diff --git a/powerdnsadmin/models/setting.py b/powerdnsadmin/models/setting.py
index fba9a26..8d469da 100644
--- a/powerdnsadmin/models/setting.py
+++ b/powerdnsadmin/models/setting.py
@@ -42,7 +42,9 @@ class Setting(db.Model):
 'ldap_admin_username': '',
 'ldap_admin_password': '',
 'ldap_filter_basic': '',
+ 'ldap_filter_group': '',
 'ldap_filter_username': '',
+ 'ldap_filter_groupname': '',
 'ldap_sg_enabled': False,
 'ldap_admin_group': '',
 'ldap_operator_group': '',
diff --git a/powerdnsadmin/models/user.py b/powerdnsadmin/models/user.py
index e771bef..f061b7e 100644
--- a/powerdnsadmin/models/user.py
+++ b/powerdnsadmin/models/user.py
@@ -223,6 +223,8 @@ class User(db.Model):
 LDAP_BASE_DN = Setting().get('ldap_base_dn')
 LDAP_FILTER_BASIC = Setting().get('ldap_filter_basic')
 LDAP_FILTER_USERNAME = Setting().get('ldap_filter_username')
+ LDAP_FILTER_GROUP = Setting().get('ldap_filter_group')
+ LDAP_FILTER_GROUPNAME = Setting().get('ldap_filter_groupname')
 LDAP_ADMIN_GROUP = Setting().get('ldap_admin_group')
 LDAP_OPERATOR_GROUP = Setting().get('ldap_operator_group')
 LDAP_USER_GROUP = Setting().get('ldap_user_group')
@@ -269,21 +271,23 @@ class User(db.Model):
 if LDAP_GROUP_SECURITY_ENABLED:
 try:
 if LDAP_TYPE == 'ldap':
- if (self.ldap_search(searchFilter,
+ groupSearchFilter = "(&({0}={1}){2})".format(LDAP_FILTER_GROUPNAME, ldap_username, LDAP_FILTER_GROUP)
+ logging.info('groupSearchFilter is {0}'.format(groupSearchFilter))
+ if (self.ldap_search(groupSearchFilter,
 LDAP_ADMIN_GROUP)):
 role_name = 'Administrator'
 current_app.logger.info(
 'User {0} is part of the "{1}" group that allows admin access to PowerDNS-Admin'
 .format(self.username, LDAP_ADMIN_GROUP))
- elif (self.ldap_search(searchFilter,
+ elif (self.ldap_search(groupSearchFilter,
 LDAP_OPERATOR_GROUP)):
 role_name = 'Operator'
 current_app.logger.info(
 'User {0} is part of the "{1}" group that allows operator access to PowerDNS-Admin'
 .format(self.username, LDAP_OPERATOR_GROUP))
- elif (self.ldap_search(searchFilter,
+ elif (self.ldap_search(groupSearchFilter,
 LDAP_USER_GROUP)):
 current_app.logger.info(
 'User {0} is part of the "{1}" group that allows user access to PowerDNS-Admin'
diff --git a/powerdnsadmin/routes/admin.py b/powerdnsadmin/routes/admin.py
index d892a29..ad37f81 100644
--- a/powerdnsadmin/routes/admin.py
+++ b/powerdnsadmin/routes/admin.py
@@ -651,8 +651,12 @@ def setting_authentication():
 request.form.get('ldap_admin_password'))
 Setting().set('ldap_filter_basic',
 request.form.get('ldap_filter_basic'))
+ Setting().set('ldap_filter_group',
+ request.form.get('ldap_filter_group'))
 Setting().set('ldap_filter_username',
 request.form.get('ldap_filter_username'))
+ Setting().set('ldap_filter_groupname',
+ request.form.get('ldap_filter_groupname'))
 Setting().set(
 'ldap_sg_enabled',
 True if request.form.get('ldap_sg_enabled') == 'ON' else False)
diff --git a/powerdnsadmin/templates/admin_setting_authentication.html b/powerdnsadmin/templates/admin_setting_authentication.html
index 53a9798..ffc0726 100644
--- a/powerdnsadmin/templates/admin_setting_authentication.html
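Review bot: `ldap_username` is interpolated verbatim into `groupSearchFilter` on the added `"(&({0}={1}){2})".format(...)` line, so a login name carrying LDAP filter metacharacters (for example `*` or `)`) changes the meaning of the membership test that decides whether the account receives the Administrator or Operator role; escape it first with python-ldap's `ldap.filter.escape_filter_chars(ldap_username)` (presumably `ldap` is already imported in this file since the `LDAP_TYPE == 'ldap'` path is handled here — confirm). The same template produces the malformed filter `(&(=name))` when `ldap_filter_groupname` is left at the empty default added in setting.py, so a guard such as `if not LDAP_FILTER_GROUPNAME: raise ValueError('ldap_filter_groupname is not configured')` belongs before the first `ldap_search` call. The added `logging.info(...)` line uses the root logger while every neighbouring line uses `current_app.logger`, and it writes the full filter including the username at INFO level; `current_app.logger.debug('groupSearchFilter is {0}'.format(groupSearchFilter))` keeps it consistent and out of production logs. The enclosing method continues on both sides of the hunk, and `ldap_username` is assigned outside it.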
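Review bot: The new `ldap_filter_group` and `ldap_filter_groupname` settings are stored straight from `request.form.get(...)`, which yields `None` when the field is absent from the submitted form, and the user.py change in this same commit formats both values into the LDAP search filter, so a missing field would put the literal text `None` inside the filter; normalising with `request.form.get('ldap_filter_group', '').strip()` (and likewise for `ldap_filter_groupname`) keeps the stored value a string. The neighbouring settings follow the same unvalidated pattern, so this is an inherited style rather than a regression, but these two are the ones that end up inside a filter that gates role assignment rather than being merely displayed. The rest of `setting_authentication` lies outside the hunk.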
+++ b/powerdnsadmin/templates/admin_setting_authentication.html
@@ -141,6 +141,16 @@
+