diff --git a/app/controllers/sessions_controller.rb b/app/controllers/sessions_controller.rb
index 33cfbf8a..2771cf5a 100644
--- a/app/controllers/sessions_controller.rb
+++ b/app/controllers/sessions_controller.rb
@@ -138,6 +138,7 @@ class SessionsController < ApplicationController
                                     'start_tls'
                                 end
     ldap_config[:base] = ENV['LDAP_BASE']
+    ldap_config[:filter] = ENV['LDAP_FILTER']
     ldap_config[:uid] = ENV['LDAP_UID']
 
     if params[:session][:username].blank? || session_params[:password].blank?
diff --git a/sample.env b/sample.env
index 668813c1..15dd119f 100644
--- a/sample.env
+++ b/sample.env
@@ -65,6 +65,7 @@ OAUTH2_REDIRECT=
 #   LDAP_BIND_DN=cn=admin,dc=example,dc=com
 #   LDAP_PASSWORD=password
 #   LDAP_ROLE_FIELD=ou
+#   LDAP_FILTER=(&(attr1=value1)(attr2=value2))
 LDAP_SERVER=
 LDAP_PORT=
 LDAP_METHOD=
@@ -74,6 +75,7 @@ LDAP_BIND_DN=
 LDAP_AUTH=
 LDAP_PASSWORD=
 LDAP_ROLE_FIELD=
+LDAP_FILTER=
 
 # Set this to true if you want GreenLight to support user signup and login without
 # Omniauth. For more information, see: