diff --git a/config/config-sample.ini b/config/config-sample.ini
index 5280630..7e400c0 100644
--- a/config/config-sample.ini
+++ b/config/config-sample.ini
@@ -85,6 +85,10 @@ starttls = 0
 dn_user = "ou=users,dc=example,dc=com"
 ; LDAP subtree containing GROUP entries
 dn_group = "ou=groups,dc=example,dc=com"
+; Set to 1 if the LDAP library should process referrals. In most cases this
+; is not needed, and for AD servers it can cause errors when querying the
+; whole tree.
+follow_referrals = 0
 ; Leave bind_dn empty if binding is not required
 bind_dn =
diff --git a/core.php b/core.php
index 660bf27..618c15b 100644
--- a/core.php
+++ b/core.php
@@ -35,7 +35,10 @@ require('routes.php');
 require('ldap.php');
 require('email.php');
-$ldap = new LDAP($config['ldap']['host'], $config['ldap']['starttls'], $config['ldap']['bind_dn'], $config['ldap']['bind_password']);
+$ldap_options = array();
+$ldap_options[LDAP_OPT_PROTOCOL_VERSION] = 3;
+$ldap_options[LDAP_OPT_REFERRALS] = !empty($config['ldap']['follow_referrals']);
+$ldap = new LDAP($config['ldap']['host'], $config['ldap']['starttls'], $config['ldap']['bind_dn'], $config['ldap']['bind_password'], $ldap_options);
 setup_database();
 $relative_frontend_base_url = (string)parse_url($config['web']['baseurl'], PHP_URL_PATH);
diff --git a/ldap.php b/ldap.php
index 6cc38bd..8b9d0f1 100644
--- a/ldap.php
+++ b/ldap.php
@@ -21,13 +21,15 @@ class LDAP {
 	private $starttls;
 	private $bind_dn;
 	private $bind_password;
+	private $options;
-	public function __construct($host, $starttls, $bind_dn, $bind_password) {
+	public function __construct($host, $starttls, $bind_dn, $bind_password, $options) {
 		$this->conn = null;
 		$this->host = $host;
 		$this->starttls = $starttls;
 		$this->bind_dn = $bind_dn;
 		$this->bind_password = $bind_password;
+		$this->options = $options;
 	}
 	private function connect() {
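Review bot: `!empty($config['ldap']['follow_referrals'])` on the new `$ldap_options[LDAP_OPT_REFERRALS]` line in core.php turns referral chasing off for every existing config.ini that predates the new key, because a missing key and an explicit `0` are indistinguishable here; before this commit no referral option was set at all, so whatever the library's default is applied. If that is the intended upgrade behaviour, say so where the array is built, e.g. `// Referrals are disabled unless follow_referrals is explicitly 1 (also for configs predating the key).`; otherwise test the key with `isset()` and leave the option unset when it is absent. The same upgrade note belongs next to the new key in the config-sample.ini hunk above.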
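Review bot: The new `$options` parameter on `__construct` in ldap.php has no default, so any caller other than the one updated in core.php now fails (an ArgumentCountError on PHP 7.1+), and a caller passing `null` would make the `foreach` in connect() emit a warning and apply no options. A default keeps older call sites working: `public function __construct($host, $starttls, $bind_dn, $bind_password, $options = array()) {`. A short docblock stating that `$options` maps `LDAP_OPT_*` constants to the values passed to ldap_set_option() on connect would also help, since the property is otherwise untyped and undocumented.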
@@ -36,8 +38,10 @@ class LDAP {
 		if($this->starttls) {
 			if(!ldap_start_tls($this->conn)) throw new LDAPConnectionFailureException('Could not initiate TLS connection to LDAP server');
 		}
+		foreach($this->options as $option => $value) {
+			ldap_set_option($this->conn, $option, $value);
+		}
 		if(!empty($this->bind_dn)) {
-			ldap_set_option($this->conn, LDAP_OPT_PROTOCOL_VERSION, 3);
 			if(!ldap_bind($this->conn, $this->bind_dn, $this->bind_password)) throw new LDAPConnectionFailureException('Could not bind to LDAP server');
 		}
 	}
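Review bot: The return value of `ldap_set_option()` inside the new `foreach` is ignored, so an option the library rejects leaves the connection in a state the configuration did not ask for (for example referrals still being chased when `follow_referrals = 0`) and nothing reports it. The surrounding code already throws on a failed start_tls or bind, so the loop body should do the same: `if(!ldap_set_option($this->conn, $option, $value)) throw new LDAPConnectionFailureException('Could not set LDAP option');`. The options, including LDAP_OPT_PROTOCOL_VERSION, are also applied only after `ldap_start_tls()`; this appears to rely on the PHP ldap extension forcing protocol version 3 itself before negotiating TLS (the removed line had the same dependency), and moving the loop above the starttls block would make the code independent of that detail. connect() begins before this hunk.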