diff --git a/core/src/main/java/hudson/security/LDAPSecurityRealm.java b/core/src/main/java/hudson/security/LDAPSecurityRealm.java index 8fceded..9c047fe 100644 --- a/core/src/main/java/hudson/security/LDAPSecurityRealm.java +++ b/core/src/main/java/hudson/security/LDAPSecurityRealm.java @@ -42,6 +42,7 @@ import java.util.logging.Logger; import java.util.regex.Matcher; import java.util.regex.Pattern; + /** * {@link SecurityRealm} implementation that uses LDAP for authentication. * @@ -78,6 +79,15 @@ public class LDAPSecurityRealm extends SecurityRealm { * @see FilterBasedLdapUserSearch */ public final String userSearch; + + /** + * This defines the organizational unit that contains groups. + * + * Normally "ou=groups" + * + * @see FilterBasedLdapUserSearch + */ + public final String groupSearchBase; /* Other configurations that are needed: @@ -106,13 +116,14 @@ public class LDAPSecurityRealm extends SecurityRealm { private final String managerPassword; @DataBoundConstructor - public LDAPSecurityRealm(String server, String rootDN, String userSearchBase, String userSearch, String managerDN, String managerPassword) { + public LDAPSecurityRealm(String server, String rootDN, String userSearchBase, String userSearch, String groupSearchBase, String managerDN, String managerPassword) { this.server = server.trim(); if(Util.fixEmptyAndTrim(rootDN)==null) rootDN=Util.fixNull(inferRootDN(server)); this.rootDN = rootDN.trim(); this.userSearchBase = userSearchBase.trim(); if(Util.fixEmptyAndTrim(userSearch)==null) userSearch="uid={0}"; this.userSearch = userSearch.trim(); + this.groupSearchBase = Util.fixEmptyAndTrim(groupSearchBase); this.managerDN = Util.fixEmpty(managerDN); if(Util.fixEmpty(managerPassword)==null) this.managerPassword = null; 
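Review bot: The Javadoc on the new `groupSearchBase` field repeats `@see FilterBasedLdapUserSearch` from the `userSearch` field just above it, but that class is the user lookup, not group resolution, so the reference is misleading on the field it now sits on. Point it at the class that actually consumes the value, `@see DeferredCreationLdapAuthoritiesPopulator`, and state that an empty value falls back to "ou=groups" (that fallback is applied in correctAuthoritiesPopulator elsewhere in this diff, not in the field itself). It would also help to say whether the base is resolved relative to rootDN, which the hunk does not show; confirm against the populator before writing that down.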
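Review bot: `this.groupSearchBase = Util.fixEmptyAndTrim(groupSearchBase);` leaves the public final field null for an empty form value, while the neighbouring `userSearch` line applies its "uid={0}" default in the constructor; the "ou=groups" default for groups is instead applied later in correctAuthoritiesPopulator, so the field a caller reads and the value the populator uses disagree. Apply the default here in the same shape as userSearch, `if(Util.fixEmptyAndTrim(groupSearchBase)==null) groupSearchBase="ou=groups";` followed by `this.groupSearchBase = groupSearchBase.trim();`, after which the null check in the populator fix-up is no longer needed. Note that `server.trim()` and `userSearchBase.trim()` already throw NullPointerException on a null argument; that is pre-existing and not changed by this commit. The constructor body continues past the end of the hunk.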
@@ -165,6 +176,7 @@ public class LDAPSecurityRealm extends SecurityRealm { BeanBuilder builder = new BeanBuilder(); builder.parse(Hudson.getInstance().servletContext.getResourceAsStream("/WEB-INF/security/LDAPBindSecurityRealm.groovy"),binding); final WebApplicationContext appContext = builder.createApplicationContext(); + correctAuthoritiesPopulator(appContext); return new SecurityComponents( findBean(AuthenticationManager.class, appContext), @@ -181,6 +193,15 @@ public class LDAPSecurityRealm extends SecurityRealm { }); } + /** + * Adjust the authoritiesPopulator bean to have the correct groupSearchBase + * @param appContext + */ + private void correctAuthoritiesPopulator(WebApplicationContext appContext) { + DeferredCreationLdapAuthoritiesPopulator factory = (DeferredCreationLdapAuthoritiesPopulator) appContext.getBean("authoritiesPopulator"); + factory.setGroupSearchBase(groupSearchBase==null ? "ou=groups" : groupSearchBase); + } + /** * If the security realm is LDAP, try to pick up e-mail address from LDAP. */ diff --git a/core/src/main/resources/hudson/security/LDAPSecurityRealm/config.jelly b/core/src/main/resources/hudson/security/LDAPSecurityRealm/config.jelly index 2757495..ee2b322 100644 --- a/core/src/main/resources/hudson/security/LDAPSecurityRealm/config.jelly +++ b/core/src/main/resources/hudson/security/LDAPSecurityRealm/config.jelly @@ -13,6 +13,9 @@ + + +
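Review bot: `correctAuthoritiesPopulator(appContext);` patches the populator after the context is built, instead of handing groupSearchBase to the Groovy script through the `binding` that `builder.parse(...)` already receives on the line above it. If that binding exposes this realm's fields to LDAPBindSecurityRealm.groovy (not visible in this hunk), setting the value there would keep the bean configuration in one place and avoid the by-name lookup the helper performs. The enclosing method starts before the hunk.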
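Review bot: `(DeferredCreationLdapAuthoritiesPopulator) appContext.getBean("authoritiesPopulator")` is an unchecked by-name lookup and cast, while the code a few lines up resolves beans with the typed helper `findBean(AuthenticationManager.class, appContext)`; if the Groovy config ever wires a different populator under that name, this line fails with a bare ClassCastException rather than whatever diagnostic findBean presumably gives. Use the same helper, `findBean(DeferredCreationLdapAuthoritiesPopulator.class, appContext).setGroupSearchBase(groupSearchBase==null ? "ou=groups" : groupSearchBase);`, so a misconfiguration surfaces the way the rest of this method reports one. The Javadoc `@param appContext` carries no description; complete it, e.g. `@param appContext the context built from LDAPBindSecurityRealm.groovy whose "authoritiesPopulator" bean is adjusted in place`.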