diff --git a/aleksis/core/settings.py b/aleksis/core/settings.py
index 7855c449af754b6a564c48cee7b6a97b452302a2..522695ea6ce9aa1dacc6904a701cc7b8d4230370 100644
--- a/aleksis/core/settings.py
+++ b/aleksis/core/settings.py
@@ -186,7 +186,7 @@ AUTHENTICATION_BACKENDS = []
 if _settings.get("ldap.uri", None):
     # LDAP dependencies are not necessarily installed, so import them here
     import ldap  # noqa
-    from django_auth_ldap.config import LDAPSearch, GroupOfNamesType  # noqa
+    from django_auth_ldap.config import LDAPSearch, NestedGroupOfNamesType, NestedGroupOfUniqueNamesType, PosixGroupType  # noqa
 
     # Enable Django's integration to LDAP
     AUTHENTICATION_BACKENDS.append("django_auth_ldap.backend.LDAPBackend")
@@ -212,6 +212,33 @@ if _settings.get("ldap.uri", None):
         "email": _settings.get("ldap.map.email", "mail"),
     }
 
+    # Discover flags by LDAP groups
+    if _settings.get("ldap.groups.base", None):
+        AUTH_LDAP_GROUP_SEARCH = LDAPSearch(
+            _settings.get("ldap.groups.base"),
+            ldap.SCOPE_SUBTREE,
+            _settings.get("ldap.groups.filter", "(objectClass=%s)" % _settings.get("ldap.groups.type", "groupOfNames")),
+        )
+
+        _group_type = _settings.get("ldap.groups.type", "groupOfNames").lower()
+        if _group_type == "groupofnames":
+            AUTH_LDAP_GROUP_TYPE = NestedGroupOfNamesType()
+        elif _group_type == "groupofuniquenames":
+            AUTH_LDAP_GROUP_TYPE = NestedGroupOfUniqueNamesType()
+        elif _group_type == "posixgroup":
+            AUTH_LDAP_GROUP_TYPE = PosixGroupType()
+
+        AUTH_LDAP_USER_FLAGS_BY_GROUP = {
+        }
+        for _flag in ["is_active", "is_staff", "is_superuser"]:
+            _dn = _settings.get("ldap.groups.flags.%s" % _flag, None)
+            if _dn:
+                AUTH_LDAP_USER_FLAGS_BY_GROUP[_flag] = _dn
+
+        # Backend admin requires superusers to also be staff members
+        if "is_superuser" in AUTH_LDAP_USER_FLAGS_BY_GROUP and "is_staff" not in AUTH_LDAP_USER_FLAGS_BY_GROUP:
+            AUTH_LDAP_USER_FLAGS_BY_GROUP["is_staff"] = AUTH_LDAP_USER_FLAGS_BY_GROUP["is_superuser"]
+
 # Add ModelBckend last so all other backends get a chance
 # to verify passwords first
 AUTHENTICATION_BACKENDS.append("django.contrib.auth.backends.ModelBackend")