diff --git a/cert.sh b/cert.sh
old mode 100644
new mode 100755
diff --git a/init.sh b/init.sh
old mode 100644
new mode 100755
diff --git a/init.template.ldif b/init.template.ldif
index 886f4e8..4af8bcb 100644
--- a/init.template.ldif
+++ b/init.template.ldif
@@ -8,13 +8,7 @@ dn: ou=groups,$BASE_DN
 objectClass: organizationalUnit
 ou: groups
 
-# admin group
-dn: cn=admins,ou=groups,$BASE_DN
-objectClass: groupOfNames
-member: uid=$ADMIN_ID,ou=people,$BASE_DN
-cn: admins
-
-# paas user
+# initial user
 dn: uid=$ADMIN_ID,ou=people,$BASE_DN
 objectClass: inetOrgPerson
 mail: $ADMIN_EMAIL
@@ -22,3 +16,9 @@ cn: $ADMIN_CN
 sn: $ADMIN_SN
 uid: $ADMIN_ID
 userPassword: $ADMIN_PASSWD
+
+# admin group
+dn: cn=admins,ou=groups,$BASE_DN
+objectClass: groupOfNames
+member: uid=$ADMIN_ID,ou=people,$BASE_DN
+cn: admins
\ No newline at end of file
diff --git a/pass.template.ldif b/pass.template.ldif
index 260fbc9..3d0e84a 100644
--- a/pass.template.ldif
+++ b/pass.template.ldif
@@ -1,9 +1,10 @@
-# load pw-sha2 module
+# load modules: pw-sha2, ppolicy, memberof
 dn: cn=module{0},cn=config
 changetype: modify
 add: olcModuleLoad
 olcModuleLoad: pw-sha2.la
 olcModuleLoad: ppolicy.la
+olcModuleLoad: memberof.la
 
 # set default password hash to SSHA512
 dn: olcDatabase={-1}frontend,cn=config
@@ -21,3 +22,15 @@ olcPPolicyDefault: cn=password,ou=policies,$BASE_DN
 olcPPolicyHashCleartext: TRUE
 olcPPolicyUseLockout: FALSE
 olcPPolicyForwardUpdates: FALSE
+
+# add memberof policy
+dn: olcOverlay=memberof,olcDatabase={1}mdb,cn=config
+changetype: add
+objectClass: olcOverlayConfig
+objectClass: olcMemberOf
+olcOverlay: memberof
+olcMemberOfDangling: ignore
+olcMemberOfRefInt: TRUE
+olcMemberOfGroupOC: groupOfNames
+olcMemberOfMemberAD: member
+olcMemberOfMemberOfAD: memberOf
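Review bot: Moving the admins group after the user entry only yields a memberOf value on the admin entry if the memberof overlay is already active when this template is loaded; the overlay does not backfill memberOf for groups that existed before it was configured. The load order lives in init.sh, which this commit only chmods, so it is worth confirming that pass.template.ldif is applied before init.template.ldif and stating the dependency in the comment, e.g. `# admin group - added after the member entry and after the memberof overlay is active so memberOf is populated`. The file now also ends without a trailing newline; adding one keeps the last attribute line unambiguous for tools that append entries to the template.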
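Review bot: `olcMemberOfDangling: ignore` accepts a group whose member DN does not exist, so a mis-substituted `$ADMIN_ID` or `$BASE_DN` in init.template.ldif yields an admins group with a dangling member instead of a load-time error, and that member value is later satisfied by whatever entry gets created at that DN. Since the commit already orders the user before the group, `olcMemberOfDangling: error` would reject such references at add time; `olcMemberOfRefInt: TRUE` only cleans up on delete and rename, not on add. The overlay is attached to `olcDatabase={1}mdb` by index, which is fine for a fresh container but deserves a comment such as `# attached to the first mdb database; adjust the index if the database layout changes`. Recent OpenLDAP releases also deprecate the memberof overlay in favour of dynlist, so if the target image is 2.5 or later that is worth recording in the comment as well.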