Restrict Keycloak login by LDAP group attribute


I need to be able to restrict Keycloak logins to users that are members of a particular LDAP group. In AD, this should be fairly easy, because AD user records contain the group membership information. But group membership information is not present in OpenLDAP user records. So, how can I do this?