diff --git a/Workbench/directory/Dockerfile b/Workbench/directory/Dockerfile
index 3fc3b6e..85b4164 100644
--- a/Workbench/directory/Dockerfile
+++ b/Workbench/directory/Dockerfile
@@ -24,7 +24,8 @@ RUN useradd ldapadmin \
     && /usr/sbin/ns-slapd -D /etc/dirsrv/slapd-dir \
     && while ! curl -s ldap://localhost:389 > /dev/null; do echo waiting for ldap to start; sleep 1; done; \
     ldapadd -H ldap:/// -f /seed-data/data.ldif -x -D "cn=Directory Manager" -w password \
-    && ldapmodify -H ldap:/// -f /seed-data/incwbperson-obj.ldif -x -D "cn=Directory Manager" -w password
+    && ldapmodify -H ldap:/// -f /seed-data/incwbperson-obj.ldif -x -D "cn=Directory Manager" -w password \
+	&& ldapmodify -H ldap:/// -f /seed-data/edumember-obj.ldif -x -D "cn=Directory Manager" -w password
 
 EXPOSE 389 443
 
diff --git a/Workbench/directory/container_files/seed-data/edumember-obj.ldif b/Workbench/directory/container_files/seed-data/edumember-obj.ldif
new file mode 100644
index 0000000..38b287f
--- /dev/null
+++ b/Workbench/directory/container_files/seed-data/edumember-obj.ldif
@@ -0,0 +1,30 @@
+#
+# eduMember Objectclass
+#
+#
+# "eduMember" attributes
+#
+dn: cn=schema
+changetype: modify
+#
+add: attributetypes
+attributeTypes: ( 1.3.6.1.4.1.5923.1.5.1.1 
+ NAME 'isMemberOf' 
+ DESC 'identifiers for groups to which containing entity belongs' 
+ EQUALITY caseExactMatch 
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
+attributeTypes: ( 1.3.6.1.4.1.5923.1.5.1.2 
+ NAME 'hasMember' 
+ DESC 'identifiers for entities that are members of the group' 
+ EQUALITY caseExactMatch 
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
+-
+#
+add: objectclasses
+objectClasses: ( 1.3.6.1.4.1.5923.1.5.2 NAME 'eduMember' 
+ AUXILIARY 
+ MAY ( isMemberOf $ hasMember ) 
+ )
+#
+# end of LDIF
+#
diff --git a/Workbench/midpoint_server/container_files/mp-home/post-initial-objects/resources/100-ldap-main.xml b/Workbench/midpoint_server/container_files/mp-home/post-initial-objects/resources/100-ldap-main.xml
index f3a4892..0a84e3c 100644
--- a/Workbench/midpoint_server/container_files/mp-home/post-initial-objects/resources/100-ldap-main.xml
+++ b/Workbench/midpoint_server/container_files/mp-home/post-initial-objects/resources/100-ldap-main.xml
@@ -61,6 +61,7 @@
 		<generationConstraints>
 			<generateObjectClass>ri:inetOrgPerson</generateObjectClass>
 			<generateObjectClass>ri:eduPerson</generateObjectClass>
+			<generateObjectClass>ri:eduMember</generateObjectClass>
             <generateObjectClass>ri:incwbPerson</generateObjectClass>
 			<generateObjectClass>ri:organizationalPerson</generateObjectClass>
 			<generateObjectClass>ri:person</generateObjectClass>
@@ -77,6 +78,7 @@
 			<default>true</default>
 			<objectClass>ri:inetOrgPerson</objectClass>
 			<auxiliaryObjectClass>ri:eduPerson</auxiliaryObjectClass>
+			<auxiliaryObjectClass>ri:eduMember</auxiliaryObjectClass>
 			<auxiliaryObjectClass>ri:incwbPerson</auxiliaryObjectClass>
 			<attribute>
 				<ref>ri:dn</ref>
@@ -249,6 +251,15 @@
                 <direction>objectToSubject</direction>
                 <associationAttribute>ri:uniqueMember</associationAttribute>
                 <valueAttribute>ri:dn</valueAttribute>
+            </association>
+			<association>
+                <ref>ri:isMemberOfAssociation</ref>
+                <tolerant>false</tolerant>
+                <kind>entitlement</kind>
+                <intent>group</intent>
+                <direction>subjectToObject</direction>
+                <associationAttribute>ri:isMemberOf</associationAttribute>
+                <valueAttribute>ri:cn</valueAttribute>
             </association>
 			<protected>
 				<filter>
@@ -303,6 +314,7 @@
             <attribute>
                 <ref>ri:cn</ref>
                 <matchingRule>mr:stringIgnoreCase</matchingRule>
+				<secondaryIdentifier>true</secondaryIdentifier>
                 <outbound>
                     <strength>weak</strength>
                     <source>
diff --git a/Workbench/midpoint_server/container_files/mp-home/post-initial-objects/roles/200-metarole-ldap-group.xml b/Workbench/midpoint_server/container_files/mp-home/post-initial-objects/roles/200-metarole-ldap-group.xml
index 91bf370..dc52597 100644
--- a/Workbench/midpoint_server/container_files/mp-home/post-initial-objects/roles/200-metarole-ldap-group.xml
+++ b/Workbench/midpoint_server/container_files/mp-home/post-initial-objects/roles/200-metarole-ldap-group.xml
@@ -121,6 +121,20 @@
                         </associationFromLink>
                     </expression>
                 </outbound>
+            </association>
+			<association>
+                <ref>ri:isMemberOfAssociation</ref>
+                <outbound>
+                    <expression>
+                        <associationFromLink>
+                            <projectionDiscriminator>
+                                <kind>entitlement</kind>
+                                <intent>group</intent>
+                            </projectionDiscriminator>
+                            <assignmentPathIndex>1</assignmentPathIndex>
+                        </associationFromLink>
+                    </expression>
+                </outbound>
             </association>
         </construction>
         <order>3</order>        <!--  order=3 means the user object; user has an assignment to the org: user->org->archetype->metarole -->