diff --git a/docker/bootstrap.ldif b/docker/bootstrap.ldif
index 55a7afdc..8ba64ec5 100644
--- a/docker/bootstrap.ldif
+++ b/docker/bootstrap.ldif
@@ -2,15 +2,19 @@ dn: ou=users,dc=mydomain,dc=tld
 objectclass: organizationalUnit
 ou: users
-dn: ou=clients,dc=mydomain,dc=tld
+dn: ou=oauth,dc=mydomain,dc=tld
 objectclass: organizationalUnit
 ou: clients
-dn: ou=tokens,dc=mydomain,dc=tld
+dn: ou=clients,ou=oauth,dc=mydomain,dc=tld
+objectclass: organizationalUnit
+ou: clients
+
+dn: ou=tokens,ou=oauth,dc=mydomain,dc=tld
 objectclass: organizationalUnit
 ou: tokens
-dn: ou=groups,dc=mydomain,dc=tld
+dn: ou=groups,ou=oauth,dc=mydomain,dc=tld
 objectclass: organizationalUnit
 ou: groups
diff --git a/oidc_ldap_bridge/ldaputils.py b/oidc_ldap_bridge/ldaputils.py
index c63298e3..16781b33 100644
--- a/oidc_ldap_bridge/ldaputils.py
+++ b/oidc_ldap_bridge/ldaputils.py
@@ -60,14 +60,21 @@ class LDAPObjectHelper:
 cls.ocs_by_name(conn)
 cls.attr_type_by_name(conn)
- dn = f"{cls.base},{cls.root_dn}"
- conn.add_s(
- dn,
- [
- ("objectClass", [b"organizationalUnit"]),
- ("ou", [cls.base.encode("utf-8")]),
- ],
- )
+ acc = ""
+ for organizationalUnit in cls.base.split(",")[::-1]:
+ v = organizationalUnit.split("=")[1]
+ dn = f"{organizationalUnit}{acc},{cls.root_dn}"
+ acc = f",{organizationalUnit}"
+ try:
+ conn.add_s(
+ dn,
+ [
+ ("objectClass", [b"organizationalUnit"]),
+ ("ou", [v.encode("utf-8")]),
+ ],
+ )
+ except ldap.ALREADY_EXISTS:
+ pass
 @classmethod
 def ocs_by_name(cls, conn=None):
diff --git a/oidc_ldap_bridge/models.py b/oidc_ldap_bridge/models.py
index d3ff9f7b..c6d93f9e 100644
--- a/oidc_ldap_bridge/models.py
+++ b/oidc_ldap_bridge/models.py
@@ -70,7 +70,7 @@ class User(LDAPObjectHelper):
 class Client(LDAPObjectHelper, ClientMixin):
 objectClass = ["oauthClient"]
- base = "ou=clients"
+ base = "ou=clients,ou=oauth"
 id = "oauthClientID"
 @property
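Review bot: The new `dn: ou=oauth,dc=mydomain,dc=tld` entry still carries `ou: clients`, but an Add must include the distinguished value that forms the entry's own RDN (RFC 4511 §4.7), and OpenLDAP refuses such an entry with namingViolation; the attribute line should be `ou: oauth`. If the `ou=oauth` entry is rejected, the three child entries the hunk adds beneath it would presumably fail as well, since their parent would not exist, and only the bases that go through LDAPObjectHelper's container creation would be recovered at runtime.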
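Review bot: `acc = f",{organizationalUnit}"` on the new side overwrites the accumulator instead of extending it, so for a `base` with three or more RDNs the third iteration builds `ou=a,ou=b,<root_dn>` and silently drops the middle component; it should read `acc = f",{organizationalUnit}{acc}"`. The two-level bases introduced in models.py happen to work, so the defect will only surface when a deeper base is added. Splitting on `,` and `=` also assumes no escaped separators in an RDN value; `ldap.dn.str2dn` handles that if the bases ever stop being literals. Catching `ldap.ALREADY_EXISTS` is reasonable for an idempotent bootstrap, but it also hides a pre-existing entry of a different objectClass, so a one-line comment marking the add as best-effort would help the next reader. The enclosing classmethod's `def` is above the hunk.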
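Review bot: `base` in Client is now a comma-separated chain of RDNs rather than a single OU, and the LDAPObjectHelper change in this commit splits it on `,` and creates the containers parent-first, yet nothing on the class states that convention. A short comment on the attribute, e.g. `# relative DN of this object's container under root_dn; leaf RDN first, each OU is created if missing`, would make the expected format explicit. The same applies to `AuthorizationCode.base` and `Token.base` in the two models.py hunks below.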
@@ -139,7 +139,7 @@ class Client(LDAPObjectHelper, ClientMixin):
 class AuthorizationCode(LDAPObjectHelper, AuthorizationCodeMixin):
 objectClass = ["oauthAuthorizationCode"]
- base = "ou=authorizations"
+ base = "ou=authorizations,ou=oauth"
 id = "oauthCode"
 @property
@@ -175,7 +175,7 @@ class AuthorizationCode(LDAPObjectHelper, AuthorizationCodeMixin):
 class Token(LDAPObjectHelper, TokenMixin):
 objectClass = ["oauthToken"]
- base = "ou=tokens"
+ base = "ou=tokens,ou=oauth"
 id = "oauthAccessToken"
 @property
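Review bot: `base = "ou=authorizations,ou=oauth"` names a container that the bootstrap.ldif hunk at the top of the page does not create, although that hunk does add `ou=clients`, `ou=tokens` and `ou=groups` under `ou=oauth`; the hunk shows only part of the file, so the entry may be defined further down, otherwise this class relies on LDAPObjectHelper creating it on first use. If that reliance is intended, a comment next to the attribute such as `# container is created on demand by LDAPObjectHelper, not by docker/bootstrap.ldif` would save the next reader the search.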