diff --git a/app/models/user.rb b/app/models/user.rb
index ea42e0bec..b25d8bb14 100644
--- a/app/models/user.rb
+++ b/app/models/user.rb
@@ -44,8 +44,16 @@ def groups
   end
 
   # Roles to add depending on user's LDAP groups and ESSI configuration
+  # cache wrapper for ldap_roles_lookup
   def ldap_roles
-    mappings = ESSI.config.dig(:ldap, :group_roles) || {}
+    Rails.cache.fetch("ldap_roles-v1-#{cache_key_with_version}",
+                      expires_in: 1.hour, race_condition_ttl: 1.hour) do
+      ldap_roles_lookup
+    end
+  end
+
+  # Roles to add depending on user's LDAP groups and ESSI configuration
+  def ldap_roles_lookup(mappings: ESSI.config.dig(:ldap, :group_roles) || {})
     mappings.select { |role, groups| member_of_ldap_group?(groups) }.keys
   end
 
diff --git a/config/environments/test.rb b/config/environments/test.rb
index 420a9b752..374a76871 100644
--- a/config/environments/test.rb
+++ b/config/environments/test.rb
@@ -12,6 +12,9 @@
   # preloads Rails for running tests, you may have to set it to true.
   config.eager_load = true
 
+  # Disable cache storage during tests
+  config.cache_store = :memory_store
+
   # Configure public file server for tests with Cache-Control for performance.
   config.public_file_server.enabled = true
   config.public_file_server.headers = {
diff --git a/spec/models/user_spec.rb b/spec/models/user_spec.rb
index 73fb670e8..73f38af53 100644
--- a/spec/models/user_spec.rb
+++ b/spec/models/user_spec.rb
@@ -107,17 +107,29 @@
     end
   end
 
-  describe "#ldap_roles", :clean do
-    before do
-      groups1 = ['groupA', 'groupB']
-      groups2 = ['groupB', 'groupC']
-      allow(user).to receive(:member_of_ldap_group?).with(groups1).and_return(true)
-      allow(user).to receive(:member_of_ldap_group?).with(groups2).and_return(false)
-      allow(ESSI.config).to receive(:dig).with(:ldap, :group_roles).and_return({ roles[0].name => groups1, roles[1].name => groups2  })
-    end
-    it "returns ESSI-configured roles for the user's ldap_groups" do
-      expect(user.ldap_roles).to include roles[0].name
-      expect(user.ldap_roles).not_to include roles[1].name
+  shared_examples "ldap_role behavior" do |method|
+    describe "performs group lookup", :clean do
+      before do
+        Rails.cache.clear
+        groups1 = ['groupA', 'groupB']
+        groups2 = ['groupB', 'groupC']
+        allow(user).to receive(:member_of_ldap_group?).with(groups1).and_return(true)
+        allow(user).to receive(:member_of_ldap_group?).with(groups2).and_return(false)
+        allow(ESSI.config).to receive(:dig).with(:ldap, :group_roles).and_return({ roles[0].name => groups1, roles[1].name => groups2  })
+      end
+      it "returns ESSI-configured roles for the user's ldap_groups" do
+        results = user.send(method)
+        expect(results).to include roles[0].name
+        expect(results).not_to include roles[1].name
+      end
     end
   end
+
+  describe "#ldap_roles", :clean do
+    include_examples "ldap_role behavior", :ldap_roles
+  end
+
+  describe "#ldap_roles_lookup", :clean do
+    include_examples "ldap_role behavior", :ldap_roles_lookup
+  end
 end