diff --git a/src/www/system_authservers.php b/src/www/system_authservers.php
index c52315fef..b3689cc41 100644
--- a/src/www/system_authservers.php
+++ b/src/www/system_authservers.php
@@ -89,6 +89,7 @@ if ($_SERVER['REQUEST_METHOD'] === 'GET') {
                 $pconfig['ldap_bindpw'] = $a_server[$id]['ldap_bindpw'];
             }
             $pconfig['ldap_read_properties'] = !empty($a_server[$id]['ldap_read_properties']);
+            $pconfig['ldap_sync_memberof'] = !empty($a_server[$id]['ldap_sync_memberof']);
         } elseif ($pconfig['type'] == "radius") {
             $pconfig['radius_host'] = $a_server[$id]['host'];
             $pconfig['radius_auth_port'] = $a_server[$id]['radius_auth_port'];
@@ -240,6 +241,7 @@ if ($_SERVER['REQUEST_METHOD'] === 'GET') {
                   }
               }
               $server['ldap_read_properties'] = !empty($pconfig['ldap_read_properties']);
+              $server['ldap_sync_memberof'] = !empty($pconfig['ldap_sync_memberof']);
           } elseif ($server['type'] == "radius") {
               $server['host'] = $pconfig['radius_host'];
 
@@ -310,7 +312,7 @@ if ($_SERVER['REQUEST_METHOD'] === 'GET') {
 $all_authfields = array(
     'type','name','ldap_caref','ldap_host','ldap_port','ldap_urltype','ldap_protver','ldap_scope',
     'ldap_basedn','ldap_authcn','ldap_extended_query','ldap_binddn','ldap_bindpw','ldap_attr_user',
-    'ldap_read_properties', 'radius_host',
+    'ldap_read_properties', 'ldap_sync_memberof', 'radius_host',
     'radius_auth_port','radius_acct_port','radius_secret','radius_timeout','radius_srvcs'
 );
 
@@ -478,6 +480,14 @@ $( document ).ready(function() {
             }, "json");
         }
     });
+    $("#ldap_read_properties").change(function(){
+        if ($(this).is(":checked")) {
+            $("#ldap_sync_memberof").prop('disabled', false);
+        } else {
+            $("#ldap_sync_memberof").prop('disabled', true);
+        }
+    });
+    $("#ldap_read_properties").change();
 });
 </script>
 
@@ -746,6 +756,18 @@ endif; ?>
                     </div>
                   </td>
                 </tr>
+                <tr class="auth_ldap auth_ldap-totp auth_options hidden">
+                  <td><a id="help_for_ldap_sync_memberof" href="#" class="showhelp"><i class="fa fa-info-circle"></i></a> <?=gettext('Synchronize groups'); ?></td>
+                  <td>
+                    <input id="ldap_sync_memberof" name="ldap_sync_memberof" type="checkbox" <?= empty($pconfig['ldap_sync_memberof']) ? '' : 'checked="checked"';?> />
+                    <div class="hidden" data-for="help_for_ldap_sync_memberof">
+                      <?= gettext("Synchronize groups specified by memberOf attribute after login, this option requires to enable read properties. ".
+                                  "Groups will be extracted from the first CN= section and will only be considered when already existing in OPNsense. ".
+                                  "Group memberships will be persisted in OPNsense. ".
+                                  "Use the server test tool to check if memberOf is returned by your LDAP server before enabling.");?>
+                    </div>
+                  </td>
+                </tr>
                 <!-- RADIUS -->
                 <tr class="auth_radius auth_options hidden">
                   <td><i class="fa fa-info-circle text-muted"></i> <?=gettext("Hostname or IP address");?></td>
