diff --git a/config-templates/authsources.php b/config-templates/authsources.php
index e0b7ff473a517f9f6fb8896bdc5474f8f76867f6..fd16d4cf434250e6935a4e25f2f36a860b1f0330 100644
--- a/config-templates/authsources.php
+++ b/config-templates/authsources.php
@@ -137,6 +137,23 @@ $config = array(
 		 */
 		'search.username' => NULL,
 		'search.password' => NULL,
+
+		/*
+		 * If the directory uses privilege separation,
+		 * the authenticated user may not be able to retrieve
+		 * all required attribures, a privileged entity is required
+		 * to get them. This is enabled with this option.
+		 */
+		'priv.read' => FALSE,
+
+		/*
+		 * The DN & password the simpleSAMLphp should bind to before
+		 * retrieving attributes. These options are required if
+		 * 'priv.read' is set to TRUE.
+		 */
+		'priv.username' => NULL,
+		'priv.password' => NULL,
+
 	),
 
 	/* Example of an LDAPMulti authentication source. */
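Review bot: The comment above 'priv.username' / 'priv.password' does not say what kind of account belongs there, and a template that asks for a bind DN with wider read rights than the user should give that guidance. I would extend that comment with `Use a dedicated read-only account that can see only the attributes listed in 'attributes'; its password is stored in this file, so restrict read access to the file accordingly.` The first comment block also has a typo: `attribures` should read `attributes`.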
diff --git a/modules/ldap/lib/ConfigHelper.php b/modules/ldap/lib/ConfigHelper.php
index daf6b3de22cfa915d62c3fab29ed6de6cb926890..b7b514e866f5632c1ffdc165a92ee2f0b3de5257 100644
--- a/modules/ldap/lib/ConfigHelper.php
+++ b/modules/ldap/lib/ConfigHelper.php
@@ -73,6 +73,23 @@ class sspmod_ldap_ConfigHelper {
 	private $attributes;
 
 
+	/**
+	 * The user cannot get all attributes, privileged reader required
+	 */
+	private $privRead;
+
+
+	/**
+	 * The DN we should bind with before we can get the attributes.
+	 */
+	private $privUsername;
+
+
+	/**
+	 * The password we should bind with before we can get the attributes.
+	 */
+	private $privPassword;
+
 
 	/**
 	 * Constructor for this configuration parser.
@@ -92,6 +109,7 @@ class sspmod_ldap_ConfigHelper {
 		$this->hostname = $config->getString('hostname');
 		$this->enableTLS = $config->getBoolean('enable_tls', FALSE);
 		$this->searchEnable = $config->getBoolean('search.enable', FALSE);
+		$this->privRead = $config->getBoolean('priv.read', FALSE);
 
 		if ($this->searchEnable) {
 			$this->searchUsername = $config->getString('search.username', NULL);
@@ -106,6 +124,12 @@ class sspmod_ldap_ConfigHelper {
 			$this->dnPattern = $config->getString('dnpattern');
 		}
 
+		/* Are privs needed to get to the attributes? */
+		if ($this->privRead) {
+			$this->privUsername = $config->getString('priv.username');
+			$this->privPassword = $config->getString('priv.password');
+		}
+
 		$this->attributes = $config->getArray('attributes', NULL);
 	}
 
@@ -149,6 +173,14 @@ class sspmod_ldap_ConfigHelper {
 			throw new SimpleSAML_Error_Error('WRONGUSERPASS');
 		}
 
+		/* Are privs needed to get the attributes? */
+		if ($this->privRead) {
+			/* Yes, rebind with privs */
+			if(!$ldap->bind($this->privUsername, $this->privPassword)) {
+				throw new Exception('Error authenticating using privileged DN & password.');
+			}
+		}
+
 		return $ldap->getAttributes($dn, $this->attributes);
 	}
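Review bot: Once the rebind succeeds, `getAttributes($dn, $this->attributes)` runs with the privileged identity's read rights, and the constructor loads `attributes` with a default of NULL, which presumably means no filter. With 'priv.read' enabled and no explicit list, every attribute the privileged DN can read on the user's entry (possibly password hashes or other internal fields) could end up in the user's session. I would make the list mandatory in that case, in the constructor right after `attributes` is read: `if ($this->privRead && $this->attributes === NULL) { throw new Exception("'priv.read' requires an explicit 'attributes' list."); }`. The enclosing method starts above the hunk, so how `$dn` was obtained is not visible here.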