popen(["./kandim_query.py"], stdout=subprocess.PIPE, stdin=subprocess.PIPE) (po, pr) = p.communicate() if(p.returncode != 0): - print("Data from ldap_query.py seems to be invalid. QUIT") + print("Data from kandim_query.py seems to be invalid. QUIT") sys.exit(1) newhash = hashlib.md5(po).hexdigest()