diff --git a/lib/cli/auth-ldap/index.js b/lib/cli/auth-ldap/index.js
index 4788862a..55a6230b 100644
--- a/lib/cli/auth-ldap/index.js
+++ b/lib/cli/auth-ldap/index.js
@@ -44,6 +44,11 @@ module.exports.builder = function(yargs) {
     , type: 'string'
     , default: process.env.LDAP_SEARCH_SCOPE || 'sub'
     })
+    .option('ldap-search-filter', {
+      describe: 'LDAP search filter.'
+    , type: 'string'
+    , default: process.env.LDAP_SEARCH_FILTER
+    })
     .option('ldap-timeout', {
       alias: 't'
     , describe: 'LDAP timeout.'
@@ -110,6 +115,7 @@ module.exports.handler = function(argv) {
       , scope: argv.ldapSearchScope
       , objectClass: argv.ldapSearchClass
       , field: argv.ldapSearchField
+      , filter: argv.ldapSearchFilter
       }
     , username: {
         field: argv.ldapUsernameField
diff --git a/lib/util/ldaputil.js b/lib/util/ldaputil.js
index 36b9bc2e..1e38c33f 100644
--- a/lib/util/ldaputil.js
+++ b/lib/util/ldaputil.js
@@ -60,6 +60,11 @@ module.exports.login = function(options, username, password) {
           })
         }
 
+    if (typeof options.search.filter !== 'undefined') {
+      var parsedFilter = ldap.parseFilter(options.search.filter)
+      query.filter.filters.push(parsedFilter)
+    }
+
     client.search(options.search.dn, query, function(err, search) {
       if (err) {
         return resolver.reject(err)