diff --git a/flaschengeist.example.toml b/flaschengeist.example.toml
index e0a0cda..c177f23 100644
--- a/flaschengeist.example.toml
+++ b/flaschengeist.example.toml
@@ -27,10 +27,12 @@ enabled = true
 # URL =
 # PORT =
 # BINDDN =
+# BASEDN =
 # SECRET =
 # USE_SSL =
-## ADMIN_DN:
-## ADMIN_SECRET:
+# ADMIN_DN =
+# ADMIN_SECRET =
+# gidNumber =
 
 #[users]
 # allways enabled
diff --git a/flaschengeist/plugins/auth_ldap/__init__.py b/flaschengeist/plugins/auth_ldap/__init__.py
index b9412b1..0eb27c3 100644
--- a/flaschengeist/plugins/auth_ldap/__init__.py
+++ b/flaschengeist/plugins/auth_ldap/__init__.py
@@ -34,6 +34,7 @@ class AuthLDAP(AuthPlugin):
         app.config["LDAP_SECRET"] = (config["SECRET"],)
         self.ldap = LDAPConn(app)
         self.dn = config["BASEDN"]
+        self.gidNumber = config['gidNumber']
         # TODO: might not be set if modify is called
         if "ADMIN_DN" in config:
             self.admin_dn = config["ADMIN_DN"]
@@ -75,7 +76,7 @@ class AuthLDAP(AuthPlugin):
         attributes = {
             'sn': user.firstname,
             'givenName': user.lastname,
-            'gidNumber': 15000,
+            'gidNumber': self.gidNumber,
             'homeDirectory': f'/home/{user.userid}',
             'loginShell': '/bin/bash',
             'uid': user.userid,
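Review bot: `self.gidNumber = config['gidNumber']` in the `-34,6` hunk raises `KeyError` and takes the whole plugin down whenever the key is absent, and the example config this same commit ships lists `gidNumber` only as a commented-out line, so a default install will hit exactly that; the hunk at `-75,7` then reads the attribute, so the failure surfaces at startup rather than at user creation. Since 15000 was the value hard-coded before, `self.gidNumber = config.get("gidNumber", 15000)` keeps existing deployments working and also matches the double-quote style of the surrounding `config["BASEDN"]` lookups. The enclosing method starts and ends outside the hunk, so whether `config` is validated elsewhere cannot be seen here; if it is not, a short comment such as `# default primary group for new posixAccount entries; override via [auth_ldap] gidNumber` on the assignment would document the contract. The camelCase attribute name `gidNumber` also departs from the snake_case used for `admin_dn` and `admin_secret` a few lines below.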
@@ -121,12 +122,24 @@ class AuthLDAP(AuthPlugin):
             ldap_conn = self.ldap.connect(self.admin_dn, self.admin_secret)
             self.ldap.connection.search(f"ou=group,{self.dn}", "(cn=*)", SUBTREE, attributes=["cn", "gidNumber"])
             ldap_roles = self.ldap.response()
+
+            gidNumbers = sorted(ldap_roles, key=lambda i: i['attributes']['gidNumber'], reverse=True)
+            gidNumber = gidNumbers[0]['attributes']['gidNumber'] + 1
+
+            for user_role in user.roles:
+                if user_role not in [role["attributes"]["cn"][0] for role in ldap_roles]:
+                    ldap_conn.add(f"cn={user_role},ou=group,{self.dn}", ["posixGroup"], attributes={"gidNumber": gidNumber})
+
+            ldap_conn = self.ldap.connect(self.admin_dn, self.admin_secret)
+            self.ldap.connection.search(f"ou=group,{self.dn}", "(cn=*)", SUBTREE, attributes=["cn", "gidNumber"])
+            ldap_roles = self.ldap.response()
+
             for ldap_role in ldap_roles:
                 if ldap_role["attributes"]["cn"][0] in user.roles:
                     modify = {'memberUid': [(MODIFY_ADD, [user.userid])]}
                 else:
                     modify = {'memberUid': [(MODIFY_DELETE, [user.userid])]}
-            test = ldap_conn.modify(ldap_role["dn"], modify)
+            ldap_conn.modify(ldap_role["dn"], modify)
         except (LDAPPasswordIsMandatoryError, LDAPBindError):
             raise BadRequest
 
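Review bot: `gidNumber` is computed once before the `for user_role in user.roles` loop and never incremented, so when a user carries two or more roles that do not yet exist in `ou=group` every new `posixGroup` is created with the same gid, and `gidNumbers[0]` raises `IndexError` on a directory that has no groups yet. The return value of `ldap_conn.add(...)` is also dropped; with ldap3 an add that fails (duplicate cn, schema violation, missing permission) returns False rather than raising unless the connection was opened with `raise_exceptions`, so a failed group creation silently falls through to the membership sync below. The max-gid-plus-one scheme is not atomic either: two requests that create groups at the same time can read the same maximum and allocate the same gid, so the assigned value should at least be logged, and the directory should enforce uniqueness of `gidNumber` where the server supports it. The indentation of the changed `ldap_conn.modify(ldap_role["dn"], modify)` line is not recoverable from this view; if it sits at the level of the `for ldap_role` statement rather than inside its body, only the last group's `memberUid` is ever modified, which would predate this commit but is worth checking while this block is touched. The second `self.ldap.connect` bind is redundant, since `ldap_conn` is still open; only the search needs repeating, and the enclosing method begins outside the hunk.
```python
            ldap_roles = self.ldap.response()

            # Existing group names, built once instead of per iteration.
            existing = {role["attributes"]["cn"][0] for role in ldap_roles}
            # Next free gid: highest in use plus one; with no groups yet fall back to the
            # configured default gid (presumably gidNumber is returned as an int — confirm).
            used_gids = [role["attributes"]["gidNumber"] for role in ldap_roles]
            next_gid = (max(used_gids) if used_gids else self.gidNumber) + 1
            for user_role in user.roles:
                if user_role in existing:
                    continue
                # ldap3 reports failure through the return value unless raise_exceptions is set.
                if not ldap_conn.add(
                    f"cn={user_role},ou=group,{self.dn}", ["posixGroup"], attributes={"gidNumber": next_gid}
                ):
                    raise BadRequest
                existing.add(user_role)
                next_gid += 1  # each new group gets its own gid

            # … unchanged: re-run the group search and sync memberUid …
```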