It seems that the attribute "sRoles" is your own extension to the LDAP
schema. Is that correct? I can't see anything like that in the standard
LDAP schema.
We currently don't have what you mentioned OOTB though. Not sure if we
should add that OOTB, as it seems you're the only one requesting this so
far. One thing our roleMapper supports is that roles can be
retrieved from the "memberOf" attribute on the user record. This is
standard LDAP.
For example, the LDAP user record has something like this:
memberOf: CN=realmRole1,OU=RealmRoles,O=keycloak,DC=foodomain,DC=test
memberOf: CN=realmRole2,OU=RealmRoles,O=keycloak,DC=foodomain,DC=test
and based on that, we assign him roles "role1" and "role2" on Keycloak
side. This is used when you select "User Roles Retrieve Strategy" of
role mapper to "GET_ROLES_FROM_USER_MEMBEROF_ATTRIBUTE".
But note that the implementation has the attribute name hardcoded to "memberOf"
and also it must contain the full DN of the particular role, not just the
name. Feel free to create your own implementation. You can take a look
at the RoleLDAPStorageMapper and UserRolesRetrieveStrategy Java classes for
inspiration. Maybe you can override RoleLDAPStorageMapper though.
Marek
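An added example (not Keycloak's own code) of the memberOf convention described above: the role name is the CN of the group DN, and only DNs that sit directly under the roles container are accepted, so a same-named entry elsewhere in the tree is not turned into a role. The roles container DN and the sample memberOf values are constructed assumptions.

```python
import re

# Constructed sample values (assumption), in the shape shown in the reply.
ROLES_BASE_DN = "OU=RealmRoles,O=keycloak,DC=foodomain,DC=test"
SAMPLE_MEMBER_OF = [
    "CN=realmRole1,OU=RealmRoles,O=keycloak,DC=foodomain,DC=test",
    "CN=realmRole2,OU=RealmRoles,O=keycloak,DC=foodomain,DC=test",
    "CN=realmRole3,OU=Users,O=keycloak,DC=foodomain,DC=test",  # wrong container
    "CN=Ops\\, Team,OU=RealmRoles,O=keycloak,DC=foodomain,DC=test",  # escaped comma
]
_ESCAPE = re.compile(r"\\([0-9a-fA-F]{2}|.)")

def _split_dn(dn):
    """Split a DN into RDN strings on unescaped commas (RFC 4514)."""
    parts, buf, i = [], [], 0
    while i < len(dn):
        if dn[i] == "\\" and i + 1 < len(dn):  # keep escape pairs intact
            buf.append(dn[i:i + 2])
            i += 2
            continue
        if dn[i] == ",":
            parts.append("".join(buf).strip())
            buf = []
        else:
            buf.append(dn[i])
        i += 1
    parts.append("".join(buf).strip())
    return parts

def _unescape(value):
    """Resolve RFC 4514 escapes: '\\,' -> ',' and '\\2c' -> ','."""
    return _ESCAPE.sub(lambda m: chr(int(m.group(1), 16))
                       if len(m.group(1)) == 2 else m.group(1), value)

def _norm(rdn):  # case- and whitespace-insensitive form for comparing RDNs
    return re.sub(r"\s*=\s*", "=", rdn).lower()

def roles_from_member_of(member_of, roles_base_dn=ROLES_BASE_DN):
    """Return the CN of each memberOf DN that sits directly under roles_base_dn."""
    base = [_norm(r) for r in _split_dn(roles_base_dn)]
    roles = []
    for dn in member_of:
        rdns = _split_dn(dn)
        attr, _, raw = rdns[0].partition("=")
        # Reject groups outside the roles container and RDNs that are not CN=...
        if attr.strip().lower() != "cn" or [_norm(r) for r in rdns[1:]] != base:
            continue
        roles.append(_unescape(raw.strip()))
    return roles
```

For the sample values this yields realmRole1, realmRole2 and "Ops, Team"; the entry under OU=Users is ignored even though its RDN is a CN.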
On 23/01/17 10:19, Adrian Madaras wrote:
Hi everybody,
I am trying to map a user attribute named 'sRoles' from LDAP to roles in
Keycloak. Is this possible? I could not find any reference regarding this online, and I
think it's a subject that a lot of people would be interested in.
Thanks in advance,
Adrian
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user