diff --git a/uffd/role/models.py b/uffd/role/models.py
index d8b379cdf61e52058038b709991fae58a16d3b6c..d2ff9a72fa96426a9450725716ad05f5b1a3bdb4 100644
--- a/uffd/role/models.py
+++ b/uffd/role/models.py
@@ -23,6 +23,11 @@ class Role(db.Model):
 	def get_for_user(cls, user):
 		return Role.query.join(Role.members, aliased=True).filter_by(dn=user.dn)
 
+	def member_ldap(self):
+		result = []
+		for dn in self.member_dns():
+			result.append(User.from_ldap_dn(dn))
+		return result
 	def member_dns(self):
 		return list(map(attrgetter('dn'), self.members))
 	def add_member(self, member):
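Review bot: member_ldap appends whatever User.from_ldap_dn returns for every DN from member_dns() without checking it, so if that lookup yields None for a DN that no longer resolves (its contract is not visible in this hunk) the None ends up in the returned list and the caller in views.py fails at Role.get_for_user(user). If None is a possible result, filter it: `return [u for u in map(User.from_ldap_dn, self.member_dns()) if u is not None]`; if from_ldap_dn raises instead, say so in a docstring such as `"""Resolve every member DN to a User via LDAP; raises if a DN cannot be resolved."""`. Either way the method should carry a one-line docstring like the proposed one, since it is the only place the role's members are materialised as User objects. The enclosing class Role continues outside the hunk.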
diff --git a/uffd/role/views.py b/uffd/role/views.py
index 497333fad962264b579a6f999a35891566d6f591..177e44a4665921b1e02363c12a638636b52917f2 100644
--- a/uffd/role/views.py
+++ b/uffd/role/views.py
@@ -57,10 +57,14 @@ def update(roleid=False):
 		elif group.dn in role_group_dns:
 			role.del_group(group)
 
-#	usergroups = set()
-#	for role in Role.get_for_user(user).all():
-#		usergroups.update(role.group_dns())
-#	user.replace_group_dns(usergroups)
+	members = role.member_ldap()
+	for user in members:
+		usergroups = set()
+		for role in Role.get_for_user(user).all():
+			usergroups.update(role.group_dns())
+		user.replace_group_dns(usergroups)
+		if not user.to_ldap():
+			flash('updating group membership for user {} failed'.format(user.loginname))
 
 	session.commit()
 	return redirect(url_for('role.index'))
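Review bot: The inner loop `for role in Role.get_for_user(user).all():` rebinds `role`, the variable that holds the role being edited, so after the first member is processed `role` silently refers to some other role; nothing after the loop in this hunk reads it, but any later use (or a future edit) would operate on the wrong object. Rename the loop variable: `for user_role in Role.get_for_user(user).all():` and `usergroups.update(user_role.group_dns())`. Separately, when `user.to_ldap()` fails the loop only flashes and continues, and `session.commit()` still persists the role change, so the database and LDAP group membership diverge for that user — if a group was just removed from the role, that user keeps it in LDAP until a later recompute; at minimum log the failure alongside the flash (`current_app.logger.warning(...)` if the logger is available here) so the inconsistency is visible to operators, and consider whether the commit should be skipped when any to_ldap() failed. Members removed from the role earlier in update (outside the hunk, if that happens) are not covered by this recompute, since only current members are iterated. The enclosing function update starts outside the hunk.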