diff --git a/ee/lib/ee/gitlab/ldap/adapter.rb b/ee/lib/ee/gitlab/ldap/adapter.rb
index 8dd61dea4fa6cf96f0860ca2bc60546a4c2e4f7c..26e1c090c2050f1db32dae20f80b0fee83c68cca 100644
--- a/ee/lib/ee/gitlab/ldap/adapter.rb
+++ b/ee/lib/ee/gitlab/ldap/adapter.rb
@@ -16,7 +16,7 @@ module Adapter
         def groups(cn = "*", size = nil)
           options = {
             base: config.group_base,
-            filter: Net::LDAP::Filter.eq("cn", cn),
+            filter: group_filter(Net::LDAP::Filter.eq("cn", cn)),
             attributes: %w(dn cn memberuid member submember uniquemember memberof)
           }
 
@@ -52,6 +52,18 @@ def nested_groups(parent_dn)
             LDAP::Group.new(entry, self)
           end
         end
+
+        def group_filter(filter = nil)
+          group_filter = config.constructed_group_filter if config.group_filter.present?
+
+          if group_filter && filter
+            Net::LDAP::Filter.join(filter, group_filter)
+          elsif group_filter
+            group_filter
+          else
+            filter
+          end
+        end
       end
     end
   end
diff --git a/lib/gitlab/ldap/config.rb b/lib/gitlab/ldap/config.rb
index b2ad21ac566ff26e731b3a57b67400f85072c5ef..eb627d13604b25912d2aa74ff30c602dc31e93ba 100644
--- a/lib/gitlab/ldap/config.rb
+++ b/lib/gitlab/ldap/config.rb
@@ -125,6 +125,14 @@ def admin_group
         options['admin_group']
       end
 
+      def group_filter
+        options['group_filter']
+      end
+
+      def constructed_group_filter
+        @constructed_group_filter ||= Net::LDAP::Filter.construct(group_filter)
+      end
+
       def active_directory
         options['active_directory']
       end