diff --git a/README.md b/README.md
index 07c52ad..db41c1b 100644
--- a/README.md
+++ b/README.md
@@ -14,6 +14,10 @@ Usage
 -----
 When yourls-cas-plugin is enabled and user was not successfuly authenticated using data specified in yourls_user_passwords, an LDAP authentication attempt will be made. If LDAP authentication is successful, then you will immediately go to the admin interface.
 
+You can also set a privileged account to search the LDAP directory with. This is useful for directories that don't allow anonymous binding.
+
+Setting the groups settings will check the user is a member of that group before logging them in and storing their credentials. This check is only performed the first time they auth or when their password changes.
+
 Configuration
 -------------
 
@@ -22,6 +26,14 @@ Configuration
   * define( 'LDAPAUTH_BASE', 'dc=domain,dc=com' ) Base DN (location of users)
   * define( 'LDAPAUTH_USERNAME_FIELD', 'uid') (optional) LDAP field name in which username is store
 
+To use a privileged account for the user search:
+  * define( 'LDAPAUTH_SEARCH_USER', 'cn=your-user,dc=domain,dc=com' ) // (optional) Privileged user to search with
+  * define( 'LDAPAUTH_SEARCH_PASS', 'the-pass') // (optional) (only if LDAPAUTH_SEARCH_USER set) Privileged user pass
+
+To check group membership before authenticating:
+  * define( 'LDAPAUTH_GROUP_ATTR', 'memberof' ) // (optional) LDAP groups attr
+  * define( 'LDAPAUTH_GROUP_REQ', 'the-group') // (only if LDAPAUTH_GROUP_REQ set) Group user must be in
+ 
 Troubleshooting
 ---------------
   * Check PHP error log usually at `/var/log/php.log`
diff --git a/plugin.php b/plugin.php
index 444cd52..afb06f8 100644
--- a/plugin.php
+++ b/plugin.php
@@ -80,7 +80,20 @@ function ldapauth_is_valid_user( $value ) {
 		$ldapConnection = ldap_connect(LDAPAUTH_HOST, LDAPAUTH_PORT);
 		if (!$ldapConnection) Die("Cannot connect to LDAP " . LDAPAUTH_HOST);
 		ldap_set_option($ldapConnection, LDAP_OPT_PROTOCOL_VERSION, 3);
-		$searchDn = ldap_search($ldapConnection, LDAPAUTH_BASE, LDAPAUTH_USERNAME_FIELD . "=" . $_REQUEST['username'] );
+		
+		// Check if using a privileged user account to search
+		if (defined('LDAPAUTH_SEARCH_USER') && defined('LDAPAUTH_SEARCH_PASS')) {
+			if (!@ldap_bind($ldapConnection, LDAPAUTH_SEARCH_USER, LDAPAUTH_SEARCH_PASS)) {
+				die('Couldn\'t bind search user ' . LDAPAUTH_SEARCH_USER);
+			}
+		}
+		
+		// Limit the attrs to the ones we need
+		$attrs = array('dn', LDAPAUTH_USERNAME_FIELD);
+		if (defined('LDAPAUTH_GROUP_ATTR'))
+			array_push($attrs, LDAPAUTH_GROUP_ATTR);
+			
+		$searchDn = ldap_search($ldapConnection, LDAPAUTH_BASE, LDAPAUTH_USERNAME_FIELD . "=" . $_REQUEST['username'], $attrs );
 		if (!$searchDn) return $value;
 		$searchResult = ldap_get_entries($ldapConnection, $searchDn);
 		if (!$searchResult) return $value;
@@ -92,6 +105,18 @@ function ldapauth_is_valid_user( $value ) {
 		// success?
 		if ($ldapSuccess)
 		{
+			// are we checking group auth?
+			if (defined('LDAPAUTH_GROUP_ATTR') && defined('LDAPAUTH_GROUP_REQ')) {
+				if (!array_key_exists(LDAPAUTH_GROUP_ATTR, $searchResult[0])) die('Not in any LDAP groups');
+				
+				$in_group = false;
+				foreach($searchResult[0][LDAPAUTH_GROUP_ATTR] as $grps) {
+					if (strtolower($grps) == strtolower(LDAPAUTH_GROUP_REQ)) { $in_group = true; error_log("YESSS"); break;  }
+				}
+				
+				if (!$in_group) die('Not in admin group');
+			}
+			
 			$username = $searchResult[0][LDAPAUTH_USERNAME_FIELD][0];
 			yourls_set_user($username);
 			global $yourls_user_passwords;