diff --git a/roles/ldap/tasks/main.yml b/roles/ldap/tasks/main.yml
index 13123ae..e8b9e65 100644
--- a/roles/ldap/tasks/main.yml
+++ b/roles/ldap/tasks/main.yml
@@ -92,6 +92,16 @@
     bind_dn: "cn=admin,{{ basedn }}"
     bind_pw: "{{ ldap_admin_pwd['content'] | b64decode | replace('\n', '') }}"
 
+- name: add group for all ldapusers
+  ldap_entry:
+    dn: "cn=ldapuser,ou=groups,{{ basedn }}"
+    objectClass:
+      - posixGroup
+    attributes:
+      gidNumber: 18000
+    bind_dn: "cn=admin,{{ basedn }}"
+    bind_pw: "{{ ldap_admin_pwd['content'] | b64decode | replace('\n', '') }}"
+
 - name: provide simple script to manage ldap/kdc
   template:
     src: debian-lan.j2
@@ -128,6 +138,15 @@
     bind_pw: "{{ ldap_admin_pwd['content'] | b64decode | replace('\n', '') }}"
   when: foo_pwd is defined and foo_pwd | length > 0
 
+- name: add dummy user foo to group ldapuser
+  ldap_attr:
+    dn: "cn=ldapuser,ou=groups,{{ basedn }}"
+    name: memberUid
+    values: foo
+    bind_dn: "cn=admin,{{ basedn }}"
+    bind_pw: "{{ ldap_admin_pwd['content'] | b64decode | replace('\n', '') }}"
+  when: foo_pwd is defined and foo_pwd | length > 0
+
 - name: allow ldap service in firewalld
   firewalld:
     zone: internal
diff --git a/roles/ldap/templates/debian-lan.j2 b/roles/ldap/templates/debian-lan.j2
index f94ad23..3dbf3c7 100644
--- a/roles/ldap/templates/debian-lan.j2
+++ b/roles/ldap/templates/debian-lan.j2
@@ -123,6 +123,14 @@ dn: cn=${id},ou=groups,$BASEDN
 objectClass: posixGroup
 gidNumber: ${gidNumber}
 ##################################
+EOF
+
+    cat <&1 \ | sed '/ldap_initialize/d' + cat <
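Review bot: `gidNumber: 18000` in the new `ldap_entry` task is a bare YAML integer and an unexplained magic number; LDAP attribute values are strings, so write it as `gidNumber: "18000"` and put a comment above it saying why this gid was chosen, e.g. `# fixed gid for the catch-all ldapuser group; must not collide with gids allocated by the debian-lan script` (that allocation range is not visible in this diff — confirm it). As far as I recall, `ldap_entry` only creates a missing entry and does not reconcile attributes of one that already exists, so a later change to this gid would silently not reach hosts that already have the group; if that matters, manage `gidNumber` with `ldap_attr` the way the second hunk manages `memberUid`. The decoded admin password is now spelled out in four tasks across both hunks as `bind_pw: "{{ ldap_admin_pwd['content'] | b64decode | replace('\n', '') }}"`; deriving it once with `set_fact` under `no_log: true` and referencing that fact would remove the duplication and keep the plaintext out of verbose output of the derivation step.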