diff --git a/roles/web-app-keycloak/templates/import/components/org.keycloak.storage.UserStorageProvider.json.j2 b/roles/web-app-keycloak/templates/import/components/org.keycloak.storage.UserStorageProvider.json.j2
index 882b16e8..73b2715c 100644
--- a/roles/web-app-keycloak/templates/import/components/org.keycloak.storage.UserStorageProvider.json.j2
+++ b/roles/web-app-keycloak/templates/import/components/org.keycloak.storage.UserStorageProvider.json.j2
@@ -245,7 +245,7 @@
 {# Build objectClasses from structural + auxiliary definitions #}
 "userObjectClasses": [
- "{{ (ldap.user.objects.structural + (ldap.user.objects.auxiliary | dict2items | map(attribute='value') | list)) | join(', ') }}"
+ {{ KEYCLOAK_LDAP_USER_OBJECT_CLASSES | trim | tojson }}
 ],
 "rdnLDAPAttribute": [
 "{{ ldap.user.attributes.id }}"
 ],
diff --git a/roles/web-app-keycloak/vars/main.yml b/roles/web-app-keycloak/vars/main.yml
index 0680f04d..1ce46f1a 100644
--- a/roles/web-app-keycloak/vars/main.yml
+++ b/roles/web-app-keycloak/vars/main.yml
@@ -60,6 +60,15 @@
 KEYCLOAK_LDAP_BIND_DN: "{{ ldap.dn.administrator.data }}"
 KEYCLOAK_LDAP_BIND_PW: "{{ ldap.bind_credential }}"
 KEYCLOAK_LDAP_URL: "{{ ldap.server.uri }}"
+# It's important to filter the posixAccount class out, because it is just used by ansible
+KEYCLOAK_LDAP_USER_OBJECT_CLASSES: >
+ {{
+ (
+ (ldap.user.objects.structural | reject('equalto','posixAccount') | list)
+ + (ldap.user.objects.auxiliary | dict2items | map(attribute='value') | list)
+ ) | join(', ')
+ }}
+
 ## API
 KEYCLOAK_MASTER_API_USER: "{{ applications | get_app_conf(application_id, 'users.administrator') }}" # Master Administrator
 KEYCLOAK_MASTER_API_USER_NAME: "{{ KEYCLOAK_MASTER_API_USER.username }}" # Master Administrator Username
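Review bot: The context comment `{# Build objectClasses from structural + auxiliary definitions #}` above the replaced line is now stale, because the list is no longer built here but in vars/main.yml; I would change it to `{# userObjectClasses is pre-built as KEYCLOAK_LDAP_USER_OBJECT_CLASSES in vars/main.yml; trim drops the folded scalar's trailing newline, tojson quotes and escapes the value #}`. The new expression also has no guard against an empty result: if every configured class is filtered out, `tojson` emits `""` and the provider is configured with an empty object-class list, which — as far as I can tell from Keycloak's LDAP user search, please verify — would widen the set of LDAP entries treated as users rather than fail. A `{{ KEYCLOAK_LDAP_USER_OBJECT_CLASSES | trim | mandatory | tojson }}` (or an `assert` task before the import) would make that misconfiguration fail loudly instead.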
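Review bot: The `reject('equalto','posixAccount')` in the added `KEYCLOAK_LDAP_USER_OBJECT_CLASSES` is applied only to `ldap.user.objects.structural`, so a `posixAccount` entry in `ldap.user.objects.auxiliary` (where RFC 2307 actually places it as an auxiliary class) passes straight through into Keycloak's config; it is also an exact, case-sensitive comparison while LDAP objectClass names are case-insensitive. I would filter after the concatenation and case-insensitively, e.g. `) | reject('match', '^posixAccount$', True) | join(', ')` in place of the current `) | join(', ')` (Ansible's `match` test takes an `ignorecase` argument — worth confirming for the Ansible version in use). Using `>-` instead of `>` would also drop the trailing newline at the source, so the template's `trim` stops being load-bearing. The comment could say why this matters rather than only who uses the class, e.g. `# posixAccount is only needed by the Ansible-managed LDAP entries; keep it out of Keycloak's userObjectClasses so the user search filter and any entries Keycloak writes do not depend on it` (the second half is my reading of Keycloak's behaviour and should be checked).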