diff --git a/Workbench/directory/Dockerfile b/Workbench/directory/Dockerfile
index 3fc3b6e..85b4164 100644
--- a/Workbench/directory/Dockerfile
+++ b/Workbench/directory/Dockerfile
@@ -24,7 +24,8 @@ RUN useradd ldapadmin \
     && /usr/sbin/ns-slapd -D /etc/dirsrv/slapd-dir \
     && while ! curl -s ldap://localhost:389 > /dev/null; do echo waiting for ldap to start; sleep 1; done; \
     ldapadd -H ldap:/// -f /seed-data/data.ldif -x -D "cn=Directory Manager" -w password \
-    && ldapmodify -H ldap:/// -f /seed-data/incwbperson-obj.ldif -x -D "cn=Directory Manager" -w password
+    && ldapmodify -H ldap:/// -f /seed-data/incwbperson-obj.ldif -x -D "cn=Directory Manager" -w password \
+	&& ldapmodify -H ldap:/// -f /seed-data/edumember-obj.ldif -x -D "cn=Directory Manager" -w password
 
 EXPOSE 389 443
 
diff --git a/Workbench/directory/container_files/seed-data/edumember-obj.ldif b/Workbench/directory/container_files/seed-data/edumember-obj.ldif
new file mode 100644
index 0000000..38b287f
--- /dev/null
+++ b/Workbench/directory/container_files/seed-data/edumember-obj.ldif
@@ -0,0 +1,30 @@
+#
+# eduMember Objectclass
+#
+#
+# "eduMember" attributes
+#
+dn: cn=schema
+changetype: modify
+#
+add: attributetypes
+attributeTypes: ( 1.3.6.1.4.1.5923.1.5.1.1 
+ NAME 'isMemberOf' 
+ DESC 'identifiers for groups to which containing entity belongs' 
+ EQUALITY caseExactMatch 
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
+attributeTypes: ( 1.3.6.1.4.1.5923.1.5.1.2 
+ NAME 'hasMember' 
+ DESC 'identifiers for entities that are members of the group' 
+ EQUALITY caseExactMatch 
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
+-
+#
+add: objectclasses
+objectClasses: ( 1.3.6.1.4.1.5923.1.5.2 NAME 'eduMember' 
+ AUXILIARY 
+ MAY ( isMemberOf $ hasMember ) 
+ )
+#
+# end of LDIF
+#
diff --git a/Workbench/midpoint_server/container_files/mp-home/post-initial-objects/resources/100-ldap-main.xml b/Workbench/midpoint_server/container_files/mp-home/post-initial-objects/resources/100-ldap-main.xml
index f3a4892..0e7d770 100644
--- a/Workbench/midpoint_server/container_files/mp-home/post-initial-objects/resources/100-ldap-main.xml
+++ b/Workbench/midpoint_server/container_files/mp-home/post-initial-objects/resources/100-ldap-main.xml
@@ -61,6 +61,7 @@
 		<generationConstraints>
 			<generateObjectClass>ri:inetOrgPerson</generateObjectClass>
 			<generateObjectClass>ri:eduPerson</generateObjectClass>
+			<generateObjectClass>ri:eduMember</generateObjectClass>
             <generateObjectClass>ri:incwbPerson</generateObjectClass>
 			<generateObjectClass>ri:organizationalPerson</generateObjectClass>
 			<generateObjectClass>ri:person</generateObjectClass>
@@ -68,6 +69,1050 @@
 			<generateObjectClass>ri:groupOfNames</generateObjectClass>
 			<generateObjectClass>ri:organizationalUnit</generateObjectClass>
 		</generationConstraints>
+		<definition>
+            <xsd:schema xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:a="http://prism.evolveum.com/xml/ns/public/annotation-3" xmlns:ra="http://midpoint.evolveum.com/xml/ns/public/resource/annotation-3" xmlns:tns="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3" elementFormDefault="qualified" targetNamespace="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3">
+                <xsd:import namespace="http://prism.evolveum.com/xml/ns/public/annotation-3"/>
+                <xsd:import namespace="http://midpoint.evolveum.com/xml/ns/public/resource/annotation-3"/>
+		        <xsd:complexType name="eduMember">
+                    <xsd:annotation>
+                        <xsd:appinfo>
+                            <ra:resourceObject/>
+                            <ra:identifier xmlns:ri="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3">ri:nsUniqueId</ra:identifier>
+                            <ra:secondaryIdentifier xmlns:ri="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3">ri:dn</ra:secondaryIdentifier>
+                            <ra:displayNameAttribute xmlns:ri="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3">ri:dn</ra:displayNameAttribute>
+                            <ra:namingAttribute xmlns:ri="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3">ri:dn</ra:namingAttribute>
+                            <ra:nativeObjectClass>eduMember</ra:nativeObjectClass>
+                            <ra:auxiliary>true</ra:auxiliary>
+                        </xsd:appinfo>
+                    </xsd:annotation>
+                    <xsd:sequence>
+                        <xsd:element maxOccurs="unbounded" minOccurs="0" name="nsAccountLock" type="xsd:string">
+                            <xsd:annotation>
+                                <xsd:appinfo>
+                                    <a:displayOrder>120</a:displayOrder>
+                                    <ra:nativeAttributeName>nsAccountLock</ra:nativeAttributeName>
+                                    <ra:frameworkAttributeName>nsAccountLock</ra:frameworkAttributeName>
+                                    <ra:returnedByDefault>false</ra:returnedByDefault>
+                                </xsd:appinfo>
+                            </xsd:annotation>
+                        </xsd:element>
+                        <xsd:element minOccurs="0" name="createTimestamp" type="xsd:dateTime">
+                            <xsd:annotation>
+                                <xsd:appinfo>
+                                    <a:displayOrder>130</a:displayOrder>
+                                    <a:access>read</a:access>
+                                    <ra:nativeAttributeName>createTimestamp</ra:nativeAttributeName>
+                                    <ra:frameworkAttributeName>createTimestamp</ra:frameworkAttributeName>
+                                    <ra:returnedByDefault>false</ra:returnedByDefault>
+                                </xsd:appinfo>
+                            </xsd:annotation>
+                        </xsd:element>
+                        <xsd:element maxOccurs="unbounded" minOccurs="0" name="memberOf" type="xsd:string">
+                            <xsd:annotation>
+                                <xsd:appinfo>
+                                    <a:displayOrder>140</a:displayOrder>
+                                    <a:matchingRule xmlns:qn973="http://prism.evolveum.com/xml/ns/public/matching-rule-3">qn973:distinguishedName</a:matchingRule>
+                                    <ra:nativeAttributeName>memberOf</ra:nativeAttributeName>
+                                    <ra:frameworkAttributeName>memberOf</ra:frameworkAttributeName>
+                                    <ra:returnedByDefault>false</ra:returnedByDefault>
+                                </xsd:appinfo>
+                            </xsd:annotation>
+                        </xsd:element>
+                        <xsd:element minOccurs="0" name="hasMember" type="xsd:string">
+                            <xsd:annotation>
+                                <xsd:appinfo>
+                                    <a:displayOrder>150</a:displayOrder>
+                                    <ra:nativeAttributeName>hasMember</ra:nativeAttributeName>
+                                    <ra:frameworkAttributeName>hasMember</ra:frameworkAttributeName>
+                                </xsd:appinfo>
+                            </xsd:annotation>
+                        </xsd:element>
+                        <xsd:element name="dn" type="xsd:string">
+                            <xsd:annotation>
+                                <xsd:appinfo>
+                                    <a:displayOrder>110</a:displayOrder>
+                                    <a:matchingRule xmlns:qn468="http://prism.evolveum.com/xml/ns/public/matching-rule-3">qn468:distinguishedName</a:matchingRule>
+                                    <ra:nativeAttributeName>dn</ra:nativeAttributeName>
+                                    <ra:frameworkAttributeName>__NAME__</ra:frameworkAttributeName>
+                                </xsd:appinfo>
+                            </xsd:annotation>
+                        </xsd:element>
+                        <xsd:element minOccurs="0" name="isMemberOf" type="xsd:string">
+                            <xsd:annotation>
+                                <xsd:appinfo>
+                                    <a:displayOrder>160</a:displayOrder>
+                                    <ra:nativeAttributeName>isMemberOf</ra:nativeAttributeName>
+                                    <ra:frameworkAttributeName>isMemberOf</ra:frameworkAttributeName>
+                                </xsd:appinfo>
+                            </xsd:annotation>
+                        </xsd:element>
+                        <xsd:element minOccurs="0" name="nsUniqueId" type="xsd:string">
+                            <xsd:annotation>
+                                <xsd:appinfo>
+                                    <a:displayOrder>100</a:displayOrder>
+                                    <a:access>read</a:access>
+                                    <ra:nativeAttributeName>nsUniqueId</ra:nativeAttributeName>
+                                    <ra:frameworkAttributeName>__UID__</ra:frameworkAttributeName>
+                                </xsd:appinfo>
+                            </xsd:annotation>
+                        </xsd:element>
+                    </xsd:sequence>
+                </xsd:complexType>
+				<xsd:complexType name="inetOrgPerson">
+                    <xsd:annotation>
+                        <xsd:appinfo>
+                            <ra:resourceObject/>
+                            <ra:identifier>ri:entryUUID</ra:identifier>
+                            <ra:secondaryIdentifier>ri:dn</ra:secondaryIdentifier>
+                            <ra:displayNameAttribute>ri:dn</ra:displayNameAttribute>
+                            <ra:namingAttribute>ri:dn</ra:namingAttribute>
+                            <ra:nativeObjectClass>inetOrgPerson</ra:nativeObjectClass>
+                        </xsd:appinfo>
+                    </xsd:annotation>
+                    <xsd:sequence>
+                        <xsd:element maxOccurs="unbounded" minOccurs="0" name="initials" type="xsd:string">
+                            <xsd:annotation>
+                                <xsd:appinfo>
+                                    <a:displayOrder>120</a:displayOrder>
+                                    <a:matchingRule xmlns:qn277="http://prism.evolveum.com/xml/ns/public/matching-rule-3">qn277:stringIgnoreCase</a:matchingRule>
+                                    <ra:nativeAttributeName>initials</ra:nativeAttributeName>
+                                    <ra:frameworkAttributeName>initials</ra:frameworkAttributeName>
+                                </xsd:appinfo>
+                            </xsd:annotation>
+                        </xsd:element>
+                        <xsd:element minOccurs="0" name="memberOf" type="xsd:string">
+                            <xsd:annotation>
+                                <xsd:appinfo>
+                                    <a:displayOrder>130</a:displayOrder>
+                                    <ra:nativeAttributeName>memberOf</ra:nativeAttributeName>
+                                    <ra:frameworkAttributeName>memberOf</ra:frameworkAttributeName>
+                                    <ra:returnedByDefault>false</ra:returnedByDefault>
+                                </xsd:appinfo>
+                            </xsd:annotation>
+                        </xsd:element>
+                        <xsd:element maxOccurs="unbounded" minOccurs="0" name="homePhone" type="xsd:string">
+                            <xsd:annotation>
+                                <xsd:appinfo>
+                                    <a:displayOrder>140</a:displayOrder>
+                                    <ra:nativeAttributeName>homePhone</ra:nativeAttributeName>
+                                    <ra:frameworkAttributeName>homePhone</ra:frameworkAttributeName>
+                                </xsd:appinfo>
+                            </xsd:annotation>
+                        </xsd:element>
+                        <xsd:element maxOccurs="unbounded" minOccurs="0" name="audio" type="xsd:base64Binary">
+                            <xsd:annotation>
+                                <xsd:appinfo>
+                                    <a:displayOrder>150</a:displayOrder>
+                                    <ra:nativeAttributeName>audio</ra:nativeAttributeName>
+                                    <ra:frameworkAttributeName>audio</ra:frameworkAttributeName>
+                                </xsd:appinfo>
+                            </xsd:annotation>
+                        </xsd:element>
+                        <xsd:element maxOccurs="unbounded" minOccurs="0" name="mail" type="xsd:string">
+                            <xsd:annotation>
+                                <xsd:appinfo>
+                                    <a:displayOrder>160</a:displayOrder>
+                                    <a:matchingRule xmlns:qn612="http://prism.evolveum.com/xml/ns/public/matching-rule-3">qn612:stringIgnoreCase</a:matchingRule>
+                                    <ra:nativeAttributeName>mail</ra:nativeAttributeName>
+                                    <ra:frameworkAttributeName>mail</ra:frameworkAttributeName>
+                                </xsd:appinfo>
+                            </xsd:annotation>
+                        </xsd:element>
+                        <xsd:element maxOccurs="unbounded" minOccurs="0" name="carLicense" type="xsd:string">
+                            <xsd:annotation>
+                                <xsd:appinfo>
+                                    <a:displayOrder>170</a:displayOrder>
+                                    <a:matchingRule xmlns:qn779="http://prism.evolveum.com/xml/ns/public/matching-rule-3">qn779:stringIgnoreCase</a:matchingRule>
+                                    <ra:nativeAttributeName>carLicense</ra:nativeAttributeName>
+                                    <ra:frameworkAttributeName>carLicense</ra:frameworkAttributeName>
+                                </xsd:appinfo>
+                            </xsd:annotation>
+                        </xsd:element>
+                        <xsd:element maxOccurs="unbounded" minOccurs="0" name="departmentNumber" type="xsd:string">
+                            <xsd:annotation>
+                                <xsd:appinfo>
+                                    <a:displayOrder>180</a:displayOrder>
+                                    <a:matchingRule xmlns:qn508="http://prism.evolveum.com/xml/ns/public/matching-rule-3">qn508:stringIgnoreCase</a:matchingRule>
+                                    <ra:nativeAttributeName>departmentNumber</ra:nativeAttributeName>
+                                    <ra:frameworkAttributeName>departmentNumber</ra:frameworkAttributeName>
+                                </xsd:appinfo>
+                            </xsd:annotation>
+                        </xsd:element>
+                        <xsd:element maxOccurs="unbounded" minOccurs="0" name="manager" type="xsd:string">
+                            <xsd:annotation>
+                                <xsd:appinfo>
+                                    <a:displayOrder>190</a:displayOrder>
+                                    <a:matchingRule xmlns:qn578="http://prism.evolveum.com/xml/ns/public/matching-rule-3">qn578:distinguishedName</a:matchingRule>
+                                    <ra:nativeAttributeName>manager</ra:nativeAttributeName>
+                                    <ra:frameworkAttributeName>manager</ra:frameworkAttributeName>
+                                </xsd:appinfo>
+                            </xsd:annotation>
+                        </xsd:element>
+                        <xsd:element maxOccurs="unbounded" minOccurs="0" name="businessCategory" type="xsd:string">
+                            <xsd:annotation>
+                                <xsd:appinfo>
+                                    <a:displayOrder>200</a:displayOrder>
+                                    <a:matchingRule xmlns:qn454="http://prism.evolveum.com/xml/ns/public/matching-rule-3">qn454:stringIgnoreCase</a:matchingRule>
+                                    <ra:nativeAttributeName>businessCategory</ra:nativeAttributeName>
+                                    <ra:frameworkAttributeName>businessCategory</ra:frameworkAttributeName>
+                                </xsd:appinfo>
+                            </xsd:annotation>
+                        </xsd:element>
+                        <xsd:element maxOccurs="unbounded" minOccurs="0" name="homePostalAddress" type="xsd:string">
+                            <xsd:annotation>
+                                <xsd:appinfo>
+                                    <a:displayOrder>210</a:displayOrder>
+                                    <ra:nativeAttributeName>homePostalAddress</ra:nativeAttributeName>
+                                    <ra:frameworkAttributeName>homePostalAddress</ra:frameworkAttributeName>
+                                </xsd:appinfo>
+                            </xsd:annotation>
+                        </xsd:element>
+                        <xsd:element maxOccurs="unbounded" minOccurs="0" name="secretary" type="xsd:string">
+                            <xsd:annotation>
+                                <xsd:appinfo>
+                                    <a:displayOrder>220</a:displayOrder>
+                                    <a:matchingRule xmlns:qn723="http://prism.evolveum.com/xml/ns/public/matching-rule-3">qn723:distinguishedName</a:matchingRule>
+                                    <ra:nativeAttributeName>secretary</ra:nativeAttributeName>
+                                    <ra:frameworkAttributeName>secretary</ra:frameworkAttributeName>
+                                </xsd:appinfo>
+                            </xsd:annotation>
+                        </xsd:element>
+                        <xsd:element maxOccurs="unbounded" minOccurs="0" name="photo" type="xsd:string">
+                            <xsd:annotation>
+                                <xsd:appinfo>
+                                    <a:displayOrder>230</a:displayOrder>
+                                    <ra:nativeAttributeName>photo</ra:nativeAttributeName>
+                                    <ra:frameworkAttributeName>photo</ra:frameworkAttributeName>
+                                </xsd:appinfo>
+                            </xsd:annotation>
+                        </xsd:element>
+                        <xsd:element maxOccurs="unbounded" minOccurs="0" name="labeledURI" type="xsd:string">
+                            <xsd:annotation>
+                                <xsd:appinfo>
+                                    <a:displayOrder>240</a:displayOrder>
+                                    <ra:nativeAttributeName>labeledURI</ra:nativeAttributeName>
+                                    <ra:frameworkAttributeName>labeledURI</ra:frameworkAttributeName>
+                                </xsd:appinfo>
+                            </xsd:annotation>
+                        </xsd:element>
+                        <xsd:element minOccurs="0" name="displayName" type="xsd:string">
+                            <xsd:annotation>
+                                <xsd:appinfo>
+                                    <a:displayOrder>250</a:displayOrder>
+                                    <a:matchingRule xmlns:qn735="http://prism.evolveum.com/xml/ns/public/matching-rule-3">qn735:stringIgnoreCase</a:matchingRule>
+                                    <ra:nativeAttributeName>displayName</ra:nativeAttributeName>
+                                    <ra:frameworkAttributeName>displayName</ra:frameworkAttributeName>
+                                </xsd:appinfo>
+                            </xsd:annotation>
+                        </xsd:element>
+                        <xsd:element maxOccurs="unbounded" minOccurs="0" name="pager" type="xsd:string">
+                            <xsd:annotation>
+                                <xsd:appinfo>
+                                    <a:displayOrder>260</a:displayOrder>
+                                    <ra:nativeAttributeName>pager</ra:nativeAttributeName>
+                                    <ra:frameworkAttributeName>pager</ra:frameworkAttributeName>
+                                </xsd:appinfo>
+                            </xsd:annotation>
+                        </xsd:element>
+                        <xsd:element maxOccurs="unbounded" minOccurs="0" name="roomNumber" type="xsd:string">
+                            <xsd:annotation>
+                                <xsd:appinfo>
+                                    <a:displayOrder>270</a:displayOrder>
+                                    <a:matchingRule xmlns:qn74="http://prism.evolveum.com/xml/ns/public/matching-rule-3">qn74:stringIgnoreCase</a:matchingRule>
+                                    <ra:nativeAttributeName>roomNumber</ra:nativeAttributeName>
+                                    <ra:frameworkAttributeName>roomNumber</ra:frameworkAttributeName>
+                                </xsd:appinfo>
+                            </xsd:annotation>
+                        </xsd:element>
+                        <xsd:element maxOccurs="unbounded" minOccurs="0" name="physicalDeliveryOfficeName" type="xsd:string">
+                            <xsd:annotation>
+                                <xsd:appinfo>
+                                    <a:displayOrder>280</a:displayOrder>
+                                    <a:matchingRule xmlns:qn272="http://prism.evolveum.com/xml/ns/public/matching-rule-3">qn272:stringIgnoreCase</a:matchingRule>
+                                    <ra:nativeAttributeName>physicalDeliveryOfficeName</ra:nativeAttributeName>
+                                    <ra:frameworkAttributeName>physicalDeliveryOfficeName</ra:frameworkAttributeName>
+                                </xsd:appinfo>
+                            </xsd:annotation>
+                        </xsd:element>
+                        <xsd:element maxOccurs="unbounded" minOccurs="0" name="uid" type="xsd:string">
+                            <xsd:annotation>
+                                <xsd:appinfo>
+                                    <a:displayOrder>290</a:displayOrder>
+                                    <a:matchingRule xmlns:qn301="http://prism.evolveum.com/xml/ns/public/matching-rule-3">qn301:stringIgnoreCase</a:matchingRule>
+                                    <ra:nativeAttributeName>uid</ra:nativeAttributeName>
+                                    <ra:frameworkAttributeName>uid</ra:frameworkAttributeName>
+                                </xsd:appinfo>
+                            </xsd:annotation>
+                        </xsd:element>
+                        <xsd:element maxOccurs="unbounded" minOccurs="0" name="seeAlso" type="xsd:string">
+                            <xsd:annotation>
+                                <xsd:appinfo>
+                                    <a:displayOrder>300</a:displayOrder>
+                                    <a:matchingRule xmlns:qn348="http://prism.evolveum.com/xml/ns/public/matching-rule-3">qn348:distinguishedName</a:matchingRule>
+                                    <ra:nativeAttributeName>seeAlso</ra:nativeAttributeName>
+                                    <ra:frameworkAttributeName>seeAlso</ra:frameworkAttributeName>
+                                </xsd:appinfo>
+                            </xsd:annotation>
+                        </xsd:element>
+                        <xsd:element maxOccurs="unbounded" minOccurs="0" name="destinationIndicator" type="xsd:string">
+                            <xsd:annotation>
+                                <xsd:appinfo>
+                                    <a:displayOrder>310</a:displayOrder>
+                                    <a:matchingRule xmlns:qn817="http://prism.evolveum.com/xml/ns/public/matching-rule-3">qn817:stringIgnoreCase</a:matchingRule>
+                                    <ra:nativeAttributeName>destinationIndicator</ra:nativeAttributeName>
+                                    <ra:frameworkAttributeName>destinationIndicator</ra:frameworkAttributeName>
+                                </xsd:appinfo>
+                            </xsd:annotation>
+                        </xsd:element>
+                        <xsd:element maxOccurs="unbounded" minOccurs="0" name="postalAddress" type="xsd:string">
+                            <xsd:annotation>
+                                <xsd:appinfo>
+                                    <a:displayOrder>320</a:displayOrder>
+                                    <ra:nativeAttributeName>postalAddress</ra:nativeAttributeName>
+                                    <ra:frameworkAttributeName>postalAddress</ra:frameworkAttributeName>
+                                </xsd:appinfo>
+                            </xsd:annotation>
+                        </xsd:element>
+                        <xsd:element minOccurs="0" name="preferredLanguage" type="xsd:string">
+                            <xsd:annotation>
+                                <xsd:appinfo>
+                                    <a:displayOrder>330</a:displayOrder>
+                                    <a:matchingRule xmlns:qn260="http://prism.evolveum.com/xml/ns/public/matching-rule-3">qn260:stringIgnoreCase</a:matchingRule>
+                                    <ra:nativeAttributeName>preferredLanguage</ra:nativeAttributeName>
+                                    <ra:frameworkAttributeName>preferredLanguage</ra:frameworkAttributeName>
+                                </xsd:appinfo>
+                            </xsd:annotation>
+                        </xsd:element>
+                        <xsd:element minOccurs="0" name="preferredDeliveryMethod" type="xsd:string">
+                            <xsd:annotation>
+                                <xsd:appinfo>
+                                    <a:displayOrder>340</a:displayOrder>
+                                    <ra:nativeAttributeName>preferredDeliveryMethod</ra:nativeAttributeName>
+                                    <ra:frameworkAttributeName>preferredDeliveryMethod</ra:frameworkAttributeName>
+                                </xsd:appinfo>
+                            </xsd:annotation>
+                        </xsd:element>
+                        <xsd:element maxOccurs="unbounded" minOccurs="0" name="facsimileTelephoneNumber" type="xsd:string">
+                            <xsd:annotation>
+                                <xsd:appinfo>
+                                    <a:displayOrder>350</a:displayOrder>
+                                    <ra:nativeAttributeName>facsimileTelephoneNumber</ra:nativeAttributeName>
+                                    <ra:frameworkAttributeName>facsimileTelephoneNumber</ra:frameworkAttributeName>
+                                </xsd:appinfo>
+                            </xsd:annotation>
+                        </xsd:element>
+                        <xsd:element maxOccurs="unbounded" minOccurs="0" name="employeeType" type="xsd:string">
+                            <xsd:annotation>
+                                <xsd:appinfo>
+                                    <a:displayOrder>360</a:displayOrder>
+                                    <a:matchingRule xmlns:qn847="http://prism.evolveum.com/xml/ns/public/matching-rule-3">qn847:stringIgnoreCase</a:matchingRule>
+                                    <ra:nativeAttributeName>employeeType</ra:nativeAttributeName>
+                                    <ra:frameworkAttributeName>employeeType</ra:frameworkAttributeName>
+                                </xsd:appinfo>
+                            </xsd:annotation>
+                        </xsd:element>
+                        <xsd:element maxOccurs="unbounded" minOccurs="0" name="internationaliSDNNumber" type="xsd:string">
+                            <xsd:annotation>
+                                <xsd:appinfo>
+                                    <a:displayOrder>370</a:displayOrder>
+                                    <ra:nativeAttributeName>internationaliSDNNumber</ra:nativeAttributeName>
+                                    <ra:frameworkAttributeName>internationaliSDNNumber</ra:frameworkAttributeName>
+                                </xsd:appinfo>
+                            </xsd:annotation>
+                        </xsd:element>
+                        <xsd:element maxOccurs="unbounded" minOccurs="0" name="postOfficeBox" type="xsd:string">
+                            <xsd:annotation>
+                                <xsd:appinfo>
+                                    <a:displayOrder>380</a:displayOrder>
+                                    <a:matchingRule xmlns:qn290="http://prism.evolveum.com/xml/ns/public/matching-rule-3">qn290:stringIgnoreCase</a:matchingRule>
+                                    <ra:nativeAttributeName>postOfficeBox</ra:nativeAttributeName>
+                                    <ra:frameworkAttributeName>postOfficeBox</ra:frameworkAttributeName>
+                                </xsd:appinfo>
+                            </xsd:annotation>
+                        </xsd:element>
+                        <xsd:element maxOccurs="unbounded" minOccurs="0" name="telephoneNumber" type="xsd:string">
+                            <xsd:annotation>
+                                <xsd:appinfo>
+                                    <a:displayOrder>390</a:displayOrder>
+                                    <ra:nativeAttributeName>telephoneNumber</ra:nativeAttributeName>
+                                    <ra:frameworkAttributeName>telephoneNumber</ra:frameworkAttributeName>
+                                </xsd:appinfo>
+                            </xsd:annotation>
+                        </xsd:element>
+                        <xsd:element maxOccurs="unbounded" minOccurs="0" name="l" type="xsd:string">
+                            <xsd:annotation>
+                                <xsd:appinfo>
+                                    <a:displayOrder>400</a:displayOrder>
+                                    <a:matchingRule xmlns:qn79="http://prism.evolveum.com/xml/ns/public/matching-rule-3">qn79:stringIgnoreCase</a:matchingRule>
+                                    <ra:nativeAttributeName>l</ra:nativeAttributeName>
+                                    <ra:frameworkAttributeName>l</ra:frameworkAttributeName>
+                                </xsd:appinfo>
+                            </xsd:annotation>
+                        </xsd:element>
+                        <xsd:element minOccurs="0" name="employeeNumber" type="xsd:string">
+                            <xsd:annotation>
+                                <xsd:appinfo>
+                                    <a:displayOrder>410</a:displayOrder>
+                                    <a:matchingRule xmlns:qn814="http://prism.evolveum.com/xml/ns/public/matching-rule-3">qn814:stringIgnoreCase</a:matchingRule>
+                                    <ra:nativeAttributeName>employeeNumber</ra:nativeAttributeName>
+                                    <ra:frameworkAttributeName>employeeNumber</ra:frameworkAttributeName>
+                                </xsd:appinfo>
+                            </xsd:annotation>
+                        </xsd:element>
+                        <xsd:element maxOccurs="unbounded" minOccurs="0" name="jpegPhoto" type="xsd:base64Binary">
+                            <xsd:annotation>
+                                <xsd:appinfo>
+                                    <a:displayOrder>420</a:displayOrder>
+                                    <ra:nativeAttributeName>jpegPhoto</ra:nativeAttributeName>
+                                    <ra:frameworkAttributeName>jpegPhoto</ra:frameworkAttributeName>
+                                </xsd:appinfo>
+                            </xsd:annotation>
+                        </xsd:element>
+                        <xsd:element maxOccurs="unbounded" minOccurs="0" name="o" type="xsd:string">
+                            <xsd:annotation>
+                                <xsd:appinfo>
+                                    <a:displayOrder>430</a:displayOrder>
+                                    <a:matchingRule xmlns:qn632="http://prism.evolveum.com/xml/ns/public/matching-rule-3">qn632:stringIgnoreCase</a:matchingRule>
+                                    <ra:nativeAttributeName>o</ra:nativeAttributeName>
+                                    <ra:frameworkAttributeName>o</ra:frameworkAttributeName>
+                                </xsd:appinfo>
+                            </xsd:annotation>
+                        </xsd:element>
+                        <xsd:element maxOccurs="unbounded" minOccurs="0" name="userPKCS12" type="xsd:base64Binary">
+                            <xsd:annotation>
+                                <xsd:appinfo>
+                                    <a:displayOrder>440</a:displayOrder>
+                                    <ra:nativeAttributeName>userPKCS12</ra:nativeAttributeName>
+                                    <ra:frameworkAttributeName>userPKCS12</ra:frameworkAttributeName>
+                                </xsd:appinfo>
+                            </xsd:annotation>
+                        </xsd:element>
+                        <xsd:element maxOccurs="unbounded" minOccurs="0" name="description" type="xsd:string">
+                            <xsd:annotation>
+                                <xsd:appinfo>
+                                    <a:displayOrder>450</a:displayOrder>
+                                    <a:matchingRule xmlns:qn773="http://prism.evolveum.com/xml/ns/public/matching-rule-3">qn773:stringIgnoreCase</a:matchingRule>
+                                    <ra:nativeAttributeName>description</ra:nativeAttributeName>
+                                    <ra:frameworkAttributeName>description</ra:frameworkAttributeName>
+                                </xsd:appinfo>
+                            </xsd:annotation>
+                        </xsd:element>
+                        <xsd:element name="dn" type="xsd:string">
+                            <xsd:annotation>
+                                <xsd:appinfo>
+                                    <a:displayOrder>110</a:displayOrder>
+                                    <a:matchingRule xmlns:qn855="http://prism.evolveum.com/xml/ns/public/matching-rule-3">qn855:distinguishedName</a:matchingRule>
+                                    <ra:nativeAttributeName>dn</ra:nativeAttributeName>
+                                    <ra:frameworkAttributeName>__NAME__</ra:frameworkAttributeName>
+                                </xsd:appinfo>
+                            </xsd:annotation>
+                        </xsd:element>
+                        <xsd:element maxOccurs="unbounded" name="sn" type="xsd:string">
+                            <xsd:annotation>
+                                <xsd:appinfo>
+                                    <a:displayOrder>460</a:displayOrder>
+                                    <a:matchingRule xmlns:qn824="http://prism.evolveum.com/xml/ns/public/matching-rule-3">qn824:stringIgnoreCase</a:matchingRule>
+                                    <ra:nativeAttributeName>sn</ra:nativeAttributeName>
+                                    <ra:frameworkAttributeName>sn</ra:frameworkAttributeName>
+                                </xsd:appinfo>
+                            </xsd:annotation>
+                        </xsd:element>
+                        <xsd:element maxOccurs="unbounded" minOccurs="0" name="givenName" type="xsd:string">
+                            <xsd:annotation>
+                                <xsd:appinfo>
+                                    <a:displayOrder>470</a:displayOrder>
+                                    <a:matchingRule xmlns:qn72="http://prism.evolveum.com/xml/ns/public/matching-rule-3">qn72:stringIgnoreCase</a:matchingRule>
+                                    <ra:nativeAttributeName>givenName</ra:nativeAttributeName>
+                                    <ra:frameworkAttributeName>givenName</ra:frameworkAttributeName>
+                                </xsd:appinfo>
+                            </xsd:annotation>
+                        </xsd:element>
+                        <xsd:element maxOccurs="unbounded" minOccurs="0" name="telexNumber" type="xsd:string">
+                            <xsd:annotation>
+                                <xsd:appinfo>
+                                    <a:displayOrder>480</a:displayOrder>
+                                    <ra:nativeAttributeName>telexNumber</ra:nativeAttributeName>
+                                    <ra:frameworkAttributeName>telexNumber</ra:frameworkAttributeName>
+                                </xsd:appinfo>
+                            </xsd:annotation>
+                        </xsd:element>
+                        <xsd:element maxOccurs="unbounded" minOccurs="0" name="postalCode" type="xsd:string">
+                            <xsd:annotation>
+                                <xsd:appinfo>
+                                    <a:displayOrder>490</a:displayOrder>
+                                    <a:matchingRule xmlns:qn503="http://prism.evolveum.com/xml/ns/public/matching-rule-3">qn503:stringIgnoreCase</a:matchingRule>
+                                    <ra:nativeAttributeName>postalCode</ra:nativeAttributeName>
+                                    <ra:frameworkAttributeName>postalCode</ra:frameworkAttributeName>
+                                </xsd:appinfo>
+                            </xsd:annotation>
+                        </xsd:element>
+                        <xsd:element minOccurs="0" name="createTimestamp" type="xsd:dateTime">
+                            <xsd:annotation>
+                                <xsd:appinfo>
+                                    <a:displayOrder>500</a:displayOrder>
+                                    <a:access>read</a:access>
+                                    <ra:nativeAttributeName>createTimestamp</ra:nativeAttributeName>
+                                    <ra:frameworkAttributeName>createTimestamp</ra:frameworkAttributeName>
+                                    <ra:returnedByDefault>false</ra:returnedByDefault>
+                                </xsd:appinfo>
+                            </xsd:annotation>
+                        </xsd:element>
+                        <xsd:element maxOccurs="unbounded" minOccurs="0" name="userSMIMECertificate" type="xsd:base64Binary">
+                            <xsd:annotation>
+                                <xsd:appinfo>
+                                    <a:displayOrder>510</a:displayOrder>
+                                    <ra:nativeAttributeName>userSMIMECertificate</ra:nativeAttributeName>
+                                    <ra:frameworkAttributeName>userSMIMECertificate</ra:frameworkAttributeName>
+                                </xsd:appinfo>
+                            </xsd:annotation>
+                        </xsd:element>
+                        <xsd:element maxOccurs="unbounded" minOccurs="0" name="userCertificate" type="xsd:base64Binary">
+                            <xsd:annotation>
+                                <xsd:appinfo>
+                                    <a:displayOrder>520</a:displayOrder>
+                                    <ra:nativeAttributeName>userCertificate</ra:nativeAttributeName>
+                                    <ra:frameworkAttributeName>userCertificate</ra:frameworkAttributeName>
+                                </xsd:appinfo>
+                            </xsd:annotation>
+                        </xsd:element>
+                        <xsd:element maxOccurs="unbounded" minOccurs="0" name="st" type="xsd:string">
+                            <xsd:annotation>
+                                <xsd:appinfo>
+                                    <a:displayOrder>530</a:displayOrder>
+                                    <a:matchingRule xmlns:qn417="http://prism.evolveum.com/xml/ns/public/matching-rule-3">qn417:stringIgnoreCase</a:matchingRule>
+                                    <ra:nativeAttributeName>st</ra:nativeAttributeName>
+                                    <ra:frameworkAttributeName>st</ra:frameworkAttributeName>
+                                </xsd:appinfo>
+                            </xsd:annotation>
+                        </xsd:element>
+                        <xsd:element maxOccurs="unbounded" minOccurs="0" name="teletexTerminalIdentifier" type="xsd:string">
+                            <xsd:annotation>
+                                <xsd:appinfo>
+                                    <a:displayOrder>540</a:displayOrder>
+                                    <ra:nativeAttributeName>teletexTerminalIdentifier</ra:nativeAttributeName>
+                                    <ra:frameworkAttributeName>teletexTerminalIdentifier</ra:frameworkAttributeName>
+                                </xsd:appinfo>
+                            </xsd:annotation>
+                        </xsd:element>
+                        <xsd:element maxOccurs="unbounded" minOccurs="0" name="ou" type="xsd:string">
+                            <xsd:annotation>
+                                <xsd:appinfo>
+                                    <a:displayOrder>550</a:displayOrder>
+                                    <a:matchingRule xmlns:qn682="http://prism.evolveum.com/xml/ns/public/matching-rule-3">qn682:stringIgnoreCase</a:matchingRule>
+                                    <ra:nativeAttributeName>ou</ra:nativeAttributeName>
+                                    <ra:frameworkAttributeName>ou</ra:frameworkAttributeName>
+                                </xsd:appinfo>
+                            </xsd:annotation>
+                        </xsd:element>
+                        <xsd:element maxOccurs="unbounded" minOccurs="0" name="street" type="xsd:string">
+                            <xsd:annotation>
+                                <xsd:appinfo>
+                                    <a:displayOrder>560</a:displayOrder>
+                                    <a:matchingRule xmlns:qn114="http://prism.evolveum.com/xml/ns/public/matching-rule-3">qn114:stringIgnoreCase</a:matchingRule>
+                                    <ra:nativeAttributeName>street</ra:nativeAttributeName>
+                                    <ra:frameworkAttributeName>street</ra:frameworkAttributeName>
+                                </xsd:appinfo>
+                            </xsd:annotation>
+                        </xsd:element>
+                        <xsd:element maxOccurs="unbounded" name="cn" type="xsd:string">
+                            <xsd:annotation>
+                                <xsd:appinfo>
+                                    <a:displayOrder>570</a:displayOrder>
+                                    <a:matchingRule xmlns:qn260="http://prism.evolveum.com/xml/ns/public/matching-rule-3">qn260:stringIgnoreCase</a:matchingRule>
+                                    <ra:nativeAttributeName>cn</ra:nativeAttributeName>
+                                    <ra:frameworkAttributeName>cn</ra:frameworkAttributeName>
+                                </xsd:appinfo>
+                            </xsd:annotation>
+                        </xsd:element>
+                        <xsd:element maxOccurs="unbounded" minOccurs="0" name="registeredAddress" type="xsd:string">
+                            <xsd:annotation>
+                                <xsd:appinfo>
+                                    <a:displayOrder>580</a:displayOrder>
+                                    <ra:nativeAttributeName>registeredAddress</ra:nativeAttributeName>
+                                    <ra:frameworkAttributeName>registeredAddress</ra:frameworkAttributeName>
+                                </xsd:appinfo>
+                            </xsd:annotation>
+                        </xsd:element>
+                        <xsd:element maxOccurs="unbounded" minOccurs="0" name="x121Address" type="xsd:string">
+                            <xsd:annotation>
+                                <xsd:appinfo>
+                                    <a:displayOrder>590</a:displayOrder>
+                                    <ra:nativeAttributeName>x121Address</ra:nativeAttributeName>
+                                    <ra:frameworkAttributeName>x121Address</ra:frameworkAttributeName>
+                                </xsd:appinfo>
+                            </xsd:annotation>
+                        </xsd:element>
+                        <xsd:element maxOccurs="unbounded" minOccurs="0" name="title" type="xsd:string">
+                            <xsd:annotation>
+                                <xsd:appinfo>
+                                    <a:displayOrder>600</a:displayOrder>
+                                    <a:matchingRule xmlns:qn103="http://prism.evolveum.com/xml/ns/public/matching-rule-3">qn103:stringIgnoreCase</a:matchingRule>
+                                    <ra:nativeAttributeName>title</ra:nativeAttributeName>
+                                    <ra:frameworkAttributeName>title</ra:frameworkAttributeName>
+                                </xsd:appinfo>
+                            </xsd:annotation>
+                        </xsd:element>
+                        <xsd:element maxOccurs="unbounded" minOccurs="0" name="x500UniqueIdentifier" type="xsd:base64Binary">
+                            <xsd:annotation>
+                                <xsd:appinfo>
+                                    <a:displayOrder>610</a:displayOrder>
+                                    <ra:nativeAttributeName>x500UniqueIdentifier</ra:nativeAttributeName>
+                                    <ra:frameworkAttributeName>x500UniqueIdentifier</ra:frameworkAttributeName>
+                                </xsd:appinfo>
+                            </xsd:annotation>
+                        </xsd:element>
+                        <xsd:element maxOccurs="unbounded" minOccurs="0" name="mobile" type="xsd:string">
+                            <xsd:annotation>
+                                <xsd:appinfo>
+                                    <a:displayOrder>620</a:displayOrder>
+                                    <ra:nativeAttributeName>mobile</ra:nativeAttributeName>
+                                    <ra:frameworkAttributeName>mobile</ra:frameworkAttributeName>
+                                </xsd:appinfo>
+                            </xsd:annotation>
+                        </xsd:element>
+                        <xsd:element minOccurs="0" name="entryUUID" type="xsd:string">
+                            <xsd:annotation>
+                                <xsd:appinfo>
+                                    <a:displayOrder>100</a:displayOrder>
+                                    <a:access>read</a:access>
+                                    <a:matchingRule xmlns:qn946="http://prism.evolveum.com/xml/ns/public/matching-rule-3">qn946:uuid</a:matchingRule>
+                                    <ra:nativeAttributeName>entryUUID</ra:nativeAttributeName>
+                                    <ra:frameworkAttributeName>__UID__</ra:frameworkAttributeName>
+                                </xsd:appinfo>
+                            </xsd:annotation>
+                        </xsd:element>
+                    </xsd:sequence>
+                </xsd:complexType>
+				<xsd:complexType name="groupOfUniqueNames">
+                    <xsd:annotation>
+                        <xsd:appinfo>
+                            <ra:resourceObject/>
+                            <ra:identifier>ri:entryUUID</ra:identifier>
+                            <ra:secondaryIdentifier>ri:dn</ra:secondaryIdentifier>
+                            <ra:displayNameAttribute>ri:dn</ra:displayNameAttribute>
+                            <ra:namingAttribute>ri:dn</ra:namingAttribute>
+                            <ra:nativeObjectClass>groupOfUniqueNames</ra:nativeObjectClass>
+                        </xsd:appinfo>
+                    </xsd:annotation>
+                    <xsd:sequence>
+                        <xsd:element minOccurs="0" name="createTimestamp" type="xsd:dateTime">
+                            <xsd:annotation>
+                                <xsd:appinfo>
+                                    <a:displayOrder>120</a:displayOrder>
+                                    <a:access>read</a:access>
+                                    <ra:nativeAttributeName>createTimestamp</ra:nativeAttributeName>
+                                    <ra:frameworkAttributeName>createTimestamp</ra:frameworkAttributeName>
+                                    <ra:returnedByDefault>false</ra:returnedByDefault>
+                                </xsd:appinfo>
+                            </xsd:annotation>
+                        </xsd:element>
+                        <xsd:element maxOccurs="unbounded" name="uniqueMember" type="xsd:string">
+                            <xsd:annotation>
+                                <xsd:appinfo>
+                                    <a:displayOrder>130</a:displayOrder>
+                                    <ra:nativeAttributeName>uniqueMember</ra:nativeAttributeName>
+                                    <ra:frameworkAttributeName>uniqueMember</ra:frameworkAttributeName>
+                                </xsd:appinfo>
+                            </xsd:annotation>
+                        </xsd:element>
+                        <xsd:element minOccurs="0" name="memberOf" type="xsd:string">
+                            <xsd:annotation>
+                                <xsd:appinfo>
+                                    <a:displayOrder>140</a:displayOrder>
+                                    <ra:nativeAttributeName>memberOf</ra:nativeAttributeName>
+                                    <ra:frameworkAttributeName>memberOf</ra:frameworkAttributeName>
+                                    <ra:returnedByDefault>false</ra:returnedByDefault>
+                                </xsd:appinfo>
+                            </xsd:annotation>
+                        </xsd:element>
+                        <xsd:element maxOccurs="unbounded" minOccurs="0" name="ou" type="xsd:string">
+                            <xsd:annotation>
+                                <xsd:appinfo>
+                                    <a:displayOrder>150</a:displayOrder>
+                                    <a:matchingRule xmlns:qn47="http://prism.evolveum.com/xml/ns/public/matching-rule-3">qn47:stringIgnoreCase</a:matchingRule>
+                                    <ra:nativeAttributeName>ou</ra:nativeAttributeName>
+                                    <ra:frameworkAttributeName>ou</ra:frameworkAttributeName>
+                                </xsd:appinfo>
+                            </xsd:annotation>
+                        </xsd:element>
+                        <xsd:element maxOccurs="unbounded" name="cn" type="xsd:string">
+                            <xsd:annotation>
+                                <xsd:appinfo>
+                                    <a:displayOrder>160</a:displayOrder>
+                                    <a:matchingRule xmlns:qn800="http://prism.evolveum.com/xml/ns/public/matching-rule-3">qn800:stringIgnoreCase</a:matchingRule>
+                                    <ra:nativeAttributeName>cn</ra:nativeAttributeName>
+                                    <ra:frameworkAttributeName>cn</ra:frameworkAttributeName>
+                                </xsd:appinfo>
+                            </xsd:annotation>
+                        </xsd:element>
+                        <xsd:element maxOccurs="unbounded" minOccurs="0" name="o" type="xsd:string">
+                            <xsd:annotation>
+                                <xsd:appinfo>
+                                    <a:displayOrder>170</a:displayOrder>
+                                    <a:matchingRule xmlns:qn573="http://prism.evolveum.com/xml/ns/public/matching-rule-3">qn573:stringIgnoreCase</a:matchingRule>
+                                    <ra:nativeAttributeName>o</ra:nativeAttributeName>
+                                    <ra:frameworkAttributeName>o</ra:frameworkAttributeName>
+                                </xsd:appinfo>
+                            </xsd:annotation>
+                        </xsd:element>
+                        <xsd:element maxOccurs="unbounded" minOccurs="0" name="owner" type="xsd:string">
+                            <xsd:annotation>
+                                <xsd:appinfo>
+                                    <a:displayOrder>180</a:displayOrder>
+                                    <a:matchingRule xmlns:qn389="http://prism.evolveum.com/xml/ns/public/matching-rule-3">qn389:distinguishedName</a:matchingRule>
+                                    <ra:nativeAttributeName>owner</ra:nativeAttributeName>
+                                    <ra:frameworkAttributeName>owner</ra:frameworkAttributeName>
+                                </xsd:appinfo>
+                            </xsd:annotation>
+                        </xsd:element>
+                        <xsd:element maxOccurs="unbounded" minOccurs="0" name="seeAlso" type="xsd:string">
+                            <xsd:annotation>
+                                <xsd:appinfo>
+                                    <a:displayOrder>190</a:displayOrder>
+                                    <a:matchingRule xmlns:qn748="http://prism.evolveum.com/xml/ns/public/matching-rule-3">qn748:distinguishedName</a:matchingRule>
+                                    <ra:nativeAttributeName>seeAlso</ra:nativeAttributeName>
+                                    <ra:frameworkAttributeName>seeAlso</ra:frameworkAttributeName>
+                                </xsd:appinfo>
+                            </xsd:annotation>
+                        </xsd:element>
+                        <xsd:element maxOccurs="unbounded" minOccurs="0" name="description" type="xsd:string">
+                            <xsd:annotation>
+                                <xsd:appinfo>
+                                    <a:displayOrder>200</a:displayOrder>
+                                    <a:matchingRule xmlns:qn447="http://prism.evolveum.com/xml/ns/public/matching-rule-3">qn447:stringIgnoreCase</a:matchingRule>
+                                    <ra:nativeAttributeName>description</ra:nativeAttributeName>
+                                    <ra:frameworkAttributeName>description</ra:frameworkAttributeName>
+                                </xsd:appinfo>
+                            </xsd:annotation>
+                        </xsd:element>
+                        <xsd:element maxOccurs="unbounded" minOccurs="0" name="businessCategory" type="xsd:string">
+                            <xsd:annotation>
+                                <xsd:appinfo>
+                                    <a:displayOrder>210</a:displayOrder>
+                                    <a:matchingRule xmlns:qn897="http://prism.evolveum.com/xml/ns/public/matching-rule-3">qn897:stringIgnoreCase</a:matchingRule>
+                                    <ra:nativeAttributeName>businessCategory</ra:nativeAttributeName>
+                                    <ra:frameworkAttributeName>businessCategory</ra:frameworkAttributeName>
+                                </xsd:appinfo>
+                            </xsd:annotation>
+                        </xsd:element>
+                        <xsd:element name="dn" type="xsd:string">
+                            <xsd:annotation>
+                                <xsd:appinfo>
+                                    <a:displayOrder>110</a:displayOrder>
+                                    <a:matchingRule xmlns:qn327="http://prism.evolveum.com/xml/ns/public/matching-rule-3">qn327:distinguishedName</a:matchingRule>
+                                    <ra:nativeAttributeName>dn</ra:nativeAttributeName>
+                                    <ra:frameworkAttributeName>__NAME__</ra:frameworkAttributeName>
+                                </xsd:appinfo>
+                            </xsd:annotation>
+                        </xsd:element>
+                        <xsd:element minOccurs="0" name="entryUUID" type="xsd:string">
+                            <xsd:annotation>
+                                <xsd:appinfo>
+                                    <a:displayOrder>100</a:displayOrder>
+                                    <a:access>read</a:access>
+                                    <a:matchingRule xmlns:qn35="http://prism.evolveum.com/xml/ns/public/matching-rule-3">qn35:uuid</a:matchingRule>
+                                    <ra:nativeAttributeName>entryUUID</ra:nativeAttributeName>
+                                    <ra:frameworkAttributeName>__UID__</ra:frameworkAttributeName>
+                                </xsd:appinfo>
+                            </xsd:annotation>
+                        </xsd:element>
+                    </xsd:sequence>
+                </xsd:complexType>
+				 <xsd:complexType name="eduPerson">
+                    <xsd:annotation>
+                        <xsd:appinfo>
+                            <ra:resourceObject/>
+                            <ra:identifier>ri:entryUUID</ra:identifier>
+                            <ra:secondaryIdentifier>ri:dn</ra:secondaryIdentifier>
+                            <ra:displayNameAttribute>ri:dn</ra:displayNameAttribute>
+                            <ra:namingAttribute>ri:dn</ra:namingAttribute>
+                            <ra:nativeObjectClass>eduPerson</ra:nativeObjectClass>
+                            <ra:auxiliary>true</ra:auxiliary>
+                        </xsd:appinfo>
+                    </xsd:annotation>
+                    <xsd:sequence>
+                        <xsd:element minOccurs="0" name="createTimestamp" type="xsd:dateTime">
+                            <xsd:annotation>
+                                <xsd:appinfo>
+                                    <a:displayOrder>120</a:displayOrder>
+                                    <a:access>read</a:access>
+                                    <ra:nativeAttributeName>createTimestamp</ra:nativeAttributeName>
+                                    <ra:frameworkAttributeName>createTimestamp</ra:frameworkAttributeName>
+                                    <ra:returnedByDefault>false</ra:returnedByDefault>
+                                </xsd:appinfo>
+                            </xsd:annotation>
+                        </xsd:element>
+                        <xsd:element maxOccurs="unbounded" minOccurs="0" name="eduPersonScopedAffiliation" type="xsd:string">
+                            <xsd:annotation>
+                                <xsd:appinfo>
+                                    <a:displayOrder>130</a:displayOrder>
+                                    <a:matchingRule xmlns:qn158="http://prism.evolveum.com/xml/ns/public/matching-rule-3">qn158:stringIgnoreCase</a:matchingRule>
+                                    <ra:nativeAttributeName>eduPersonScopedAffiliation</ra:nativeAttributeName>
+                                    <ra:frameworkAttributeName>eduPersonScopedAffiliation</ra:frameworkAttributeName>
+                                </xsd:appinfo>
+                            </xsd:annotation>
+                        </xsd:element>
+                        <xsd:element minOccurs="0" name="memberOf" type="xsd:string">
+                            <xsd:annotation>
+                                <xsd:appinfo>
+                                    <a:displayOrder>140</a:displayOrder>
+                                    <ra:nativeAttributeName>memberOf</ra:nativeAttributeName>
+                                    <ra:frameworkAttributeName>memberOf</ra:frameworkAttributeName>
+                                    <ra:returnedByDefault>false</ra:returnedByDefault>
+                                </xsd:appinfo>
+                            </xsd:annotation>
+                        </xsd:element>
+                        <xsd:element minOccurs="0" name="eduPersonPrimaryAffiliation" type="xsd:string">
+                            <xsd:annotation>
+                                <xsd:appinfo>
+                                    <a:displayOrder>150</a:displayOrder>
+                                    <a:matchingRule xmlns:qn631="http://prism.evolveum.com/xml/ns/public/matching-rule-3">qn631:stringIgnoreCase</a:matchingRule>
+                                    <ra:nativeAttributeName>eduPersonPrimaryAffiliation</ra:nativeAttributeName>
+                                    <ra:frameworkAttributeName>eduPersonPrimaryAffiliation</ra:frameworkAttributeName>
+                                </xsd:appinfo>
+                            </xsd:annotation>
+                        </xsd:element>
+                        <xsd:element minOccurs="0" name="eduPersonOrgDN" type="xsd:string">
+                            <xsd:annotation>
+                                <xsd:appinfo>
+                                    <a:displayOrder>160</a:displayOrder>
+                                    <a:matchingRule xmlns:qn676="http://prism.evolveum.com/xml/ns/public/matching-rule-3">qn676:distinguishedName</a:matchingRule>
+                                    <ra:nativeAttributeName>eduPersonOrgDN</ra:nativeAttributeName>
+                                    <ra:frameworkAttributeName>eduPersonOrgDN</ra:frameworkAttributeName>
+                                </xsd:appinfo>
+                            </xsd:annotation>
+                        </xsd:element>
+                        <xsd:element maxOccurs="unbounded" minOccurs="0" name="eduPersonOrgUnitDN" type="xsd:string">
+                            <xsd:annotation>
+                                <xsd:appinfo>
+                                    <a:displayOrder>170</a:displayOrder>
+                                    <a:matchingRule xmlns:qn444="http://prism.evolveum.com/xml/ns/public/matching-rule-3">qn444:distinguishedName</a:matchingRule>
+                                    <ra:nativeAttributeName>eduPersonOrgUnitDN</ra:nativeAttributeName>
+                                    <ra:frameworkAttributeName>eduPersonOrgUnitDN</ra:frameworkAttributeName>
+                                </xsd:appinfo>
+                            </xsd:annotation>
+                        </xsd:element>
+                        <xsd:element maxOccurs="unbounded" minOccurs="0" name="eduPersonAffiliation" type="xsd:string">
+                            <xsd:annotation>
+                                <xsd:appinfo>
+                                    <a:displayOrder>180</a:displayOrder>
+                                    <a:matchingRule xmlns:qn549="http://prism.evolveum.com/xml/ns/public/matching-rule-3">qn549:stringIgnoreCase</a:matchingRule>
+                                    <ra:nativeAttributeName>eduPersonAffiliation</ra:nativeAttributeName>
+                                    <ra:frameworkAttributeName>eduPersonAffiliation</ra:frameworkAttributeName>
+                                </xsd:appinfo>
+                            </xsd:annotation>
+                        </xsd:element>
+                        <xsd:element maxOccurs="unbounded" minOccurs="0" name="eduPersonPrincipalNamePrior" type="xsd:string">
+                            <xsd:annotation>
+                                <xsd:appinfo>
+                                    <a:displayOrder>190</a:displayOrder>
+                                    <a:matchingRule xmlns:qn371="http://prism.evolveum.com/xml/ns/public/matching-rule-3">qn371:stringIgnoreCase</a:matchingRule>
+                                    <ra:nativeAttributeName>eduPersonPrincipalNamePrior</ra:nativeAttributeName>
+                                    <ra:frameworkAttributeName>eduPersonPrincipalNamePrior</ra:frameworkAttributeName>
+                                </xsd:appinfo>
+                            </xsd:annotation>
+                        </xsd:element>
+                        <xsd:element maxOccurs="unbounded" minOccurs="0" name="eduPersonTargetedID" type="xsd:string">
+                            <xsd:annotation>
+                                <xsd:appinfo>
+                                    <a:displayOrder>200</a:displayOrder>
+                                    <a:matchingRule xmlns:qn469="http://prism.evolveum.com/xml/ns/public/matching-rule-3">qn469:stringIgnoreCase</a:matchingRule>
+                                    <ra:nativeAttributeName>eduPersonTargetedID</ra:nativeAttributeName>
+                                    <ra:frameworkAttributeName>eduPersonTargetedID</ra:frameworkAttributeName>
+                                </xsd:appinfo>
+                            </xsd:annotation>
+                        </xsd:element>
+                        <xsd:element maxOccurs="unbounded" minOccurs="0" name="eduPersonEntitlement" type="xsd:string">
+                            <xsd:annotation>
+                                <xsd:appinfo>
+                                    <a:displayOrder>210</a:displayOrder>
+                                    <ra:nativeAttributeName>eduPersonEntitlement</ra:nativeAttributeName>
+                                    <ra:frameworkAttributeName>eduPersonEntitlement</ra:frameworkAttributeName>
+                                </xsd:appinfo>
+                            </xsd:annotation>
+                        </xsd:element>
+                        <xsd:element maxOccurs="unbounded" minOccurs="0" name="eduPersonAssurance" type="xsd:string">
+                            <xsd:annotation>
+                                <xsd:appinfo>
+                                    <a:displayOrder>220</a:displayOrder>
+                                    <a:matchingRule xmlns:qn27="http://prism.evolveum.com/xml/ns/public/matching-rule-3">qn27:stringIgnoreCase</a:matchingRule>
+                                    <ra:nativeAttributeName>eduPersonAssurance</ra:nativeAttributeName>
+                                    <ra:frameworkAttributeName>eduPersonAssurance</ra:frameworkAttributeName>
+                                </xsd:appinfo>
+                            </xsd:annotation>
+                        </xsd:element>
+                        <xsd:element maxOccurs="unbounded" minOccurs="0" name="eduPersonNickname" type="xsd:string">
+                            <xsd:annotation>
+                                <xsd:appinfo>
+                                    <a:displayOrder>230</a:displayOrder>
+                                    <a:matchingRule xmlns:qn972="http://prism.evolveum.com/xml/ns/public/matching-rule-3">qn972:stringIgnoreCase</a:matchingRule>
+                                    <ra:nativeAttributeName>eduPersonNickname</ra:nativeAttributeName>
+                                    <ra:frameworkAttributeName>eduPersonNickname</ra:frameworkAttributeName>
+                                </xsd:appinfo>
+                            </xsd:annotation>
+                        </xsd:element>
+                        <xsd:element maxOccurs="unbounded" minOccurs="0" name="eduPersonOrcid" type="xsd:string">
+                            <xsd:annotation>
+                                <xsd:appinfo>
+                                    <a:displayOrder>240</a:displayOrder>
+                                    <a:matchingRule xmlns:qn626="http://prism.evolveum.com/xml/ns/public/matching-rule-3">qn626:stringIgnoreCase</a:matchingRule>
+                                    <ra:nativeAttributeName>eduPersonOrcid</ra:nativeAttributeName>
+                                    <ra:frameworkAttributeName>eduPersonOrcid</ra:frameworkAttributeName>
+                                </xsd:appinfo>
+                            </xsd:annotation>
+                        </xsd:element>
+                        <xsd:element minOccurs="0" name="eduPersonPrincipalName" type="xsd:string">
+                            <xsd:annotation>
+                                <xsd:appinfo>
+                                    <a:displayOrder>250</a:displayOrder>
+                                    <a:matchingRule xmlns:qn606="http://prism.evolveum.com/xml/ns/public/matching-rule-3">qn606:stringIgnoreCase</a:matchingRule>
+                                    <ra:nativeAttributeName>eduPersonPrincipalName</ra:nativeAttributeName>
+                                    <ra:frameworkAttributeName>eduPersonPrincipalName</ra:frameworkAttributeName>
+                                </xsd:appinfo>
+                            </xsd:annotation>
+                        </xsd:element>
+                        <xsd:element minOccurs="0" name="eduPersonPrimaryOrgUnitDN" type="xsd:string">
+                            <xsd:annotation>
+                                <xsd:appinfo>
+                                    <a:displayOrder>260</a:displayOrder>
+                                    <a:matchingRule xmlns:qn835="http://prism.evolveum.com/xml/ns/public/matching-rule-3">qn835:distinguishedName</a:matchingRule>
+                                    <ra:nativeAttributeName>eduPersonPrimaryOrgUnitDN</ra:nativeAttributeName>
+                                    <ra:frameworkAttributeName>eduPersonPrimaryOrgUnitDN</ra:frameworkAttributeName>
+                                </xsd:appinfo>
+                            </xsd:annotation>
+                        </xsd:element>
+                        <xsd:element name="dn" type="xsd:string">
+                            <xsd:annotation>
+                                <xsd:appinfo>
+                                    <a:displayOrder>110</a:displayOrder>
+                                    <a:matchingRule xmlns:qn348="http://prism.evolveum.com/xml/ns/public/matching-rule-3">qn348:distinguishedName</a:matchingRule>
+                                    <ra:nativeAttributeName>dn</ra:nativeAttributeName>
+                                    <ra:frameworkAttributeName>__NAME__</ra:frameworkAttributeName>
+                                </xsd:appinfo>
+                            </xsd:annotation>
+                        </xsd:element>
+                        <xsd:element maxOccurs="unbounded" minOccurs="0" name="eduPersonUniqueId" type="xsd:string">
+                            <xsd:annotation>
+                                <xsd:appinfo>
+                                    <a:displayOrder>270</a:displayOrder>
+                                    <a:matchingRule xmlns:qn319="http://prism.evolveum.com/xml/ns/public/matching-rule-3">qn319:stringIgnoreCase</a:matchingRule>
+                                    <ra:nativeAttributeName>eduPersonUniqueId</ra:nativeAttributeName>
+                                    <ra:frameworkAttributeName>eduPersonUniqueId</ra:frameworkAttributeName>
+                                </xsd:appinfo>
+                            </xsd:annotation>
+                        </xsd:element>
+                        <xsd:element minOccurs="0" name="entryUUID" type="xsd:string">
+                            <xsd:annotation>
+                                <xsd:appinfo>
+                                    <a:displayOrder>100</a:displayOrder>
+                                    <a:access>read</a:access>
+                                    <a:matchingRule xmlns:qn942="http://prism.evolveum.com/xml/ns/public/matching-rule-3">qn942:uuid</a:matchingRule>
+                                    <ra:nativeAttributeName>entryUUID</ra:nativeAttributeName>
+                                    <ra:frameworkAttributeName>__UID__</ra:frameworkAttributeName>
+                                </xsd:appinfo>
+                            </xsd:annotation>
+                        </xsd:element>
+                    </xsd:sequence>
+                </xsd:complexType>
+				<xsd:complexType name="incwbPerson">
+                    <xsd:annotation>
+                        <xsd:appinfo>
+                            <ra:resourceObject/>
+                            <ra:identifier xmlns:ri="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3">ri:nsUniqueId</ra:identifier>
+                            <ra:secondaryIdentifier xmlns:ri="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3">ri:dn</ra:secondaryIdentifier>
+                            <ra:displayNameAttribute xmlns:ri="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3">ri:dn</ra:displayNameAttribute>
+                            <ra:namingAttribute xmlns:ri="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3">ri:dn</ra:namingAttribute>
+                            <ra:nativeObjectClass>incwbPerson</ra:nativeObjectClass>
+                            <ra:auxiliary>true</ra:auxiliary>
+                        </xsd:appinfo>
+                    </xsd:annotation>
+                    <xsd:sequence>
+                        <xsd:element maxOccurs="unbounded" minOccurs="0" name="nsAccountLock" type="xsd:string">
+                            <xsd:annotation>
+                                <xsd:appinfo>
+                                    <a:displayOrder>120</a:displayOrder>
+                                    <ra:nativeAttributeName>nsAccountLock</ra:nativeAttributeName>
+                                    <ra:frameworkAttributeName>nsAccountLock</ra:frameworkAttributeName>
+                                    <ra:returnedByDefault>false</ra:returnedByDefault>
+                                </xsd:appinfo>
+                            </xsd:annotation>
+                        </xsd:element>
+                        <xsd:element minOccurs="0" name="createTimestamp" type="xsd:dateTime">
+                            <xsd:annotation>
+                                <xsd:appinfo>
+                                    <a:displayOrder>130</a:displayOrder>
+                                    <a:access>read</a:access>
+                                    <ra:nativeAttributeName>createTimestamp</ra:nativeAttributeName>
+                                    <ra:frameworkAttributeName>createTimestamp</ra:frameworkAttributeName>
+                                    <ra:returnedByDefault>false</ra:returnedByDefault>
+                                </xsd:appinfo>
+                            </xsd:annotation>
+                        </xsd:element>
+                        <xsd:element maxOccurs="unbounded" minOccurs="0" name="memberOf" type="xsd:string">
+                            <xsd:annotation>
+                                <xsd:appinfo>
+                                    <a:displayOrder>140</a:displayOrder>
+                                    <a:matchingRule xmlns:qn940="http://prism.evolveum.com/xml/ns/public/matching-rule-3">qn940:distinguishedName</a:matchingRule>
+                                    <ra:nativeAttributeName>memberOf</ra:nativeAttributeName>
+                                    <ra:frameworkAttributeName>memberOf</ra:frameworkAttributeName>
+                                    <ra:returnedByDefault>false</ra:returnedByDefault>
+                                </xsd:appinfo>
+                            </xsd:annotation>
+                        </xsd:element>
+                        <xsd:element minOccurs="0" name="incwbPersonEmployeeID" type="xsd:string">
+                            <xsd:annotation>
+                                <xsd:appinfo>
+                                    <a:displayOrder>150</a:displayOrder>
+                                    <a:matchingRule xmlns:qn491="http://prism.evolveum.com/xml/ns/public/matching-rule-3">qn491:stringIgnoreCase</a:matchingRule>
+                                    <ra:nativeAttributeName>incwbPersonEmployeeID</ra:nativeAttributeName>
+                                    <ra:frameworkAttributeName>incwbPersonEmployeeID</ra:frameworkAttributeName>
+                                </xsd:appinfo>
+                            </xsd:annotation>
+                        </xsd:element>
+                        <xsd:element minOccurs="0" name="incwbPersonStudentID" type="xsd:string">
+                            <xsd:annotation>
+                                <xsd:appinfo>
+                                    <a:displayOrder>160</a:displayOrder>
+                                    <a:matchingRule xmlns:qn200="http://prism.evolveum.com/xml/ns/public/matching-rule-3">qn200:stringIgnoreCase</a:matchingRule>
+                                    <ra:nativeAttributeName>incwbPersonStudentID</ra:nativeAttributeName>
+                                    <ra:frameworkAttributeName>incwbPersonStudentID</ra:frameworkAttributeName>
+                                </xsd:appinfo>
+                            </xsd:annotation>
+                        </xsd:element>
+                        <xsd:element minOccurs="0" name="incwbPersonGuestID" type="xsd:string">
+                            <xsd:annotation>
+                                <xsd:appinfo>
+                                    <a:displayOrder>170</a:displayOrder>
+                                    <a:matchingRule xmlns:qn405="http://prism.evolveum.com/xml/ns/public/matching-rule-3">qn405:stringIgnoreCase</a:matchingRule>
+                                    <ra:nativeAttributeName>incwbPersonGuestID</ra:nativeAttributeName>
+                                    <ra:frameworkAttributeName>incwbPersonGuestID</ra:frameworkAttributeName>
+                                </xsd:appinfo>
+                            </xsd:annotation>
+                        </xsd:element>
+                        <xsd:element name="dn" type="xsd:string">
+                            <xsd:annotation>
+                                <xsd:appinfo>
+                                    <a:displayOrder>110</a:displayOrder>
+                                    <a:matchingRule xmlns:qn965="http://prism.evolveum.com/xml/ns/public/matching-rule-3">qn965:distinguishedName</a:matchingRule>
+                                    <ra:nativeAttributeName>dn</ra:nativeAttributeName>
+                                    <ra:frameworkAttributeName>__NAME__</ra:frameworkAttributeName>
+                                </xsd:appinfo>
+                            </xsd:annotation>
+                        </xsd:element>
+                        <xsd:element minOccurs="0" name="nsUniqueId" type="xsd:string">
+                            <xsd:annotation>
+                                <xsd:appinfo>
+                                    <a:displayOrder>100</a:displayOrder>
+                                    <a:access>read</a:access>
+                                    <ra:nativeAttributeName>nsUniqueId</ra:nativeAttributeName>
+                                    <ra:frameworkAttributeName>__UID__</ra:frameworkAttributeName>
+                                </xsd:appinfo>
+                            </xsd:annotation>
+                        </xsd:element>
+                    </xsd:sequence>
+                </xsd:complexType>
+			</xsd:schema>
+        </definition>
 	</schema>
 
 	<schemaHandling>
@@ -77,6 +1122,7 @@
 			<default>true</default>
 			<objectClass>ri:inetOrgPerson</objectClass>
 			<auxiliaryObjectClass>ri:eduPerson</auxiliaryObjectClass>
+			<auxiliaryObjectClass>ri:eduMember</auxiliaryObjectClass>
 			<auxiliaryObjectClass>ri:incwbPerson</auxiliaryObjectClass>
 			<attribute>
 				<ref>ri:dn</ref>
@@ -249,6 +1295,15 @@
                 <direction>objectToSubject</direction>
                 <associationAttribute>ri:uniqueMember</associationAttribute>
                 <valueAttribute>ri:dn</valueAttribute>
+            </association>
+			<association>
+                <ref>ri:isMemberOfAssociation</ref>
+                <tolerant>false</tolerant>
+                <kind>entitlement</kind>
+                <intent>group</intent>
+                <direction>subjectToObject</direction>
+                <associationAttribute>ri:isMemberOf</associationAttribute>
+                <valueAttribute>ri:cn</valueAttribute>
             </association>
 			<protected>
 				<filter>
@@ -303,6 +1358,7 @@
             <attribute>
                 <ref>ri:cn</ref>
                 <matchingRule>mr:stringIgnoreCase</matchingRule>
+				<secondaryIdentifier>true</secondaryIdentifier>
                 <outbound>
                     <strength>weak</strength>
                     <source>
diff --git a/Workbench/midpoint_server/container_files/mp-home/post-initial-objects/roles/200-metarole-ldap-group.xml b/Workbench/midpoint_server/container_files/mp-home/post-initial-objects/roles/200-metarole-ldap-group.xml
index 91bf370..dc52597 100644
--- a/Workbench/midpoint_server/container_files/mp-home/post-initial-objects/roles/200-metarole-ldap-group.xml
+++ b/Workbench/midpoint_server/container_files/mp-home/post-initial-objects/roles/200-metarole-ldap-group.xml
@@ -121,6 +121,20 @@
                         </associationFromLink>
                     </expression>
                 </outbound>
+            </association>
+			<association>
+                <ref>ri:isMemberOfAssociation</ref>
+                <outbound>
+                    <expression>
+                        <associationFromLink>
+                            <projectionDiscriminator>
+                                <kind>entitlement</kind>
+                                <intent>group</intent>
+                            </projectionDiscriminator>
+                            <assignmentPathIndex>1</assignmentPathIndex>
+                        </associationFromLink>
+                    </expression>
+                </outbound>
             </association>
         </construction>
         <order>3</order>        <!--  order=3 means the user object; user has an assignment to the org: user->org->archetype->metarole -->