diff --git a/src/internal/adapters/lldap/config.go b/src/internal/adapters/lldap/config.go
index bb2b60b..8e91fe3 100644
--- a/src/internal/adapters/lldap/config.go
+++ b/src/internal/adapters/lldap/config.go
@@ -6,26 +6,26 @@ package lldap
 // Config holds all connection parameters for the LLDAP adapter.
 type Config struct {
 // URL is the LDAP server address, e.g. "ldap://lldap:389" or "ldaps://lldap:636".
- URL string
+ URL string `yaml:"url"`
 
 // BindDN is the distinguished name used for the service account bind,
 // e.g. "cn=admin,dc=netkingdom,dc=local".
- BindDN string
+ BindDN string `yaml:"bindDN"`
 
 // BindPW is the service account password.
- BindPW string
+ BindPW string `yaml:"bindPW"`
 
 // BaseDN is the search base, e.g. "dc=netkingdom,dc=local".
- BaseDN string
+ BaseDN string `yaml:"baseDN"`
 
 // UserOU is the organisational unit for users. Defaults to "ou=users" when empty.
- UserOU string
+ UserOU string `yaml:"userOU,omitempty"`
 
 // GroupOU is the organisational unit for groups. Defaults to "ou=groups" when empty.
- GroupOU string
+ GroupOU string `yaml:"groupOU,omitempty"`
 
 // TLSSkipVerify disables TLS certificate verification. For development only.
- TLSSkipVerify bool
+ TLSSkipVerify bool `yaml:"tlsSkipVerify,omitempty"`
 }
 
 // userOU returns the effective UserOU, falling back to the default.
diff --git a/src/internal/config/config_test.go b/src/internal/config/config_test.go
index f5afd2c..73060c1 100644
--- a/src/internal/config/config_test.go
+++ b/src/internal/config/config_test.go
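Review bot: In `Config` (src/internal/adapters/lldap/config.go) the new `yaml:"tlsSkipVerify,omitempty"` tag lets a deployment file switch off certificate verification, and the only guard visible in this hunk is the "For development only" comment. The loader is outside this diff, so if it does not already do so, its validation should refuse the flag outside dev, roughly `if cfg.LLDAP.TLSSkipVerify && env != "dev" { return nil, fmt.Errorf("lldap.tlsSkipVerify is only permitted when environment is dev") }`, with `env` standing for whatever field holds the `environment` key. The `bindPW` tag also means the password would be written out in cleartext by any marshal of `Config`, so its comment could read `// BindPW is the service account password. Loaded in cleartext from the config file; never log or marshal this value.`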
@@ -161,6 +161,42 @@ clients:
 }
 }
 
+func TestLoad_LLDAPOrganisationalUnits(t *testing.T) {
+ keyPath := writeTempFile(t, "placeholder-key")
+ yaml := `
+issuer: "https://kc.example.com"
+port: 8080
+tokenLifetime: "15m"
+privateKeyPem: "` + keyPath + `"
+environment: "dev"
+lldap:
+ url: "ldap://lldap.sso.svc.cluster.local:3890"
+ bindDN: "uid=admin,ou=people,dc=netkingdom,dc=local"
+ bindPW: "secret"
+ baseDN: "dc=netkingdom,dc=local"
+ userOU: "ou=people"
+ groupOU: "ou=groups"
+clients:
+ - clientId: "netkingdom-bootstrap-console"
+ displayName: "NetKingdom Bootstrap Console"
+ redirectUris:
+ - "http://127.0.0.1:8876/oidc/callback"
+ clientType: "public"
+`
+ cfgPath := writeTempFile(t, yaml)
+
+ cfg, err := config.Load(cfgPath)
+ if err != nil {
+ t.Fatalf("Load: unexpected error: %v", err)
+ }
+ if cfg.LLDAP.UserOU != "ou=people" {
+ t.Errorf("LLDAP.UserOU: got %q", cfg.LLDAP.UserOU)
+ }
+ if cfg.LLDAP.GroupOU != "ou=groups" {
+ t.Errorf("LLDAP.GroupOU: got %q", cfg.LLDAP.GroupOU)
+ }
+}
+
 func TestLoad_FileNotFound(t *testing.T) {
 _, err := config.Load(filepath.Join(t.TempDir(), "nonexistent.yaml"))
 if err == nil {
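Review bot: `TestLoad_LLDAPOrganisationalUnits` asserts only `UserOU` and `GroupOU`, so a mistyped tag on `bindDN`, `bindPW` or `baseDN`, all introduced by the same commit, would still pass. Adding `if cfg.LLDAP.BindDN != "uid=admin,ou=people,dc=netkingdom,dc=local" { t.Errorf("LLDAP.BindDN: got %q", cfg.LLDAP.BindDN) }` and the matching `BaseDN` check closes that gap. Since the fixture omits `tlsSkipVerify`, `if cfg.LLDAP.TLSSkipVerify { t.Error("LLDAP.TLSSkipVerify: want false when the key is omitted") }` would pin the verifying default. As a style point, the local named `yaml` would shadow a `yaml` package import if this test file ever gains one; `cfgYAML` avoids that.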