2 files changed, 10 insertions, 2 deletions

diff --git a/Bugzilla/Auth/LDAP.pm b/Bugzilla/Auth/LDAP.pm
index 179b5a2c5..c34c3698f 100644
--- a/Bugzilla/Auth/LDAP.pm
+++ b/Bugzilla/Auth/LDAP.pm
@@ -84,7 +84,7 @@ sub authenticate {
     # We've got our anonymous bind;  let's look up this user.
     $mesg = $LDAPconn->search( base   => Param("LDAPBaseDN"),
                                scope  => "sub",
-                               filter => Param("LDAPuidattribute") . "=$username",
+                               filter => '(&(' . Param("LDAPuidattribute") . "=$username)" . Param("LDAPfilter") . ')',
                                attrs  => ['dn'],
                              );
     return (AUTH_LOGINFAILED, undef, "lookup_failure")
@@ -102,7 +102,7 @@ sub authenticate {
     # mail attribute for this user.
     $mesg = $LDAPconn->search( base   => Param("LDAPBaseDN"),
                                scope  => "sub",
-                               filter => Param("LDAPuidattribute") . "=$username",
+                               filter => '(&(' . Param("LDAPuidattribute") . "=$username)" . Param("LDAPfilter") . ')',
                              );
     my $user_entry = $mesg->shift_entry if !$mesg->code && $mesg->count;
     if(!$user_entry || !$user_entry->exists(Param("LDAPmailattribute"))) {
diff --git a/defparams.pl b/defparams.pl
index 15232ad46..e2dcf7533 100644
--- a/defparams.pl
+++ b/defparams.pl
@@ -389,6 +389,14 @@ sub check_loginmethod {
   },
 
   {
+   name => 'LDAPfilter',
+   desc => 'LDAP filter to AND with the <tt>LDAPuidattribute</tt> for ' .
+           'filtering the list of valid users.',
+   type => 't',
+   default => '',
+  },
+
+  {
    name => 'loginmethod',
    desc => 'The type of login authentication to use:
             <dl>