diff --git a/roles/ldap_server/templates/slapd.conf.j2 b/roles/ldap_server/templates/slapd.conf.j2
index 5849191..903639c 100644
--- a/roles/ldap_server/templates/slapd.conf.j2
+++ b/roles/ldap_server/templates/slapd.conf.j2
@@ -39,6 +39,7 @@ moduleload ppolicy.la
 moduleload syncprov.la
 #moduleload smbkrb5pwd.la
 moduleload constraint.la
+moduleload memberof.la
 # certificates and ciphers (unfortunately modern cipher suite didn't work)
 TLSCertificateFile {{ tls_certs }}/{{ ldap_server_cert }}.crt
@@ -77,6 +78,11 @@ overlay constraint
 constraint_attribute loginShell regex ^/bin/(bash|tcsh|zsh)$
 constraint_attribute uniqueMember uri ldap:///ou=People,{{ ldap_basedn }}?entryDN?one?(objectClass=inetOrgPerson)
+overlay memberof
+memberof-group-oc groupOfUniqueNames
+memberof-member-ad uniqueMember
+memberof-memberof-ad memberOf
+
 # database directory
 # chmod 700 so ldap:ldap can create encrypted backups with group readable
 # access without access to clear text data
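Review bot: The new `overlay memberof` block leaves `memberof-refint` at its default of FALSE, so deleting a user entry under ou=People does not remove its DN from any groupOfUniqueNames; the stale uniqueMember value survives, and an account later recreated with the same DN silently inherits the old group memberships. Add `memberof-refint TRUE` after `memberof-memberof-ad memberOf` so group entries are cleaned up on delete. Note also that the overlay only maintains memberOf for membership changes made after it is loaded, so existing groups need their uniqueMember values re-written (or a re-import) before memberOf can be relied on for authorization. Since syncprov.la is loaded in the first hunk, confirm on any replica that memberOf is generated by the same overlay locally rather than assumed to arrive via syncrepl, as it is an operational attribute and behaviour differs across OpenLDAP versions. The enclosing database section and its ACLs are outside the hunk; check that memberOf is not readable more widely than uniqueMember on the group entries, as it exposes the same membership data from the user side.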