If your applications use getgrouplist(3), then you can't just ignore the gidNumber (see the manpage for details) from the passwd database, but you could change the gidNumber to match the secondary group if you're not concerned about the default gidNumber.
If your applications are PAM aware, then you have more flexibility in how your users are authenticated, and may not need to depend on an ldap nss configuration and the gidNumber attribute.
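To make the getgrouplist(3) behaviour mentioned above concrete, here is an added example (it is not code from this thread or from OpenLDAP). It assumes glibc on Linux, where getgrouplist(3) reports the required buffer size in `*ngroups` on overflow; the function and user names are the example's own. The point it demonstrates is that the `group` argument, which callers conventionally fill from the passwd gidNumber, is always placed in the returned list, so the primary group counts as a membership even when no group entry names the user.

```c
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <unistd.h>

/* Return 1 if `user` belongs to `gid` according to getgrouplist(3),
 * 0 if not, -1 if the user is unknown or memory cannot be allocated.
 * The primary gid from the passwd entry is passed as the `group`
 * argument, exactly as initgroups(3)-style callers do, so it is
 * always part of the result whether or not any group entry lists the
 * user under memberUid/gr_mem. */
int user_in_gid(const char *user, gid_t gid)
{
    struct passwd *pw = getpwnam(user);
    if (pw == NULL)
        return -1;

    int cap = 16;
    gid_t *groups = malloc(sizeof(gid_t) * cap);
    if (groups == NULL)
        return -1;

    int n;
    for (;;) {
        n = cap;
        if (getgrouplist(user, pw->pw_gid, groups, &n) != -1)
            break;                 /* n now holds the number of groups */
        /* glibc sets n to the required size; as a fallback for libcs
         * that leave it unchanged, double the buffer instead. */
        if (n <= cap)
            n = cap * 2;
        gid_t *tmp = realloc(groups, sizeof(gid_t) * n);
        if (tmp == NULL) {
            free(groups);
            return -1;
        }
        groups = tmp;
        cap = n;
    }

    int found = 0;
    for (int i = 0; i < n; i++) {
        if (groups[i] == gid) {
            found = 1;
            break;
        }
    }
    free(groups);
    return found;
}

/* Convenience check: is the user's own passwd gid in the list?
 * With getgrouplist(3) this is always 1 for a known user. */
int primary_gid_listed(const char *user)
{
    struct passwd *pw = getpwnam(user);
    if (pw == NULL)
        return -1;
    return user_in_gid(user, pw->pw_gid);
}

/* Usage: ./a.out user1 [gid]
 * Prints the user's passwd gid and reports whether `gid` (default:
 * the passwd gid) is among the groups getgrouplist(3) returns. */
int main(int argc, char **argv)
{
    if (argc < 2) {
        fprintf(stderr, "usage: %s user [gid]\n", argv[0]);
        return 2;
    }
    struct passwd *pw = getpwnam(argv[1]);
    if (pw == NULL) {
        fprintf(stderr, "unknown user %s\n", argv[1]);
        return 1;
    }
    gid_t gid = argc > 2 ? (gid_t)strtoul(argv[2], NULL, 10) : pw->pw_gid;
    printf("%s: passwd gidNumber=%lu, member of gid %lu: %s\n",
           argv[1], (unsigned long)pw->pw_gid, (unsigned long)gid,
           user_in_gid(argv[1], gid) == 1 ? "yes" : "no");
    return 0;
}
```

Run it against an LDAP user whose gidNumber points at a group that does not list them: the membership is still reported as "yes", because the passwd gid is seeded into the result before the group database is consulted. Any PAM module or application that decides group membership through getgrouplist(3) or initgroups(3) therefore sees the gidNumber as a real membership, which is why it cannot simply be ignored.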
One of the use cases in my application is: the OpenLDAP client will be installed on machines, and each machine will be configured (with PAM) to only allow a specific LDAP group to log in to it. In this case, I am not sure if I need to care about the gidNumber attribute or not, i.e., in my previous example, can user1 log in to a machine which has been configured to only allow group2 to log in?
Thanks, Qian