diff --git a/config-templates/authsources.php b/config-templates/authsources.php
index 4c3054d848a00e7d0e09573be3f2930f8ef8773c..1d44dc6d96c586b855fe6515fdf446b1c378037b 100644
--- a/config-templates/authsources.php
+++ b/config-templates/authsources.php
@@ -309,6 +309,9 @@ $config = array(
 // the array may match the value the username.
 'search.attributes' => array('uid', 'mail'),
+ // Additional LDAP filters appended to the search attributes
+ 'search.filter' => '(objectclass=inetorgperson)',
+
 // The username & password the SimpleSAMLphp should bind to before searching. If
 // this is left as NULL, no bind will be performed before searching.
 'search.username' => NULL,
diff --git a/lib/SimpleSAML/Auth/LDAP.php b/lib/SimpleSAML/Auth/LDAP.php
index 794e84392e8dacd71102f34539506578df2ce7f3..986c3972201c6b63b6693e4dd9adb3fbb4f1bdae 100644
--- a/lib/SimpleSAML/Auth/LDAP.php
+++ b/lib/SimpleSAML/Auth/LDAP.php
@@ -202,7 +202,7 @@ class SimpleSAML_Auth_LDAP {
 * @throws SimpleSAML_Error_UserNotFound if:
 * - Zero entries was found
 */
- private function search($base, $attribute, $value) {
+ private function search($base, $attribute, $value, $searchFilter=NULL) {
 // Create the search filter
 $attribute = self::escape_filter_value($attribute, FALSE);
@@ -213,6 +213,11 @@ class SimpleSAML_Auth_LDAP {
 }
 $filter = '(|' . $filter . ')';
+ // Append LDAP filters if defined
+ if ($searchFilter!=NULL) {
+ $filter = "(&".$filter."".$searchFilter.")";
+ }
+
 // Search using generated filter
 SimpleSAML_Logger::debug('Library - LDAP search(): Searching base \'' . $base . '\' for \'' . $filter . '\'');
 // TODO: Should aliases be dereferenced?
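Review bot: The template hunk ships `'search.filter' => '(objectclass=inetorgperson)'` as a live value rather than a disabled example, so anyone who copies this section now restricts the DN search to inetOrgPerson entries, and in a directory that uses other object classes (`person`, `user`) no DN is found and the only trace is the "Unable to find users DN" log line. Unless this block of the template is already inside a comment (not visible here), I would default the entry to `NULL`, like the `search.username` entry below it. The comment also undersells what the value is: it is not escaped and must be one complete parenthesised filter that is AND-ed with the attribute match, so it can only narrow the match, never widen it. I would replace the comment with `// Optional LDAP filter AND-ed with the attribute match (it can only narrow it). Must be a single complete parenthesised filter (RFC 4515); it is inserted verbatim, not escaped, so it must come from trusted configuration only. NULL disables it.` — note that the accompanying ldap.txt cites RFC 2544, which is the network-device benchmarking RFC, where the filter grammar is RFC 4515 (successor of 1960/2254).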
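Review bot: The part of the `search()` docblock visible above the new signature lists only `@throws`; there is no `@param` for the new `$searchFilter`, and nothing tells the next caller that the value is spliced into the filter verbatim. I would add `@param string|NULL $searchFilter  Optional LDAP filter AND-ed with the attribute match; inserted unescaped, so it must be a complete parenthesised filter taken from trusted configuration, never from request data.` next to the existing `@throws` entry. The docblock starts, and the method body continues, outside this hunk.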
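Review bot: `$searchFilter` is concatenated into the filter unescaped and unvalidated, so a value that is not one parenthesised filter (for instance `objectclass=person` without the outer parentheses, or two filters side by side) produces a malformed `(&...)` expression; what the search call below the hunk does with that is outside the hunk, but presumably every login then fails with an unhelpful error rather than a configuration error. The `$searchFilter!=NULL` loose comparison also quietly treats `''` as unset while letting any other string through, and the `.""` in the concatenation is a no-op. I would make the guard explicit and record the trust assumption in a comment: `// $searchFilter is admin configuration inserted verbatim (it cannot be escaped, it IS a filter); AND-ing it can only narrow the match`, then `if ($searchFilter !== NULL && $searchFilter !== '') {` and `$filter = '(&' . $filter . $searchFilter . ')';`. Validating the string's shape where the option is read, so the operator sees the error at startup, is preferable to discovering it here on every search.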
@@ -271,7 +276,7 @@ class SimpleSAML_Auth_LDAP {
 * - $allowZeroHits er TRUE and no result is found
 *
 */
- public function searchfordn($base, $attribute, $value, $allowZeroHits = FALSE) {
+ public function searchfordn($base, $attribute, $value, $allowZeroHits = FALSE, $searchFilter = NULL) {
 // Traverse all search bases, returning DN if found
 $bases = SimpleSAML\Utils\Arrays::arrayize($base);
@@ -279,7 +284,8 @@ class SimpleSAML_Auth_LDAP {
 foreach ($bases AS $current) {
 try {
 // Single base search
- $result = $this->search($current, $attribute, $value);
+ $result = $this->search($current, $attribute, $value, $searchFilter);
+
 // We don't hawe to look any futher if user is found
 if (!empty($result)) {
 return $result;
diff --git a/modules/ldap/docs/ldap.txt b/modules/ldap/docs/ldap.txt
index 4a6e957ed114c252944db77df48124d0e422825e..151db887678a2298b8334b3485288cdb0ce2453a 100644
--- a/modules/ldap/docs/ldap.txt
+++ b/modules/ldap/docs/ldap.txt
@@ -71,6 +71,14 @@ authentication source:
 */
 'search.attributes' => array('uid', 'mail'),
+ /*
+ * Additional filters that must match for the entire LDAP search to be TRUE
+ *
+ * This should be a single string conforming to (RFC 1960, 2544)
+ * The string is appended to the search attributes
+ */
+ 'search.filter' => '(&(objectClass=Person)(|(sn=Doe)(cn=John *)))',
+
 /*
 * The username & password where SimpleSAMLphp should bind to before searching. If
 * this is left NULL, no bind will be performed before searching.
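Review bot: The `searchfordn()` docblock ends right above the new signature and, in the part visible here, stops at the `$allowZeroHits` description; the new `$searchFilter` parameter is undocumented, and this public method is where callers will look for the verbatim-insertion caveat. I would add `@param string|NULL $searchFilter  Optional complete parenthesised LDAP filter AND-ed with the attribute match; passed through to search() unescaped, so it must come from trusted configuration.` before the closing `*/`. The docblock starts, and the method body ends, outside this hunk.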
@@ -103,6 +111,10 @@ options.
 The `search.base`-option must be the `dn` which should be used as the base/root of the search. The `search.attributes`-option is an array with attributes the username should be matched against.
+You can also append the `search.filter` option to further limit your search.
+The `search.filter` field is optional and need not be included in your
+configuration file.
+
 The `dnpattern` option will not be used if searching is enabled. Some LDAP servers may require authentication before a search can be
diff --git a/modules/ldap/lib/ConfigHelper.php b/modules/ldap/lib/ConfigHelper.php
index c39d1ddd178ae58b94c8f2ec550bb7e90379bbe4..ec6757ca19e3b7f9916daaac000edf588da468d3 100644
--- a/modules/ldap/lib/ConfigHelper.php
+++ b/modules/ldap/lib/ConfigHelper.php
@@ -81,6 +81,10 @@ class sspmod_ldap_ConfigHelper {
 */
 private $searchBase;
+ /**
+ * Additional LDAP filter fields for the search
+ */
+ private $searchFilter;
 /**
 * The attributes which should match the username.
@@ -149,6 +153,7 @@ class sspmod_ldap_ConfigHelper {
 }
 $this->searchBase = $config->getArrayizeString('search.base');
+ $this->searchFilter = $config->getString('search.filter',NULL);
 $this->searchAttributes = $config->getArray('search.attributes');
 } else {
@@ -197,7 +202,7 @@ class sspmod_ldap_ConfigHelper {
 }
 }
- $dn = $ldap->searchfordn($this->searchBase, $this->searchAttributes, $username, TRUE);
+ $dn = $ldap->searchfordn($this->searchBase, $this->searchAttributes, $username, TRUE, $this->searchFilter);
 if ($dn === NULL) {
 /* User not found with search. */
 SimpleSAML_Logger::info($this->location . ': Unable to find users DN. username=\'' . $username . '\'');
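Review bot: `$config->getString('search.filter', NULL)` accepts any string, and nothing in this commit checks its shape anywhere, so a typo such as a missing outer parenthesis is only discovered when the first user tries to log in and the search fails. Since the value is spliced verbatim into every search filter, the place where the option is read is the right place to fail fast: reject anything that is not a single parenthesised expression, with a message that names the option (use the project's configuration-error exception if there is one; plain `Exception` is shown below). Unbalanced parentheses inside the string would still slip past such a cheap check, but the common mistakes are caught and the server's parse error remains as a fallback. The surrounding method, including the branch this assignment sits in, is outside the hunk.
```php
$this->searchFilter = $config->getString('search.filter', NULL);
// Spliced verbatim (unescaped) into every search filter, so it must be one complete parenthesised filter.
if ($this->searchFilter !== NULL && $this->searchFilter !== '' &&
    ($this->searchFilter[0] !== '(' || substr($this->searchFilter, -1) !== ')')) {
    throw new Exception('search.filter must be a single parenthesised LDAP filter, got: ' . $this->searchFilter);
}
// … unchanged: $this->searchAttributes assignment …
```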