diff --git a/config/config-sample.ini b/config/config-sample.ini
index 4a5d3c9..9cb256d 100644
--- a/config/config-sample.ini
+++ b/config/config-sample.ini
@@ -92,6 +92,8 @@ starttls = 0
 dn_user = "ou=users,dc=example,dc=com"
 ; LDAP subtree containing GROUP entries
 dn_group = "ou=groups,dc=example,dc=com"
+; (Optional) filter for matching user objects
+;user_filter = "(objectClass=inetOrgPerson)"
 ; Set to 1 if the LDAP library should process referrals. In most cases this
 ; is not needed, and for AD servers it can cause errors when querying the
 ; whole tree.
diff --git a/model/user.php b/model/user.php
index d9c7d07..564c45f 100644
--- a/model/user.php
+++ b/model/user.php
@@ -308,7 +308,12 @@ class User extends Entity {
 if(isset($config['ldap']['user_active'])) {
 $attributes[] = $config['ldap']['user_active'];
 }
- $ldapusers = $this->ldap->search($config['ldap']['dn_user'], LDAP::escape($config['ldap']['user_id']).'='.LDAP::escape($this->uid), array_keys(array_flip($attributes)));
+ if(isset($config['ldap']['user_filter'])) {
+ $user_filter = $config['ldap']['user_filter'];
+ } else {
+ $user_filter = '';
+ }
+ $ldapusers = $this->ldap->search($config['ldap']['dn_user'], '(&('.LDAP::escape($config['ldap']['user_id']).'='.LDAP::escape($this->uid).')'.$user_filter.')', array_keys(array_flip($attributes)));
 if($ldapuser = reset($ldapusers)) {
 $this->auth_realm = 'LDAP';
 $this->uid = $ldapuser[strtolower($config['ldap']['user_id'])];
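Review bot: The configured `user_filter` is spliced into the search filter unescaped on the new `$ldapusers = ...` line in model/user.php, so it must be a complete parenthesised filter component. A value written without the outer parentheses (e.g. `objectClass=inetOrgPerson`) produces a malformed filter, and how `search()` and the following `reset($ldapusers)` behave on that error is not visible here. Since this filter now helps decide which directory entries are accepted as users, I would reject a bad value up front, for example `if($user_filter !== '' && ($user_filter[0] !== '(' || substr($user_filter, -1) !== ')')) { throw new InvalidArgumentException('ldap.user_filter must be a parenthesised LDAP filter'); }`, and add a comment such as `// user_filter is trusted admin configuration, inserted verbatim (not escaped)`. It is also worth confirming that any other LDAP user searches in the codebase apply the same filter, otherwise the restriction only holds for this lookup. The enclosing method starts and ends outside the hunk.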