diff --git a/src/ldap.js b/src/ldap.js
index eb38447d3..a5b73cdff 100644
--- a/src/ldap.js
+++ b/src/ldap.js
@@ -105,40 +105,48 @@ function userSearch(req, res, next) {
 function groupSearch(req, res, next) {
     debug('group search: dn %s, scope %s, filter %s (from %s)', req.dn.toString(), req.scope, req.filter.toString(), req.connection.ldap.id);
 
-    user.list(function (error, result){
-        if (error) return next(new ldap.OperationsError(error.toString()));
+    getAppByRequest(req, function (error, app) {
+        if (error) return next(error);
 
-        var groups = [{
-            name: 'users',
-            admin: false
-        }, {
-            name: 'admins',
-            admin: true
-        }];
+        user.list(function (error, result){
+            if (error) return next(new ldap.OperationsError(error.toString()));
 
-        groups.forEach(function (group) {
-            var dn = ldap.parseDN('cn=' + group.name + ',ou=groups,dc=cloudron');
-            var members = group.admin ? result.filter(function (entry) { return entry.admin; }) : result;
+            async.filter(result, apps.hasAccessTo.bind(null, app), function (error, result) {
+                if (error) return next(new ldap.OperationsError(error.toString()));
 
-            var obj = {
-                dn: dn.toString(),
-                attributes: {
-                    objectclass: ['group'],
-                    cn: group.name,
-                    memberuid: members.map(function(entry) { return entry.id; })
-                }
-            };
+                var groups = [{
+                    name: 'users',
+                    admin: false
+                }, {
+                    name: 'admins',
+                    admin: true
+                }];
 
-            // ensure all filter values are also lowercase
-            var lowerCaseFilter = safe(function () { return ldap.parseFilter(req.filter.toString().toLowerCase()); }, null);
-            if (!lowerCaseFilter) return next(new ldap.OperationsError(safe.error.toString()));
+                groups.forEach(function (group) {
+                    var dn = ldap.parseDN('cn=' + group.name + ',ou=groups,dc=cloudron');
+                    var members = group.admin ? result.filter(function (entry) { return entry.admin; }) : result;
 
-            if ((req.dn.equals(dn) || req.dn.parentOf(dn)) && lowerCaseFilter.matches(obj.attributes)) {
-                res.send(obj);
-            }
+                    var obj = {
+                        dn: dn.toString(),
+                        attributes: {
+                            objectclass: ['group'],
+                            cn: group.name,
+                            memberuid: members.map(function(entry) { return entry.id; })
+                        }
+                    };
+
+                    // ensure all filter values are also lowercase
+                    var lowerCaseFilter = safe(function () { return ldap.parseFilter(req.filter.toString().toLowerCase()); }, null);
+                    if (!lowerCaseFilter) return next(new ldap.OperationsError(safe.error.toString()));
+
+                    if ((req.dn.equals(dn) || req.dn.parentOf(dn)) && lowerCaseFilter.matches(obj.attributes)) {
+                        res.send(obj);
+                    }
+                });
+
+                res.end();
+            });
         });
-
-        res.end();
     });
 }
 
diff --git a/src/test/ldap-test.js b/src/test/ldap-test.js
index b1a3228d1..269fe4d84 100644
--- a/src/test/ldap-test.js
+++ b/src/test/ldap-test.js
@@ -453,7 +453,7 @@ describe('Ldap', function () {
             });
         });
 
-        it ('does not list users who have access', function (done) {
+        it ('does only list users who have access', function (done) {
             appdb.update(APP_0.id, { accessRestriction: { users: [], groups: [ GROUP_ID ] } }, function (error) {
                 expect(error).to.be(null);
 
@@ -577,6 +577,41 @@ describe('Ldap', function () {
                 });
             });
         });
+
+        it ('does only list users who have access', function (done) {
+            appdb.update(APP_0.id, { accessRestriction: { users: [], groups: [ GROUP_ID ] } }, function (error) {
+                expect(error).to.be(null);
+
+                var client = ldap.createClient({ url: 'ldap://127.0.0.1:' + config.get('ldapPort') });
+
+                var opts = {
+                    filter: '&(objectclass=group)(cn=*)'
+                };
+
+                client.search('ou=groups,dc=cloudron', opts, function (error, result) {
+                    expect(error).to.be(null);
+                    expect(result).to.be.an(EventEmitter);
+
+                    var entries = [];
+
+                    result.on('searchEntry', function (entry) { entries.push(entry.object); });
+                    result.on('error', done);
+                    result.on('end', function (result) {
+                        expect(result.status).to.equal(0);
+                        expect(entries.length).to.equal(2);
+                        expect(entries[0].cn).to.equal('users');
+                        expect(entries[0].memberuid.length).to.equal(2);
+                        expect(entries[0].memberuid[0]).to.equal(USER_0.id);
+                        expect(entries[0].memberuid[1]).to.equal(USER_1.id);
+                        expect(entries[1].cn).to.equal('admins');
+                        // if only one entry, the array becomes a string :-/
+                        expect(entries[1].memberuid).to.equal(USER_0.id);
+
+                        appdb.update(APP_0.id, { accessRestriction: null }, done);
+                    });
+                });
+            });
+        });
     });
 
     function ldapSearch(dn, filter, callback) {