As mentioned before, the relationship support of the LDAP Identity Store is limited. But you can always map the most common relationships such as Grant and GroupMembership

​.ldap()
​  .mapping(Grant.class)
​    .forMapping(Role.class)
​      .attribute("assignee", "member"))

When mapping a relationship type you need to configure which identity type is the owner of a relationship. For example, when mapping a Grant relationship, the LDAP attribute used to map the association between a role and other types is the member attribute. This attribute belongs to role entries on the LDAP server, what makes the Role type the owner of this relationship. For last, we need to tell which property on the Grant type is related with the associated entries. In the case of the Grant relationship, we're configuring the assignee property to store the associated type instances.