diff --git a/modules/ldap/docs/ldap.txt b/modules/ldap/docs/ldap.txt
index c19141e14c53c8e99caa346394081f5b56dbdc90..f24dc8b58e476475178f5efc719cb555aff8a949 100644
--- a/modules/ldap/docs/ldap.txt
+++ b/modules/ldap/docs/ldap.txt
@@ -249,6 +249,24 @@ specific configuration options:
 		 */
 		'attributes' => array('mail', 'jpegPhoto' => 'jpegphoto'),
 
+		/**
+		 * The attribute policy that defines what to do with attributes that are
+		 * already part of the attributes of the user. Can be one of:
+		 *
+		 * - add: blindly add the values. If the attribute already exists and has
+		 * the same value, the result of the filter will be two equal values.
+		 *
+		 * - merge: carefully merge the values. If a value is already part of
+		 * the attribute, do not add a duplicate.
+		 *
+		 * - replace: if the attribute is present before running the filter,
+		 * replace its values with the ones obtained at this point.
+		 *
+		 * Default: merge
+		 * Required: No
+		 */
+		'attribute.policy' => 'merge',
+
 		/**
 		 * The search filter to find the user in LDAP.
 		 *
diff --git a/modules/ldap/lib/Auth/Process/AttributeAddFromLDAP.php b/modules/ldap/lib/Auth/Process/AttributeAddFromLDAP.php
index 4f0b412d4e647662db8cb9766f3b040e25bc44bf..4a311b86f0ea8d28d620c1a29efc002ab14b0364 100644
--- a/modules/ldap/lib/Auth/Process/AttributeAddFromLDAP.php
+++ b/modules/ldap/lib/Auth/Process/AttributeAddFromLDAP.php
@@ -48,6 +48,13 @@ class sspmod_ldap_Auth_Process_AttributeAddFromLDAP extends sspmod_ldap_Auth_Pro
     protected $search_filter;
 
 
+    /**
+     * What to do with attributes when the target already exists. Either replace, merge or add.
+     *
+     * @var string
+     */
+    protected $attr_policy;
+
     /**
      * Initialize this filter.
      *
@@ -114,6 +121,9 @@ class sspmod_ldap_Auth_Process_AttributeAddFromLDAP extends sspmod_ldap_Auth_Pro
             $this->search_attributes[$new_attribute] = $this->config->getString('search.attribute');
         }
         $this->search_filter    = $this->config->getString('search.filter');
+
+        // get the attribute policy
+        $this->attr_policy = $this->config->getString('attribute.policy', 'merge');
     }
 
 
@@ -145,11 +155,17 @@ class sspmod_ldap_Auth_Process_AttributeAddFromLDAP extends sspmod_ldap_Auth_Pro
         $filter = str_replace($arrSearch, $arrReplace, $this->search_filter);
 
         if (strpos($filter, '%') !== FALSE) {
-            SimpleSAML_Logger::info('There are non-existing attributes in the search filter. ('.
+            SimpleSAML_Logger::info('AttributeAddFromLDAP: There are non-existing attributes in the search filter. ('.
                                     $this->search_filter.')');
             return;
         }
 
+        if (!in_array($this->attr_policy, array('merge', 'replace', 'add'))) {
+            SimpleSAML_Logger::warning("AttributeAddFromLDAP: 'attribute.policy' must be one of 'merge',".
+                                       "'replace' or 'add'.");
+            return;
+        }
+
         // search for matching entries
         try {
             $entries = $this->getLdap()->searchformultiple($this->base_dn, $filter,
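Review bot: An unrecognised 'attribute.policy' only makes process() log a warning and return, so the filter fails open: the request carries on with whatever attributes were already present, which matters most when the operator meant 'replace' and mistyped it. The value is read once in the constructor (the `$this->attr_policy = $this->config->getString('attribute.policy', 'merge');` line in the previous hunk), so the check belongs there and should throw instead of returning, e.g. `throw new SimpleSAML_Error_Exception("AttributeAddFromLDAP: 'attribute.policy' must be one of 'merge', 'replace' or 'add'.");`. That surfaces a bad configuration at load time instead of as a per-request log line. The concatenated warning text also renders as `'merge','replace'` with no space after the comma, and it does not include the rejected value. process() starts before and continues after this hunk.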
@@ -164,11 +180,23 @@ class sspmod_ldap_Auth_Process_AttributeAddFromLDAP extends sspmod_ldap_Auth_Pro
                 if (is_numeric($target)) {
                     $target = $name;
                 }
+
+                if (isset($attributes[$target]) && $this->attr_policy === 'replace') {
+                    unset($attributes[$target]);
+                }
                 $name = strtolower($name);
                 if (isset($entry[$name])) {
                     unset($entry[$name]['count']);
                     if (isset($attributes[$target])) {
-                        $attributes[$target] = array_merge($attributes[$target], array_values($entry[$name]));
+                        foreach(array_values($entry[$name]) as $value) {
+                            if ($this->attr_policy === 'merge') {
+                                if (!in_array($value, $attributes[$target])) {
+                                    $attributes[$target][] = $value;
+                                }
+                            } else {
+                                $attributes[$target][] = $value;
+                            }
+                        }
                     } else {
                         $attributes[$target] = array_values($entry[$name]);
                     }