diff --git a/config-dist.php b/config-dist.php
index a39cc028..e2d1ebc1 100644
--- a/config-dist.php
+++ b/config-dist.php
@@ -78,9 +78,12 @@ Setting('AUTH_CLASS', 'Grocy\Middleware\DefaultAuthMiddleware');
 Setting('REVERSE_PROXY_AUTH_HEADER', 'REMOTE_USER');
 
 // When using LdapAuthMiddleware
-Setting('LDAP_DOMAIN', ''); // Example value "local"
 Setting('LDAP_ADDRESS', ''); // Example value "ldap://vm-dc2019.local.berrnd.net"
-Setting('LDAP_BASE_DN', ''); // Example value "OU=OU_Users,DC=local,DC=berrnd,DC=net"
+Setting('LDAP_BASE_DN', ''); // Example value "DC=local,DC=berrnd,DC=net"
+Setting('LDAP_BIND_DN', ''); // Example value "CN=grocy_bind_account,OU=service_accounts,DC=local,DC=berrnd,DC=net"
+Setting('LDAP_BIND_PW', ''); // Password for the above account
+Setting('LDAP_USER_FILTER', ''); // Example value "(OU=grocy_users)"
+Setting('LDAP_UID_ATTR', ''); // Windows AD: "sAMAccountName", OpenLDAP: "uid", Glauth: "cn"
 
 // Set this to true if you want to disable the ability to scan a barcode via the device camera (Browser API)
 Setting('DISABLE_BROWSER_BARCODE_CAMERA_SCANNING', false);
diff --git a/middleware/LdapAuthMiddleware.php b/middleware/LdapAuthMiddleware.php
index 019d5040..67e6551c 100644
--- a/middleware/LdapAuthMiddleware.php
+++ b/middleware/LdapAuthMiddleware.php
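Review bot: The comment on the new `LDAP_USER_FILTER` line does not say that the value is concatenated verbatim into an AND filter together with the uid match, so it must be either empty or a complete parenthesised LDAP filter like the example `(OU=grocy_users)`; a bare `attr=value` without parentheses produces an invalid filter and every login fails. Suggested comment: `// Optional extra filter ANDed with the uid match; leave empty or give a complete parenthesised filter, e.g. "(OU=grocy_users)"`. The `LDAP_BIND_DN` comment could also state that the account is only used to search LDAP_BASE_DN for the user's DN, so a read-only account with search rights on that subtree is sufficient.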
@@ -34,16 +34,33 @@ class LdapAuthMiddleware extends AuthMiddleware
 		ldap_set_option($connect, LDAP_OPT_PROTOCOL_VERSION, 3);
 		ldap_set_option($connect, LDAP_OPT_REFERRALS, 0);
 
-		if ($bind = ldap_bind($connect, GROCY_LDAP_DOMAIN . '\\' . $postParams['username'], $postParams['password']))
+		// bind with service account to retrieve user DN
+		if ($bind = ldap_bind($connect, GROCY_LDAP_BIND_DN, GROCY_LDAP_BIND_PW))
 		{
-			$fields = '(|(samaccountname=*' . $postParams['username'] . '*))';
+			$filter = '(&(' . GROCY_LDAP_UID_ATTR . '=' . $postParams['username'] . ')' . GROCY_LDAP_USER_FILTER . ')';
-			$search = ldap_search($connect, GROCY_LDAP_BASE_DN, $fields);
+			$search = ldap_search($connect, GROCY_LDAP_BASE_DN, $filter);
 			$result = ldap_get_entries($connect, $search);
 			$ldapFirstName = $result[0]['givenname'][0];
 			$ldapLastName = $result[0]['sn'][0];
-
+			$ldapDistinguishedName = $result[0]['dn'];
+
+			if (is_null($ldapDistinguishedName))
+			{
+				// User not found
+				return false;
+			}
+		}
+		else
+		{
+			// Bind authentication failed
+			return false;
+		}
+
+		// bind with user account to validate password
+		if ($bind = ldap_bind($connect, $ldapDistinguishedName, $postParams['password']))
+		{
 			ldap_close($connect);
 
 			$db = DatabaseService::getInstance()->GetDbConnection();
@@ -60,7 +77,9 @@ class LdapAuthMiddleware extends AuthMiddleware
 		}
 		else
 		{
-			// LDAP authentication failed
+			ldap_close($connect);
+
+			// User authentication failed
 			return false;
 		}
 	}
@@ -70,4 +89,4 @@ class LdapAuthMiddleware extends AuthMiddleware
 		return false;
 	}
 }
-}
+}
\ No newline at end of file
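Review bot: The username from the login form is concatenated into the LDAP search filter on the new `$filter` line without escaping, so `*`, `(`, `)` and `\` in the input reach the server as filter syntax and can reshape the query; it should go through `ldap_escape($postParams['username'], '', LDAP_ESCAPE_FILTER)` before the filter is built. The second new `ldap_bind` passes `$postParams['password']` straight through, and an empty password turns that bind into an unauthenticated bind (RFC 4513 §5.1.2) that many directories accept, so an empty value must be rejected before binding. `$result[0]['dn']` is read before `$result['count']` is checked, which raises an undefined-index notice when nothing matches, and a count other than exactly one should be refused as well; the two early `return false` paths (user not found, service bind failed) also leave `$connect` open, unlike the close that the second hunk adds to the failed-user-bind branch. The enclosing method's signature and the `ldap_connect` call lie above the hunk, and its tail continues below it.

```php
		// bind with service account to retrieve user DN
		if ($bind = ldap_bind($connect, GROCY_LDAP_BIND_DN, GROCY_LDAP_BIND_PW))
		{
			// escape the user-supplied value so it is matched literally and cannot alter the filter structure (RFC 4515)
			$filter = '(&(' . GROCY_LDAP_UID_ATTR . '=' . ldap_escape($postParams['username'], '', LDAP_ESCAPE_FILTER) . ')' . GROCY_LDAP_USER_FILTER . ')';
			$search = ldap_search($connect, GROCY_LDAP_BASE_DN, $filter);
			$result = $search === false ? false : ldap_get_entries($connect, $search);

			if ($result === false || $result['count'] !== 1)
			{
				// User not found, or the filter matched more than one entry
				ldap_close($connect);
				return false;
			}

			$ldapFirstName = $result[0]['givenname'][0];
			$ldapLastName = $result[0]['sn'][0];
			$ldapDistinguishedName = $result[0]['dn'];
		}
		else
		{
			// Bind authentication failed
			ldap_close($connect);
			return false;
		}

		if (!isset($postParams['password']) || $postParams['password'] === '')
		{
			// An empty password would be an unauthenticated bind (RFC 4513 §5.1.2), which many servers accept
			ldap_close($connect);
			return false;
		}

		// bind with user account to validate password
		if ($bind = ldap_bind($connect, $ldapDistinguishedName, $postParams['password']))
		{
			// … unchanged: ldap_close, database user lookup/creation …
```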