diff --git a/hosts/hydra/default.nix b/hosts/hydra/default.nix
index af07c907..6bdd6fb0 100644
--- a/hosts/hydra/default.nix
+++ b/hosts/hydra/default.nix
@@ -170,7 +170,7 @@ in
                 # Important for role mappings to work:
                 use_roles = 1
                 role_basedn = "ou=groups,dc=c3d2,dc=de"
-                role_filter = "(&(objectclass=group)(%s))"
+                role_filter = "(&(objectclass=groupOfNames)(cn=hydra-admins))"
                 role_scope = one
                 role_field = cn
                 role_value = dn
@@ -182,6 +182,7 @@ in
             <role_mapping>
               # maps directly to user roles
               # Make all users in the hydra-admin group Hydra admins
+              # IMPORTANT: if new groups are used, they need to be added to the role_filter above
               hydra-admins = admin
               # Allow all users in the dev group to restart jobs and cancel builds
               #dev = restart-jobs