diff --git a/config/config-sample.ini b/config/config-sample.ini
index 9cb256d..0f6d2d6 100644
--- a/config/config-sample.ini
+++ b/config/config-sample.ini
@@ -94,6 +94,9 @@ dn_user = "ou=users,dc=example,dc=com"
 dn_group = "ou=groups,dc=example,dc=com"
 ; (Optional) filter for matching user objects
 ;user_filter = "(objectClass=inetOrgPerson)"
+; (Optional) filter for matching group objects
+;group_filter = "(objectClass=posixGroup)"
+
 ; Set to 1 if the LDAP library should process referrals. In most cases this
 ; is not needed, and for AD servers it can cause errors when querying the
 ; whole tree.
diff --git a/model/user.php b/model/user.php
index 564c45f..a22393e 100644
--- a/model/user.php
+++ b/model/user.php
@@ -313,6 +313,11 @@ class User extends Entity {
 } else {
 $user_filter = '';
 }
+ if(isset($config['ldap']['group_filter'])) {
+ $group_filter = $config['ldap']['group_filter'];
+ } else {
+ $group_filter = '';
+ }
 $ldapusers = $this->ldap->search($config['ldap']['dn_user'], '(&('.LDAP::escape($config['ldap']['user_id']).'='.LDAP::escape($this->uid).')'.$user_filter.')', array_keys(array_flip($attributes)));
 if($ldapuser = reset($ldapusers)) {
 $this->auth_realm = 'LDAP';
@@ -330,7 +335,7 @@ class User extends Entity {
 $this->active = 1;
 }
 $group_member = $ldapuser[strtolower($config['ldap']['group_member_value'])];
- $ldapgroups = $this->ldap->search($config['ldap']['dn_group'], LDAP::escape($config['ldap']['group_member']).'='.LDAP::escape($group_member), array('cn'));
+ $ldapgroups = $this->ldap->search($config['ldap']['dn_group'], '(&('.LDAP::escape($config['ldap']['group_member']).'='.LDAP::escape($group_member).')'.$group_filter.')', array('cn'));
 $memberships = array();
 foreach($ldapgroups as $ldapgroup) {
 $memberships[$ldapgroup['cn']] = true;
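Review bot: The new `;group_filter` comment does not say what shape the value must have, and the code splices it raw into an `(&(...)...)` expression, so a value written without the surrounding brackets produces an invalid LDAP filter. I would extend the added comment to `; (Optional) filter for matching group objects. Must be a complete, parenthesised filter term; it is AND-ed with the group membership lookup.` The same caveat applies to the existing `;user_filter` line above it.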
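Review bot: The `group_filter` value read on the added `isset` lines is later concatenated verbatim into the group search filter (`'(&(' … ')'.$group_filter.')'`), so anything that is not a complete parenthesised filter term — for example `objectClass=posixGroup` without the brackets — yields a syntactically invalid filter, and the membership lookup then fails or comes back empty, which silently drops every group-derived permission for the user. The value is admin-supplied config, so this is a misconfiguration surface rather than an injection one, but failing loudly here is safer than an empty membership list; an empty string is harmless since `(&(member=x))` is still a valid filter. How a search error is surfaced depends on `$this->ldap->search`, which is outside this hunk, and the pre-existing `user_filter` branch just above would benefit from the same check. The enclosing method begins before this hunk and continues past it.
```php
if(isset($config['ldap']['group_filter'])) {
	$group_filter = $config['ldap']['group_filter'];
} else {
	$group_filter = '';
}
// A non-empty filter must be a complete "(...)" term; anything else breaks the "(&(...)...)" expression built below.
if($group_filter !== '' && (substr($group_filter, 0, 1) !== '(' || substr($group_filter, -1) !== ')')) {
	// use whatever error mechanism this class already relies on; an Exception is shown here as a placeholder
	throw new Exception('ldap.group_filter must be a complete parenthesised LDAP filter, e.g. (objectClass=posixGroup)');
}
// … unchanged: user search and LDAP attribute mapping …
```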