diff --git a/src/main/java/org/olat/core/commons/modules/glossary/GlossaryMainController.java b/src/main/java/org/olat/core/commons/modules/glossary/GlossaryMainController.java
index c6ef29a570942f27ba1372c58a55038594f7987a..3cc67e764f81a0577534c3462be4be1dd3dfbd7f 100644
--- a/src/main/java/org/olat/core/commons/modules/glossary/GlossaryMainController.java
+++ b/src/main/java/org/olat/core/commons/modules/glossary/GlossaryMainController.java
@@ -28,7 +28,6 @@ import java.util.List;
 import java.util.Properties;
 import java.util.Set;
 
-import org.apache.commons.lang.StringEscapeUtils;
 import org.olat.core.CoreSpringFactory;
 import org.olat.core.gui.UserRequest;
 import org.olat.core.gui.components.Component;
@@ -208,7 +207,7 @@ public class GlossaryMainController extends BasicController implements Activatea
 					if (deleteDialogCtr != null) {
 						deleteDialogCtr.dispose();
 					}
-					deleteDialogCtr = activateYesNoDialog(ureq, null, translate("glossary.delete.dialog", StringEscapeUtils.escapeHtml(currentGlossaryItem.getGlossTerm())),
+					deleteDialogCtr = activateYesNoDialog(ureq, null, translate("glossary.delete.dialog", StringHelper.escapeHtml(currentGlossaryItem.getGlossTerm())),
 							deleteDialogCtr);
 				} 
 			} else if (button.getCommand().startsWith(REGISTER_LINK)) {
diff --git a/src/main/java/org/olat/ldap/LDAPLoginManagerImpl.java b/src/main/java/org/olat/ldap/LDAPLoginManagerImpl.java
index 0fd6bd939e107a3f9a2d360c58d8e2fd72d5c870..8736146c2bb12750b1ede44dd571f76d4be58f04 100644
--- a/src/main/java/org/olat/ldap/LDAPLoginManagerImpl.java
+++ b/src/main/java/org/olat/ldap/LDAPLoginManagerImpl.java
@@ -336,11 +336,9 @@ public class LDAPLoginManagerImpl extends LDAPLoginManager implements GenericEve
 			return null;
 
 		List<String> ldapBases = LDAPLoginModule.getLdapBases();
-		String objctClass = LDAPLoginModule.getLdapUserObjectClass();
 		String[] serachAttr = { "dn" };
 		
-		String ldapUserIDAttribute = LDAPLoginModule.mapOlatPropertyToLdapAttribute(LDAPConstants.LDAP_USER_IDENTIFYER);
-		String filter = "(&(objectClass=" + objctClass + ")(" + ldapUserIDAttribute + "=" + uid + "))";
+		String filter = buildSearchUserFilter(uid);
 		SearchControls ctls = new SearchControls();
 		ctls.setSearchScope(SearchControls.SUBTREE_SCOPE);
 		ctls.setReturningAttributes(serachAttr);
@@ -364,6 +362,26 @@ public class LDAPLoginManagerImpl extends LDAPLoginManager implements GenericEve
 		return userDN;
 	}
 
+	/**
+	 * Build an LDAP search filter for the given user ID using the preconfigured filters
+	 * @param uid the user ID
+	 * @return the filter String
+	 */
+	private String buildSearchUserFilter(String uid) {
+		String ldapUserIDAttribute = LDAPLoginModule.mapOlatPropertyToLdapAttribute(LDAPConstants.LDAP_USER_IDENTIFYER);
+		String ldapUserFilter = LDAPLoginModule.getLdapUserFilter();
+		StringBuilder filter = new StringBuilder();
+		if (ldapUserFilter != null) {
+			// merge preconfigured filter (e.g. object class, group filters) with username using AND rule
+			filter.append("(&").append(ldapUserFilter);	
+		}
+		filter.append("(").append(ldapUserIDAttribute).append("=").append(uid).append(")");
+		if (ldapUserFilter != null) {
+			filter.append(")");	
+		}
+		return filter.toString();
+	}
+
 	/**
 	 * 
 	 * Creates list of all LDAP Users or changed Users since syncTime
@@ -384,22 +402,31 @@ public class LDAPLoginManagerImpl extends LDAPLoginManager implements GenericEve
 	 * @throws NamingException
 	 */
 	public List<Attributes> getUserAttributesModifiedSince(Date syncTime, LdapContext ctx) {
-		String objctClass = LDAPLoginModule.getLdapUserObjectClass();
+		String userFilter = LDAPLoginModule.getLdapUserFilter();
 		StringBuilder filter = new StringBuilder();
 		if (syncTime == null) {
 			logDebug("LDAP get user attribs since never -> full sync!");
-			filter.append("(objectClass=").append(objctClass).append(")");
+			if (filter != null) {
+				filter.append(userFilter);				
+			}
 		} else {
 			String dateFormat = LDAPLoginModule.getLdapDateFormat();
 			SimpleDateFormat generalizedTimeFormatter = new SimpleDateFormat(dateFormat);
 			generalizedTimeFormatter.setTimeZone(UTC_TIME_ZONE);
 			String syncTimeForm = generalizedTimeFormatter.format(syncTime);
 			logDebug("LDAP get user attribs since " + syncTime + " -> means search with date restriction-filter: " + syncTimeForm);
-			filter.append("(&(objectClass=").append(objctClass).append(")(|(");
+			if (userFilter != null) {
+				// merge user filter with time fileter using and rule
+				filter.append("(&").append(userFilter);				
+			}
+			filter.append("(|(");								
 			filter.append(LDAPLoginModule.getLdapUserLastModifiedTimestampAttribute()).append(">=").append(syncTimeForm);
 			filter.append(")(");
 			filter.append(LDAPLoginModule.getLdapUserCreatedTimestampAttribute()).append(">=").append(syncTimeForm);
-			filter.append(")))");
+			filter.append("))");
+			if (userFilter != null) {
+				filter.append(")");				
+			}
 		}
 		final List<Attributes> ldapUserList = new ArrayList<Attributes>();
 
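Review bot: The guard `if (filter != null)` in the full-sync branch tests the StringBuilder, which is never null, so when no user filter is configured `filter.append(userFilter)` appends the literal text `null`. It should read `if (userFilter != null)`, and the no-filter case needs a valid match-all expression such as `(objectClass=*)`, because an empty string is not a valid LDAP filter. The same applies to the `(userFilter == null ? "" : userFilter)` argument in the later `@@ -718` hunk, where a rejected search would probably leave `ldapList` empty and stop the deletion list from being built. The method body continues outside this hunk.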
@@ -705,7 +732,7 @@ public class LDAPLoginManagerImpl extends LDAPLoginManager implements GenericEve
 		if (ctx == null) return null;
 		// Find all LDAP Users
 		String userID = LDAPLoginModule.mapOlatPropertyToLdapAttribute(LDAPConstants.LDAP_USER_IDENTIFYER);
-		String objctClass = LDAPLoginModule.getLdapUserObjectClass();
+		String userFilter = LDAPLoginModule.getLdapUserFilter();
 		final List<String> ldapList = new ArrayList<String>();
 		
 		searchInLdap(new LdapVisitor() {
@@ -718,7 +745,7 @@ public class LDAPLoginManagerImpl extends LDAPLoginManager implements GenericEve
 					ldapList.add(attr.get().toString().toLowerCase());
 				}
 			}
-		}, "(objectClass=" + objctClass + ")", new String[] { userID }, ctx);
+		}, (userFilter == null ? "" : userFilter), new String[] { userID }, ctx);
 
 		if (ldapList.isEmpty()) {
 			logWarn("No users in LDAP found, can't create deletionList!!", null);
diff --git a/src/main/java/org/olat/ldap/LDAPLoginModule.java b/src/main/java/org/olat/ldap/LDAPLoginModule.java
index c132239472740b504f17cde169c122dc9399f581..7a115c01781d5a130acadfa821dff60709d18ef6 100644
--- a/src/main/java/org/olat/ldap/LDAPLoginModule.java
+++ b/src/main/java/org/olat/ldap/LDAPLoginModule.java
@@ -101,7 +101,7 @@ public class LDAPLoginModule implements Initializable {
 	// Propagate the password changes onto the LDAP server
 	private static boolean propagatePasswordChangedOnLdapServer;
 	// Configuration for syncing user attributes
-	private static String ldapUserObjectClass;
+	private static String ldapUserFilter;
 	private static String ldapUserCreatedTimestampAttribute;
 	private static String ldapUserLastModifiedTimestampAttribute;
 	private static String ldapUserPasswordAttribute;
@@ -162,7 +162,13 @@ public class LDAPLoginModule implements Initializable {
 			setEnableLDAPLogins(false);
 			return;
 		}
-		if (!checkConfigParameterIsNotEmpty(ldapUserObjectClass)) return;
+		if (ldapUserFilter != null) {
+			if (!ldapUserFilter.startsWith("(") || !ldapUserFilter.endsWith(")")) {
+				log.error("Wrong configuration 'ldapUserFilter'. Set filter to emtpy value or enclose filter in brackets like '(objectClass=person)'. Disabling LDAP");
+				setEnableLDAPLogins(false);
+				return;
+			}
+		}
 		if (!checkConfigParameterIsNotEmpty(ldapUserCreatedTimestampAttribute)) return;
 		if (!checkConfigParameterIsNotEmpty(ldapUserLastModifiedTimestampAttribute)) return;
 		if (userAttrMap == null || userAttrMap.size() == 0) {
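Review bot: The `ldapUserFilter` check looks only at the first and last character, so a value like `(a=b)(c=d)` passes. That is harmless when wrapped in `(&…)`, but the full-sync path sends it bare and it would be rejected there as malformed. This filter now decides which directory entries count as valid users, so a comment should say so, e.g. `// ldapUserFilter gates login and sync; must be one bracketed filter expression or unset`. The log message also misspells `empty` as `emtpy`. The enclosing method starts and ends outside this hunk.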
@@ -477,8 +483,13 @@ public class LDAPLoginModule implements Initializable {
 		ldapSyncOnStartup = ldapStartSyncs;
 	}
 
-	public void setLdapUserObjectClass(String objectClass) {
-		ldapUserObjectClass = objectClass.trim();
+	public void setLdapUserFilter(String filter) {
+		if (StringHelper.containsNonWhitespace(filter)) {
+			ldapUserFilter = filter.trim();			
+		} else {
+			// set explicitly to null for no filter
+			ldapUserFilter = null;
+		}
 	}
 
 	public void setLdapSystemDN(String ldapSystemDN) {
@@ -629,8 +640,11 @@ public class LDAPLoginModule implements Initializable {
 		return connectionTimeout;
 	}
 
-	public static String getLdapUserObjectClass() {
-		return ldapUserObjectClass;
+	/**
+	 * @return A filter expression enclosed in () brackets to filter for valid users or NULL for no filtering
+	 */
+	public static String getLdapUserFilter() {
+		return ldapUserFilter;
 	}
 
 	public static String getLdapUserLastModifiedTimestampAttribute() {
diff --git a/src/main/java/org/olat/ldap/_spring/ldapContext.xml b/src/main/java/org/olat/ldap/_spring/ldapContext.xml
index d0d45e2c9091146adcd10a0d265a9fc2bdc76a5d..eec448cd314fff36186aa2e31e3ff9ac912087d1 100644
--- a/src/main/java/org/olat/ldap/_spring/ldapContext.xml
+++ b/src/main/java/org/olat/ldap/_spring/ldapContext.xml
@@ -81,7 +81,7 @@
 		<!-- if ldapSyncCronSync=true, specify cron expression: http://quartz.sourceforge.net/javadoc/org/quartz/CronTrigger.html  -->
 		<property name="ldapSyncCronSyncExpression" value="${ldap.ldapSyncCronSyncExpression}" /> <!--  run every hour -->		
 		<!-- Configuration for syncing user attributes during login or cron and batch sync -->		
-		<property name="ldapUserObjectClass" value="${ldap.ldapUserObjectClass}"/>
+		<property name="ldapUserFilter" value="${ldap.ldapUserFilter}"/>
 		<property name="ldapUserCreatedTimestampAttribute" value="${ldap.ldapUserCreatedTimestampAttribute}"/>
 		<property name="ldapUserLastModifiedTimestampAttribute" value="${ldap.ldapUserLastModifiedTimestampAttribute}"/>
 		<property name="ldapUserPasswordAttribute" value="${ldap.ldapUserPassordAttribute}"/>
diff --git a/src/main/resources/serviceconfig/olat.properties b/src/main/resources/serviceconfig/olat.properties
index ea51b80b54bb2a8b2e31328ab4208e81a3f447ec..e92d85d092b69031001025f71abee1eeb865a12a 100644
--- a/src/main/resources/serviceconfig/olat.properties
+++ b/src/main/resources/serviceconfig/olat.properties
@@ -795,6 +795,10 @@ ldap.ldapSyncCronSyncExpression=0 0 * * * ?
 # Configuration for syncing user attributes during login or cron and batch sync (examples are
 # for an active directory)
 ldap.ldapUserObjectClass=person
+# Filter that uses the user object class. Can be exteded to include group memberships as well. Default is a standard object class filter.
+ldap.ldapUserFilter=(objectClass=${ldap.ldapUserObjectClass})
+# Example for more complex filter: 
+# ldap.ldapUserFilter=(&(objectClass=${ldap.ldapUserObjectClass})(memberOf=CN=OpenOLATAccess,OU=Students,DC=openolat,DC=org))
 ldap.ldapUserCreatedTimestampAttribute=whenCreated
 ldap.ldapUserLastModifiedTimestampAttribute=whenChanged
 # OpenLDAP is userPassword, ActiveDirectory is unicodePwd
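Review bot: The comment above `ldap.ldapUserFilter` should state the two rules the Java side of this commit enforces: an empty value disables user filtering entirely, and a non-empty value not enclosed in brackets disables LDAP login. Suggested wording: `# Must be a single filter enclosed in (); leave empty to apply no user filter.` The word `exteded` should be `extended`. For the Active Directory example, it may also be worth noting that `memberOf` typically matches direct group membership only, so users in nested groups would be excluded.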