Hello all!
The problem I have to resolve is to see if it is possible to authenticate users by groups... and make users belong to more than one group, but by priorities... I don't know if this is possible. Can anybody tell me if it is possible?? Thanks to all!
Mauricio Paulo de Sousa writes:
The problem I have to resolve is to see if it is possible to authenticate users by groups...
I'm not sure what you mean, but hopefully you'll find an answer somewhere below:-)
Authentication is just to prove your identity - e.g. Bind with username and password, then the server verifies your password. This rarely has anything to do with groups, though you could divide users in different LDAP subtrees or whatever.
If you mean to check if the user belongs to a particular group, then you can e.g. have a group object in LDAP which lists all its members, and the client which wants to check group membership can use the LDAP Compare operation to check if the user's DN or username is listed in the member attribute. Likely after first authenticating the user.
Alternatively you can list all the groups the user is a member of, in the user's object. In that case take care that the user does not have write access to his group attribute, otherwise he can give himself membership in any group.
If what you want is to give access to objects in the LDAP directory based on group membership, you can do that with access controls (see man slapd.access).
and make users belong to more than one group, but by priorities... I don't know if this is possible. Can anybody tell me if it is possible??
Users can belong to several groups, by listing the same user in the member attributes of those groups. However most LDAP data is unordered, so you may have to implement priorities yourself. You could have an attribute in each user's object which simply contains an ordered comma-separated (or something) list of his groups. Or you could define a group attribute with the X-ORDERED extension, which allows you to keep a multi-valued attribute sorted.
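As an added illustration (not code from the thread or from OpenLDAP), here is how a client could combine the two approaches above in Python: the group objects, which the user cannot write to, remain the authoritative record of membership (mirroring the Compare on the member attribute), while an X-ORDERED attribute on the user object, which OpenLDAP stores and returns as `{N}value`, supplies only the priority. The attribute name `x-groupPriority`, the DNs and the entries are constructed for the example.

```python
import re
from typing import Dict, List, Optional

# Constructed sample directory (not real data): each group's "member" values.
# The user's hypothetical "x-groupPriority" attribute is passed in separately,
# in the "{N}value" form that OpenLDAP uses for X-ORDERED attributes.
GROUPS: Dict[str, List[str]] = {
    "cn=admins,ou=groups,dc=example,dc=com": [
        "uid=alice,ou=people,dc=example,dc=com",
    ],
    "cn=staff,ou=groups,dc=example,dc=com": [
        "uid=alice,ou=people,dc=example,dc=com",
        "uid=bob,ou=people,dc=example,dc=com",
    ],
}

X_ORDERED = re.compile(r"^\{(\d+)\}(.*)$")


def parse_x_ordered(values: List[str]) -> List[str]:
    """Strip the {N} prefixes and return the values in index order."""
    indexed = []
    for v in values:
        m = X_ORDERED.match(v)
        if not m:
            raise ValueError(f"not an X-ORDERED value: {v!r}")
        indexed.append((int(m.group(1)), m.group(2)))
    return [v for _, v in sorted(indexed, key=lambda t: t[0])]


def _norm(dn: str) -> str:
    # Simplified DN matching: case-fold and trim whitespace around RDNs.
    # Real DN equality (RFC 4514) is more involved; a server-side Compare avoids this.
    return ",".join(part.strip() for part in dn.lower().split(","))


def is_member(group_dn: str, user_dn: str, groups: Dict[str, List[str]] = GROUPS) -> bool:
    """Client-side mirror of an LDAP Compare of user_dn against the group's member attribute."""
    return any(_norm(m) == _norm(user_dn) for m in groups.get(group_dn, []))


def effective_group(user_dn: str, ordered: List[str],
                    groups: Dict[str, List[str]] = GROUPS) -> Optional[str]:
    """Highest-priority group in the user's ordered list that actually lists the user.
    The user object only supplies the order; a group the user names in his own
    attribute but is not a member of (per the group object) is skipped."""
    for group_dn in parse_x_ordered(ordered):
        if is_member(group_dn, user_dn, groups):
            return group_dn
    return None
```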
openldap-software@openldap.org