diff --git a/env.example b/env.example
index 485649c572..a001bcee9a 100644
--- a/env.example
+++ b/env.example
@@ -132,26 +132,64 @@ TZ=UTC
 #
 # LDAP url for connection
-#LDAP_URL=ldaps://ldap.domain.com/
+# ldaps:// not compatible with LDAP_START_TLS
+#LDAP_URL=ldap://ldap.domain.com
 # LDAP base DN. Can be empty
 #LDAP_BASE=DC=example,DC=domain,DC=com
+# FreeIPA should be based at accounts
+#LDAP_BASE=CN=accounts,DC=example,DC=domain,DC=com
 # LDAP user DN. Do not specify this parameter for the anonymous bind
 #LDAP_BINDDN=CN=binduser,OU=users,DC=example,DC=domain,DC=com
+# FreeIPA uses different scheme
+#LDAP_BINDDN=UID=binduser,CN=users,CN=accounts,DC=example,DC=domain,DC=com
 # LDAP user password. Do not specify this parameter for the anonymous bind
 #LDAP_BINDPW=LdapUserPassw0rd
+# Many LDAP providers may obfuscate tree information
+# required for advanced filtering when using anonymous
+# bind
+
 # LDAP filter. Tokens example:
 # %1-9 - if the input key is user@mail.domain.com, then %1 is com, %2 is domain and %3 is mail
 # %s - %s is replaced by the complete service string
 # %r - %r is replaced by the complete realm string
+# (&(filter1)(filter2)(...)) - require multiple filters to be true
+# (|(filter1)(filter2)(...)) - require one filter to be true
+# (!(filter1)) - require one or more filters to be false
 #LDAP_FILTER=(sAMAccountName=%u)
+# FreeIPA, other LDAP providers, use UID
+#LDAP_FILTER=(UID=%u)
+# FreeIPA group filtering
+#LDAP_FILTER=(&(UID=%u)(memberOf=CN=groupname,CN=groups,CN=accounts,DC=example,DC=domain,DC=com))
+
 # LDAP authentication method
 #LDAP_AUTH_METHOD=bind
+# LDAP group member attribute
+#LDAP_GROUP_ATTR=uniqueMember
+# FreeIPA, other LDAP providers, use memberOf
+#LDAP_GROUP_ATTR=memberOf
+
+# LDAP group membership requirement
+#LDAP_GROUP_DN=CN=groupname,CN=groups,CN=accounts,DC=example,DC=domain,DC=com
+
+# LDAP group match method
+# filter implies LDAP_GROUP_FILTER. 
attr implies LDAP_GROUP_SEARCH_BASE
+# ignored without LDAP_GROUP_DN
+#LDAP_GROUP_MATCH_METHOD=filter
+
+# LDAP group filter
+# Respects tokens common to LDAP filtering
+#LDAP_GROUP_FILTER=(CN=groupname,CN=groups,CN=accounts,DC=example,DC=domain,DC=com)
+
+# LDAP group search base
+# Defaults to LDAP_BASE
+#LDAP_GROUP_SEARCH_BASE=CN=groupname,CN=groups,CN=accounts,DC=example,DC=domain,DC=com
+
 # LDAP version
 #LDAP_VERSION=3
diff --git a/prosody/rootfs/defaults/saslauthd.conf b/prosody/rootfs/defaults/saslauthd.conf
index 79cdc0ad61..d53ea5eb40 100644
--- a/prosody/rootfs/defaults/saslauthd.conf
+++ b/prosody/rootfs/defaults/saslauthd.conf
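Review bot: The new example `#LDAP_URL=ldap://ldap.domain.com` at the top of the hunk replaces the only encrypted example (`-#LDAP_URL=ldaps://ldap.domain.com/`) without saying that a plain `ldap://` URL must be paired with `LDAP_START_TLS=1`; otherwise `LDAP_BINDPW` and every user's password cross the network in clear text. Suggest keeping both forms and expanding the comment, e.g. `# ldaps:// is not compatible with LDAP_START_TLS; use ldap:// only together with LDAP_START_TLS=1`. The added `# Defaults to LDAP_BASE` above `#LDAP_GROUP_SEARCH_BASE` also seems to describe a fallback the template emits only when the variable is set, so if the default actually comes from saslauthd itself the comment should say so.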
@@ -4,27 +4,47 @@
 {{ if eq $PROSODY_AUTH_TYPE "ldap" }}
 ldap_servers: {{ .Env.LDAP_URL }}
+
 ldap_search_base: {{ .Env.LDAP_BASE }}
-{{ if .Env.LDAP_BINDDN | default "" }}
-ldap_bind_dn: {{ .Env.LDAP_BINDDN }}
-ldap_bind_pw: {{ .Env.LDAP_BINDPW }}
-{{ end }}
-ldap_filter: {{ .Env.LDAP_FILTER | default "uid=%u" }}
+
 ldap_version: {{ .Env.LDAP_VERSION | default "3" }}
 ldap_auth_method: {{ .Env.LDAP_AUTH_METHOD | default "bind" }}
+
+ {{ if .Env.LDAP_BINDDN }}
+ldap_bind_dn: {{ .Env.LDAP_BINDDN }}
+ldap_bind_pw: {{ .Env.LDAP_BINDPW | default "MISSING PASSWORD" }}
+ {{ end }}
+
+ldap_filter: {{ .Env.LDAP_FILTER | default "uid=%u" }}
+
+ldap_group_attr: {{ .Env.LDAP_GROUP_ATTR | default "uniqueMember" }}
+ {{ if .Env.LDAP_GROUP_DN }}
+ldap_group_dn: {{ .Env.LDAP_GROUP_DN }}
+ldap_group_match_method: {{ .Env.LDAP_GROUP_MATCH_METHOD | default "attr" }}
+ {{ end }}
+ {{ if .Env.LDAP_GROUP_SEARCH_BASE }}
+ldap_group_search_base: {{ .Env.LDAP_GROUP_SEARCH_BASE | default .Env.LDAP_BASE }}
+ {{ end }}
+ {{ if .Env.LDAP_GROUP_FILTER }}
+ldap_group_filter: {{ .Env.LDAP_GROUP_FILTER }}
+ {{ end }}
+
 {{ if .Env.LDAP_USE_TLS | default "0" | toBool }}
 ldap_tls_key: /config/certs/{{ $XMPP_DOMAIN }}.key
 ldap_tls_cert: /config/certs/{{ $XMPP_DOMAIN }}.crt
+
 {{ if .Env.LDAP_TLS_CHECK_PEER | default "0" | toBool }}
 ldap_tls_check_peer: yes
 ldap_tls_cacert_file: {{ .Env.LDAP_TLS_CACERT_FILE | default "/etc/ssl/certs/ca-certificates.crt" }}
 ldap_tls_cacert_dir: {{ .Env.LDAP_TLS_CACERT_DIR | default "/etc/ssl/certs" }}
 {{ end }}
+
 {{ if .Env.LDAP_TLS_CIPHERS }}
 ldap_tls_ciphers: {{ .Env.LDAP_TLS_CIPHERS }}
 {{ end }}
 {{ end }}
-{{ end }}
-{{ if .Env.LDAP_START_TLS | default "0" | toBool }}
+
+ {{ if .Env.LDAP_START_TLS | default "0" | toBool }}
 ldap_start_tls: yes
+ {{ end }}
 {{ end }}
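Review bot: `ldap_bind_pw: {{ .Env.LDAP_BINDPW | default "MISSING PASSWORD" }}` turns a missing `LDAP_BINDPW` into a real bind attempt with the literal string `MISSING PASSWORD` as the credential, so a misconfigured deployment only surfaces at authentication time as repeated failed binds of the service account (which some directories lock out) instead of a clear error when the config is rendered. Prefer `ldap_bind_pw: {{ .Env.LDAP_BINDPW }}` with an empty-value check in the entrypoint, or at least a placeholder that cannot pass as a password. `ldap_group_search_base: {{ .Env.LDAP_GROUP_SEARCH_BASE | default .Env.LDAP_BASE }}` sits inside `{{ if .Env.LDAP_GROUP_SEARCH_BASE }}`, so the `default` branch can never run; drop either the guard or the default so the intent is clear. The `{{ if }}`/`{{ end }}` lines added with a leading space render as whitespace-only lines in saslauthd.conf; it is worth confirming saslauthd's parser accepts them, or using `{{- ... -}}` trim markers.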