Unable to map groups from Apache DS

I am attempting to support user federation with Apache DS where the user must be in Users or Administrators LDAP group. User login works just fine. However, the user shows as having no roles. I am able to import the groups so the LDAP Groups DN is correct. I compared all of the client settings with a server that uses Active Directory groups similarly to map to roles. Do I need to do something different with apache DS since it doesn’t have “memberOf” on users?

This is how my mapper is set up:

This is apache DS config.
image

hnelson has a “member” Users attribute in users but hnelson does not have any roles after login.

roles is empty:

        Collection<String> roles = token.getAccount().getRoles();

I discovered I was missing the mapping on the groups tab in keycloak. Even though the “sync” process created the groups they were not mapped to client or realm roles by clicking on the group.