diff --git a/app/controllers/auth/ldap/LDAPAuthConfig.scala b/app/controllers/auth/ldap/LDAPAuthConfig.scala
index 1ac809bb..d2c16e72 100644
--- a/app/controllers/auth/ldap/LDAPAuthConfig.scala
+++ b/app/controllers/auth/ldap/LDAPAuthConfig.scala
@@ -21,10 +21,11 @@ class LDAPAuthConfig(config: Configuration) extends AuthConfig {
 LDAPGroupSearchConfig(
 groupAuthConfig.getOptional[String]("base-dn").getOrElse(baseDN),
 getSetting("user-attr")(groupAuthConfig),
+ groupAuthConfig.getOptional[String]("user-attr-template").getOrElse(userTemplate),
 group
 )
 }
 }
 }
-case class LDAPGroupSearchConfig(baseDN: String, userAttr: String, group: String)
+case class LDAPGroupSearchConfig(baseDN: String, userAttr: String, userAttrTemplate:String, group: String)
diff --git a/app/controllers/auth/ldap/LDAPAuthService.scala b/app/controllers/auth/ldap/LDAPAuthService.scala
index ece5e2e1..98d9a934 100644
--- a/app/controllers/auth/ldap/LDAPAuthService.scala
+++ b/app/controllers/auth/ldap/LDAPAuthService.scala
@@ -40,7 +40,7 @@ class LDAPAuthService @Inject()(globalConfig: Configuration) extends AuthService
 props.put(Context.SECURITY_PRINCIPAL, config.bindDN)
 props.put(Context.SECURITY_CREDENTIALS, config.bindPwd)
 props.put(Context.REFERRAL, "follow")
- val user = config.userTemplate.format(username, config.baseDN)
+ val user = groupConfig.userAttrTemplate.format(username, config.baseDN)
 val controls = new SearchControls()
 controls.setSearchScope(SearchControls.SUBTREE_SCOPE)
 try {
diff --git a/conf/application.conf b/conf/application.conf
index 61640a9a..ff82241b 100644
--- a/conf/application.conf
+++ b/conf/application.conf
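Review bot: The new constructor parameter is written `userAttrTemplate:String`, without the space after the colon that the neighbouring parameters use; `userAttrTemplate: String` keeps the case class consistent. Inserting the parameter before `group` also changes the positional signature, so any positional `LDAPGroupSearchConfig(...)` constructor call or extractor pattern outside this diff would need updating (the compiler will catch it, but it is worth a search). A one-line Scaladoc on the case class stating that `userAttrTemplate` is a `String.format` template given the username and base DN, falling back to the parent `user-template` when the group setting is unset, would document the new contract. The `LDAPAuthConfig` method that builds this value starts outside the hunk.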
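Review bot: The replaced `val user` line still formats the raw `username` into the template, so whatever `userAttrTemplate` expands to (a DN component or a search filter — how `user` is consumed is not visible in this hunk) is built from unescaped input; the commit moves the template to the group config but does not add escaping. If `user` ends up in a search filter, the filter-special characters in `username` should be escaped per RFC 4515 before `format`; if it ends up in a DN, RFC 4514 escaping applies instead — either way a short comment on this line should say which one the template is expected to produce. A comment such as `// userAttrTemplate already falls back to the parent user-template when unset` would also save the next reader from looking for a None case. The enclosing method and the `groupConfig` definition are outside the hunk.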
@@ -46,6 +46,9 @@ auth = {
 base-dn = ${?LDAP_GROUP_BASE_DN}
 // Attribute that represent the user, for example uid or mail
 user-attr = ${?LDAP_USER_ATTR}
+ // Define a separate template for user-attr
+ // If left unset parent's user-template will be used
+ user-attr-template = ${?LDAP_USER_ATTR_TEMPLATE}
 // Filter that tests membership of the group. If this property is empty then there is no group membership check
 // AD example => memberOf=CN=mygroup,ou=ouofthegroup,DC=domain,DC=com
 // OpenLDAP example => CN=mygroup
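Review bot: The new comment for `user-attr-template` says nothing about the template's shape, which the Scala side fixes: the value is passed to `String.format` with the username as the first argument and the base DN as the second, so an operator needs to know which placeholder receives which. Suggest extending the first added line to `// Define a separate template for user-attr; it is formatted with (username, base-dn), like user-template` and tightening the second to `// If left unset, the parent's user-template is used`. The existing `// Attribute that represent the user` line above would also read better as `represents`.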