diff --git a/doc/tac_plus-ng.html b/doc/tac_plus-ng.html index 1be0ff0..00788c0 100644 --- a/doc/tac_plus-ng.html +++ b/doc/tac_plus-ng.html @@ -3514,6 +3514,13 @@

5.1. LDAP Backends

+LDAP_FILTER_POSIXGROUP + +

LDAP search filter for posix groups. Default:

+

"(&(objectclass=posixGroup)(memberUid=%s))"

+ + + LDAP_USER

User to use for LDAP bind if server doesn't permit anonymous searches.

@@ -3587,6 +3594,13 @@

5.1. LDAP Backends

Example: 1

+ +LDAP_POSIXGROUP + +

Also lookup for posix group memberships if enabled.

+

Example: 1

+ + diff --git a/doc/tac_plus-ng.txt b/doc/tac_plus-ng.txt index 8092721..a2e8bcf 100644 --- a/doc/tac_plus-ng.txt +++ b/doc/tac_plus-ng.txt @@ -2893,6 +2893,11 @@ int async 1 LDAP search filter for groups. Default: "(&(objectclass=groupOfNames)(member=%s))" + LDAP_FILTER_POSIXGROUP + + LDAP search filter for posix groups. Default: + + "(&(objectclass=posixGroup)(memberUid=%s))" LDAP_USER User to use for LDAP bind if server doesn't permit anonymous @@ -2949,6 +2954,11 @@ int async 1 Limit nested group lookups to the given value. Unlimited if unset. + Example: 1 + LDAP_POSIXGROUP + + Also lookup for posix group memberships if enabled. + Example: 1 __________________________________________________________ diff --git a/mavis/perl/mavis_tacplus-ng_ldap.pl b/mavis/perl/mavis_tacplus-ng_ldap.pl index 435f917..8e4a207 100755 --- a/mavis/perl/mavis_tacplus-ng_ldap.pl +++ b/mavis/perl/mavis_tacplus-ng_ldap.pl @@ -123,6 +123,7 @@ my @LDAP_BIND; my $LDAP_FILTER; my $LDAP_FILTER_GROUP = "(&(objectclass=groupOfNames)(member=%s))"; +my $LDAP_FILTER_POSIXGROUP = "(&(objectclass=posixGroup)(memberUid=%s))"; my $LDAP_HOSTS = ['ldaps://localhost']; my $LDAP_BASE = 'dc=example,dc=com'; my $LDAP_BASE_GROUP = undef; @@ -134,6 +135,7 @@ my $LDAP_TACMEMBER = "tacMember"; my $LDAP_TACMEMBER_MAP_OU = undef; my $LDAP_NESTED_GROUP_DEPTH = undef; +my $LDAP_POSIXGROUP = undef; my $use_starttls; my %tls_options; @@ -146,6 +148,7 @@ $LDAP_BASE_GROUP = $LDAP_BASE; $LDAP_SCOPE_GROUP = $ENV{'LDAP_SCOPE_GROUP'} if exists $ENV{'LDAP_SCOPE_GROUP'}; $LDAP_FILTER_GROUP = $ENV{'LDAP_FILTER_GROUP'} if exists $ENV{'LDAP_FILTER_GROUP'}; +$LDAP_FILTER_POSIXGROUP = $ENV{'LDAP_FILTER_POSIXGROUP'} if exists $ENV{'LDAP_FILTER_POSIXGROUP'}; $LDAP_BASE_GROUP = $ENV{'LDAP_BASE_GROUP'} if exists $ENV{'LDAP_BASE_GROUP'}; $LDAP_FILTER = $ENV{'LDAP_FILTER'} if exists $ENV{'LDAP_FILTER'}; $LDAP_CONNECT_TIMEOUT = $ENV{'LDAP_CONNECT_TIMEOUT'} if exists $ENV{'LDAP_CONNECT_TIMEOUT'}; 
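Review bot: The new `$LDAP_FILTER_POSIXGROUP` default carries a `%s` placeholder, but neither this declaration nor the documentation text added in the same commit says what it is expanded with; in the later search hunk it is fed `$V[AV_A_USER]`, the login name, whereas the neighbouring `(member=%s)` in `$LDAP_FILTER_GROUP` presumably receives a DN. An administrator who copies the group-filter pattern into `LDAP_FILTER_POSIXGROUP` would silently get no matches, so I would document this at the declaration: `# %s is expanded with the login name (AV_A_USER), not the user's DN; the string is an sprintf format, so a literal % must be written %%`. The second half of that comment matters because the third hunk lets `$ENV{'LDAP_FILTER_POSIXGROUP'} ` replace the filter verbatim and sprintf will interpret any `%` it contains. These hunks are single-line additions between top-level declarations, so no enclosing block is cut.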
@@ -156,6 +159,7 @@ $LDAP_TACMEMBER = $ENV{'LDAP_TACMEMBER'} if exists $ENV{'LDAP_TACMEMBER'}; $LDAP_TACMEMBER_MAP_OU = $ENV{'LDAP_TACMEMBER_MAP_OU'} if exists $ENV{'LDAP_TACMEMBER_MAP_OU'}; $LDAP_NESTED_GROUP_DEPTH = $ENV{'LDAP_NESTED_GROUP_DEPTH'} if exists $ENV{'LDAP_NESTED_GROUP_DEPTH'}; +$LDAP_POSIXGROUP = $ENV{'LDAP_POSIXGROUP'} if exists $ENV{'LDAP_POSIXGROUP'}; use Net::LDAP qw(LDAP_INVALID_CREDENTIALS LDAP_CONSTRAINT_VIOLATION); use Net::LDAP::Constant qw(LDAP_EXTENSION_PASSWORD_MODIFY LDAP_CAP_ACTIVE_DIRECTORY); @@ -243,6 +247,21 @@ ($) return \@res; } +sub expand_posixGroup() { + my %H; + my $mesg = $ldap->search(base => $LDAP_BASE_GROUP, scope=>$LDAP_SCOPE_GROUP, filter=>sprintf($LDAP_FILTER_POSIXGROUP, $V[AV_A_USER]), attrs=>['cn']); + if ($mesg->code){ + $V[AV_A_USER_RESPONSE] = $mesg->error . " (" . __LINE__ . ")"; + goto fatal; + } + my $cn; + foreach my $entry ($mesg->entries) { + $H{$cn} = 1 if $cn = $entry->get_value('cn'); + } + my @res = sort keys %H; + return \@res; +} + while ($in = <>) { my ($a, $result); @@ -356,14 +375,21 @@ ($) $ldap->root_dse->supported_extension(LDAP_EXTENSION_PASSWORD_MODIFY); } $mesg = $ldap->search(base => $LDAP_BASE, filter => sprintf($LDAP_FILTER, $V[AV_A_USER]), scope => $LDAP_SCOPE, - attrs => ['shadowExpire','memberOf','dn', 'uidNumber', 'gidNumber', 'loginShell', 'homeDirectory', 'sshPublicKey', + attrs => ['shadowExpire', 'memberOf', 'dn', 'uidNumber', 'gidNumber', 'loginShell', 'homeDirectory', 'sshPublicKey', 'krbPasswordExpiration', $LDAP_TACMEMBER]); if ($mesg->count() == 1) { my $entry = $mesg->entry(0); - my $val = $entry->get_value('memberOf', asref => 1); - $authdn = $entry->dn; my (@M, @MO); + my $val; + + if (defined $LDAP_POSIXGROUP and $LDAP_POSIXGROUP) { + $val = expand_posixGroup(); + @M = @$val; + } + + $val = $entry->get_value('memberOf', asref => 1); + $authdn = $entry->dn; if ($#{$val} > -1) { $val = expand_memberof($val); } else { 
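Review bot: In `expand_posixGroup` the login name `$V[AV_A_USER]` is placed into the search filter via `sprintf` without escaping, so a name containing `*`, `(`, `)` or `\` changes the structure of the filter (LDAP filter injection). Because the returned cn values become the user's group list for TACACS+ authorization, an altered filter can change which groups the server sees; the user lookup `sprintf($LDAP_FILTER, $V[AV_A_USER])` a few lines further down has the same pre-existing pattern, but this commit adds a second, authorization-relevant instance. Net::LDAP provides an escaper for this: `filter => sprintf($LDAP_FILTER_POSIXGROUP, escape_filter_value($V[AV_A_USER]))`, with `use Net::LDAP::Util qw(escape_filter_value);` next to the existing `use Net::LDAP` lines if the module is not already imported elsewhere in the file. How much an injected filter can actually gain depends on the `fatal:` path and the bind logic outside this hunk, so the severity is to be confirmed rather than asserted. Two smaller points: `goto fatal` out of a subroutine is legal Perl but fragile and hard to follow, and the `if ($mesg->count() == 1)` block that consumes `expand_posixGroup()` continues past the end of the hunk.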
@@ -375,6 +401,7 @@ ($) push @MO, $m; } } + $V[AV_A_TACMEMBER] = '"' . join('","', @M) . '"' if $#M > -1; $V[AV_A_MEMBEROF] = '"' . join('","', @MO) . '"' if $#MO > -1; $V[AV_A_DN] = $authdn;
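Review bot: The new `$V[AV_A_TACMEMBER]` assignment wraps each group cn in double quotes joined by `","` but does not escape a `"` or `,` inside a cn, so a group whose name contains either would corrupt the list the server parses; the existing `AV_A_MEMBEROF` line has the same shape, but this line now carries the posixGroup results that drive authorization. Group names are directory-administrator data, so the risk is low, but a comment at this line saying `# cn values are not escaped; group names must not contain " or ,` would at least record the assumption. The assignment is also conditional on `$#M > -1`, so a user with no groups leaves `AV_A_TACMEMBER` at whatever value it held before; if something outside this hunk (for example the `$LDAP_TACMEMBER` attribute requested in the search) also sets it, please confirm which value should win. The enclosing block starts before this hunk.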