diff --git a/gen/admin/rbac.ts b/gen/admin/rbac.ts
index bb03bee..bcbea3d 100644
--- a/gen/admin/rbac.ts
+++ b/gen/admin/rbac.ts
@@ -114,6 +114,11 @@ export interface RevokeRoleFromUserRequest {
   roleId: number;
 }
 
+export interface SyncLdapRolesRequest {
+  userId: string;
+  ldapGroups: string[];
+}
+
 export const RBAC_V1_PACKAGE_NAME = "rbac.v1";
 
 export interface RbacServiceClient {
@@ -136,6 +141,8 @@ export interface RbacServiceClient {
   assignRoleToUser(request: AssignRoleToUserRequest, metadata?: Metadata): Observable<ModifyRoleResponse>;
 
   revokeRoleFromUser(request: RevokeRoleFromUserRequest, metadata?: Metadata): Observable<ModifyRoleResponse>;
+
+  syncLdapRoles(request: SyncLdapRolesRequest, metadata?: Metadata): Observable<ModifyRoleResponse>;
 }
 
 export interface RbacServiceController {
@@ -188,6 +195,11 @@ export interface RbacServiceController {
     request: RevokeRoleFromUserRequest,
     metadata?: Metadata,
   ): Promise<ModifyRoleResponse> | Observable<ModifyRoleResponse> | ModifyRoleResponse;
+
+  syncLdapRoles(
+    request: SyncLdapRolesRequest,
+    metadata?: Metadata,
+  ): Promise<ModifyRoleResponse> | Observable<ModifyRoleResponse> | ModifyRoleResponse;
 }
 
 export function RbacServiceControllerMethods() {
@@ -203,6 +215,7 @@ export function RbacServiceControllerMethods() {
       "getUserRolesAndPermissions",
       "assignRoleToUser",
       "revokeRoleFromUser",
+      "syncLdapRoles",
     ];
     for (const method of grpcMethods) {
       const descriptor: any = Reflect.getOwnPropertyDescriptor(constructor.prototype, method);
diff --git a/gen/go/admin/rbac.pb.go b/gen/go/admin/rbac.pb.go
index fb02e40..18d116d 100644
--- a/gen/go/admin/rbac.pb.go
+++ b/gen/go/admin/rbac.pb.go
@@ -1029,6 +1029,58 @@ func (x *RevokeRoleFromUserRequest) GetRoleId() int32 {
 	return 0
 }
 
+type SyncLdapRolesRequest struct {
+	state         protoimpl.MessageState `protogen:"open.v1"`
+	UserId        string                 `protobuf:"bytes,1,opt,name=user_id,json=userId,proto3" json:"user_id,omitempty"`
+	LdapGroups    []string               `protobuf:"bytes,2,rep,name=ldap_groups,json=ldapGroups,proto3" json:"ldap_groups,omitempty"`
+	unknownFields protoimpl.UnknownFields
+	sizeCache     protoimpl.SizeCache
+}
+
+func (x *SyncLdapRolesRequest) Reset() {
+	*x = SyncLdapRolesRequest{}
+	mi := &file_admin_rbac_proto_msgTypes[18]
+	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+	ms.StoreMessageInfo(mi)
+}
+
+func (x *SyncLdapRolesRequest) String() string {
+	return protoimpl.X.MessageStringOf(x)
+}
+
+func (*SyncLdapRolesRequest) ProtoMessage() {}
+
+func (x *SyncLdapRolesRequest) ProtoReflect() protoreflect.Message {
+	mi := &file_admin_rbac_proto_msgTypes[18]
+	if x != nil {
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		if ms.LoadMessageInfo() == nil {
+			ms.StoreMessageInfo(mi)
+		}
+		return ms
+	}
+	return mi.MessageOf(x)
+}
+
+// Deprecated: Use SyncLdapRolesRequest.ProtoReflect.Descriptor instead.
+func (*SyncLdapRolesRequest) Descriptor() ([]byte, []int) {
+	return file_admin_rbac_proto_rawDescGZIP(), []int{18}
+}
+
+func (x *SyncLdapRolesRequest) GetUserId() string {
+	if x != nil {
+		return x.UserId
+	}
+	return ""
+}
+
+func (x *SyncLdapRolesRequest) GetLdapGroups() []string {
+	if x != nil {
+		return x.LdapGroups
+	}
+	return nil
+}
+
 var File_admin_rbac_proto protoreflect.FileDescriptor
 
 const file_admin_rbac_proto_rawDesc = "" +
@@ -1102,7 +1154,11 @@ const file_admin_rbac_proto_rawDesc = "" +
 	"\arole_id\x18\x02 \x01(\x05R\x06roleId\"M\n" +
 	"\x19RevokeRoleFromUserRequest\x12\x17\n" +
 	"\auser_id\x18\x01 \x01(\tR\x06userId\x12\x17\n" +
-	"\arole_id\x18\x02 \x01(\x05R\x06roleId2\xbf\x06\n" +
+	"\arole_id\x18\x02 \x01(\x05R\x06roleId\"P\n" +
+	"\x14SyncLdapRolesRequest\x12\x17\n" +
+	"\auser_id\x18\x01 \x01(\tR\x06userId\x12\x1f\n" +
+	"\vldap_groups\x18\x02 \x03(\tR\n" +
+	"ldapGroups2\x8c\a\n" +
 	"\vRbacService\x12E\n" +
 	"\n" +
 	"CreateRole\x12\x1a.rbac.v1.CreateRoleRequest\x1a\x1b.rbac.v1.ModifyRoleResponse\x12E\n" +
@@ -1116,7 +1172,8 @@ const file_admin_rbac_proto_rawDesc = "" +
 	"\vGetAllRoles\x12\x1b.rbac.v1.GetAllRolesRequest\x1a\x1c.rbac.v1.GetAllRolesResponse\x12Y\n" +
 	"\x1aGetUserRolesAndPermissions\x12\x1c.rbac.v1.GetUserRolesRequest\x1a\x1d.rbac.v1.GetUserRolesResponse\x12Q\n" +
 	"\x10AssignRoleToUser\x12 .rbac.v1.AssignRoleToUserRequest\x1a\x1b.rbac.v1.ModifyRoleResponse\x12U\n" +
-	"\x12RevokeRoleFromUser\x12\".rbac.v1.RevokeRoleFromUserRequest\x1a\x1b.rbac.v1.ModifyRoleResponseB*Z(git.lendry.ru/lendry-erp/proto.git/go;pbb\x06proto3"
+	"\x12RevokeRoleFromUser\x12\".rbac.v1.RevokeRoleFromUserRequest\x1a\x1b.rbac.v1.ModifyRoleResponse\x12K\n" +
+	"\rSyncLdapRoles\x12\x1d.rbac.v1.SyncLdapRolesRequest\x1a\x1b.rbac.v1.ModifyRoleResponseB*Z(git.lendry.ru/lendry-erp/proto.git/go;pbb\x06proto3"
 
 var (
 	file_admin_rbac_proto_rawDescOnce sync.Once
@@ -1130,7 +1187,7 @@ func file_admin_rbac_proto_rawDescGZIP() []byte {
 	return file_admin_rbac_proto_rawDescData
 }
 
-var file_admin_rbac_proto_msgTypes = make([]protoimpl.MessageInfo, 18)
+var file_admin_rbac_proto_msgTypes = make([]protoimpl.MessageInfo, 19)
 var file_admin_rbac_proto_goTypes = []any{
 	(*GetAllPermissionsRequest)(nil),  // 0: rbac.v1.GetAllPermissionsRequest
 	(*GetAllPermissionsResponse)(nil), // 1: rbac.v1.GetAllPermissionsResponse
@@ -1150,6 +1207,7 @@ var file_admin_rbac_proto_goTypes = []any{
 	(*GetUserRolesResponse)(nil),      // 15: rbac.v1.GetUserRolesResponse
 	(*AssignRoleToUserRequest)(nil),   // 16: rbac.v1.AssignRoleToUserRequest
 	(*RevokeRoleFromUserRequest)(nil), // 17: rbac.v1.RevokeRoleFromUserRequest
+	(*SyncLdapRolesRequest)(nil),      // 18: rbac.v1.SyncLdapRolesRequest
 }
 var file_admin_rbac_proto_depIdxs = []int32{
 	2,  // 0: rbac.v1.GetAllPermissionsResponse.permissions:type_name -> rbac.v1.Permission
@@ -1164,18 +1222,20 @@ var file_admin_rbac_proto_depIdxs = []int32{
 	14, // 9: rbac.v1.RbacService.GetUserRolesAndPermissions:input_type -> rbac.v1.GetUserRolesRequest
 	16, // 10: rbac.v1.RbacService.AssignRoleToUser:input_type -> rbac.v1.AssignRoleToUserRequest
 	17, // 11: rbac.v1.RbacService.RevokeRoleFromUser:input_type -> rbac.v1.RevokeRoleFromUserRequest
-	7,  // 12: rbac.v1.RbacService.CreateRole:output_type -> rbac.v1.ModifyRoleResponse
-	7,  // 13: rbac.v1.RbacService.UpdateRole:output_type -> rbac.v1.ModifyRoleResponse
-	9,  // 14: rbac.v1.RbacService.DeleteRole:output_type -> rbac.v1.DeleteRoleResponse
-	12, // 15: rbac.v1.RbacService.CreatePermission:output_type -> rbac.v1.ModifyPermissionResponse
-	12, // 16: rbac.v1.RbacService.UpdatePermission:output_type -> rbac.v1.ModifyPermissionResponse
-	1,  // 17: rbac.v1.RbacService.GetAllPermissions:output_type -> rbac.v1.GetAllPermissionsResponse
-	4,  // 18: rbac.v1.RbacService.GetAllRoles:output_type -> rbac.v1.GetAllRolesResponse
-	15, // 19: rbac.v1.RbacService.GetUserRolesAndPermissions:output_type -> rbac.v1.GetUserRolesResponse
-	7,  // 20: rbac.v1.RbacService.AssignRoleToUser:output_type -> rbac.v1.ModifyRoleResponse
-	7,  // 21: rbac.v1.RbacService.RevokeRoleFromUser:output_type -> rbac.v1.ModifyRoleResponse
-	12, // [12:22] is the sub-list for method output_type
-	2,  // [2:12] is the sub-list for method input_type
+	18, // 12: rbac.v1.RbacService.SyncLdapRoles:input_type -> rbac.v1.SyncLdapRolesRequest
+	7,  // 13: rbac.v1.RbacService.CreateRole:output_type -> rbac.v1.ModifyRoleResponse
+	7,  // 14: rbac.v1.RbacService.UpdateRole:output_type -> rbac.v1.ModifyRoleResponse
+	9,  // 15: rbac.v1.RbacService.DeleteRole:output_type -> rbac.v1.DeleteRoleResponse
+	12, // 16: rbac.v1.RbacService.CreatePermission:output_type -> rbac.v1.ModifyPermissionResponse
+	12, // 17: rbac.v1.RbacService.UpdatePermission:output_type -> rbac.v1.ModifyPermissionResponse
+	1,  // 18: rbac.v1.RbacService.GetAllPermissions:output_type -> rbac.v1.GetAllPermissionsResponse
+	4,  // 19: rbac.v1.RbacService.GetAllRoles:output_type -> rbac.v1.GetAllRolesResponse
+	15, // 20: rbac.v1.RbacService.GetUserRolesAndPermissions:output_type -> rbac.v1.GetUserRolesResponse
+	7,  // 21: rbac.v1.RbacService.AssignRoleToUser:output_type -> rbac.v1.ModifyRoleResponse
+	7,  // 22: rbac.v1.RbacService.RevokeRoleFromUser:output_type -> rbac.v1.ModifyRoleResponse
+	7,  // 23: rbac.v1.RbacService.SyncLdapRoles:output_type -> rbac.v1.ModifyRoleResponse
+	13, // [13:24] is the sub-list for method output_type
+	2,  // [2:13] is the sub-list for method input_type
 	2,  // [2:2] is the sub-list for extension type_name
 	2,  // [2:2] is the sub-list for extension extendee
 	0,  // [0:2] is the sub-list for field type_name
@@ -1194,7 +1254,7 @@ func file_admin_rbac_proto_init() {
 			GoPackagePath: reflect.TypeOf(x{}).PkgPath(),
 			RawDescriptor: unsafe.Slice(unsafe.StringData(file_admin_rbac_proto_rawDesc), len(file_admin_rbac_proto_rawDesc)),
 			NumEnums:      0,
-			NumMessages:   18,
+			NumMessages:   19,
 			NumExtensions: 0,
 			NumServices:   1,
 		},
diff --git a/gen/go/admin/rbac_grpc.pb.go b/gen/go/admin/rbac_grpc.pb.go
index 26c2ddd..65176be 100644
--- a/gen/go/admin/rbac_grpc.pb.go
+++ b/gen/go/admin/rbac_grpc.pb.go
@@ -29,6 +29,7 @@ const (
 	RbacService_GetUserRolesAndPermissions_FullMethodName = "/rbac.v1.RbacService/GetUserRolesAndPermissions"
 	RbacService_AssignRoleToUser_FullMethodName           = "/rbac.v1.RbacService/AssignRoleToUser"
 	RbacService_RevokeRoleFromUser_FullMethodName         = "/rbac.v1.RbacService/RevokeRoleFromUser"
+	RbacService_SyncLdapRoles_FullMethodName              = "/rbac.v1.RbacService/SyncLdapRoles"
 )
 
 // RbacServiceClient is the client API for RbacService service.
@@ -45,6 +46,7 @@ type RbacServiceClient interface {
 	GetUserRolesAndPermissions(ctx context.Context, in *GetUserRolesRequest, opts ...grpc.CallOption) (*GetUserRolesResponse, error)
 	AssignRoleToUser(ctx context.Context, in *AssignRoleToUserRequest, opts ...grpc.CallOption) (*ModifyRoleResponse, error)
 	RevokeRoleFromUser(ctx context.Context, in *RevokeRoleFromUserRequest, opts ...grpc.CallOption) (*ModifyRoleResponse, error)
+	SyncLdapRoles(ctx context.Context, in *SyncLdapRolesRequest, opts ...grpc.CallOption) (*ModifyRoleResponse, error)
 }
 
 type rbacServiceClient struct {
@@ -155,6 +157,16 @@ func (c *rbacServiceClient) RevokeRoleFromUser(ctx context.Context, in *RevokeRo
 	return out, nil
 }
 
+func (c *rbacServiceClient) SyncLdapRoles(ctx context.Context, in *SyncLdapRolesRequest, opts ...grpc.CallOption) (*ModifyRoleResponse, error) {
+	cOpts := append([]grpc.CallOption{grpc.StaticMethod()}, opts...)
+	out := new(ModifyRoleResponse)
+	err := c.cc.Invoke(ctx, RbacService_SyncLdapRoles_FullMethodName, in, out, cOpts...)
+	if err != nil {
+		return nil, err
+	}
+	return out, nil
+}
+
 // RbacServiceServer is the server API for RbacService service.
 // All implementations must embed UnimplementedRbacServiceServer
 // for forward compatibility.
@@ -169,6 +181,7 @@ type RbacServiceServer interface {
 	GetUserRolesAndPermissions(context.Context, *GetUserRolesRequest) (*GetUserRolesResponse, error)
 	AssignRoleToUser(context.Context, *AssignRoleToUserRequest) (*ModifyRoleResponse, error)
 	RevokeRoleFromUser(context.Context, *RevokeRoleFromUserRequest) (*ModifyRoleResponse, error)
+	SyncLdapRoles(context.Context, *SyncLdapRolesRequest) (*ModifyRoleResponse, error)
 	mustEmbedUnimplementedRbacServiceServer()
 }
 
@@ -209,6 +222,9 @@ func (UnimplementedRbacServiceServer) AssignRoleToUser(context.Context, *AssignR
 func (UnimplementedRbacServiceServer) RevokeRoleFromUser(context.Context, *RevokeRoleFromUserRequest) (*ModifyRoleResponse, error) {
 	return nil, status.Error(codes.Unimplemented, "method RevokeRoleFromUser not implemented")
 }
+func (UnimplementedRbacServiceServer) SyncLdapRoles(context.Context, *SyncLdapRolesRequest) (*ModifyRoleResponse, error) {
+	return nil, status.Error(codes.Unimplemented, "method SyncLdapRoles not implemented")
+}
 func (UnimplementedRbacServiceServer) mustEmbedUnimplementedRbacServiceServer() {}
 func (UnimplementedRbacServiceServer) testEmbeddedByValue()                     {}
 
@@ -410,6 +426,24 @@ func _RbacService_RevokeRoleFromUser_Handler(srv interface{}, ctx context.Contex
 	return interceptor(ctx, in, info, handler)
 }
 
+func _RbacService_SyncLdapRoles_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) {
+	in := new(SyncLdapRolesRequest)
+	if err := dec(in); err != nil {
+		return nil, err
+	}
+	if interceptor == nil {
+		return srv.(RbacServiceServer).SyncLdapRoles(ctx, in)
+	}
+	info := &grpc.UnaryServerInfo{
+		Server:     srv,
+		FullMethod: RbacService_SyncLdapRoles_FullMethodName,
+	}
+	handler := func(ctx context.Context, req interface{}) (interface{}, error) {
+		return srv.(RbacServiceServer).SyncLdapRoles(ctx, req.(*SyncLdapRolesRequest))
+	}
+	return interceptor(ctx, in, info, handler)
+}
+
 // RbacService_ServiceDesc is the grpc.ServiceDesc for RbacService service.
 // It's only intended for direct use with grpc.RegisterService,
 // and not to be introspected or modified (even as a copy)
@@ -457,6 +491,10 @@ var RbacService_ServiceDesc = grpc.ServiceDesc{
 			MethodName: "RevokeRoleFromUser",
 			Handler:    _RbacService_RevokeRoleFromUser_Handler,
 		},
+		{
+			MethodName: "SyncLdapRoles",
+			Handler:    _RbacService_SyncLdapRoles_Handler,
+		},
 	},
 	Streams:  []grpc.StreamDesc{},
 	Metadata: "admin/rbac.proto",