diff --git a/apps/emqx_dashboard_sso/src/emqx_dashboard_sso_ldap.erl b/apps/emqx_dashboard_sso/src/emqx_dashboard_sso_ldap.erl
index 395deea7d..d6acbb164 100644
--- a/apps/emqx_dashboard_sso/src/emqx_dashboard_sso_ldap.erl
+++ b/apps/emqx_dashboard_sso/src/emqx_dashboard_sso_ldap.erl
@@ -106,23 +106,19 @@ ensure_bind_password(Config) ->
 Config#{bind_password => <<"${password}">>}.
 adjust_ldap_fields(Fields) ->
- adjust_ldap_fields(Fields, []).
+ lists:map(fun adjust_ldap_field/1, Fields).
-adjust_ldap_fields([{filter, Meta} | T], Acc) ->
- adjust_ldap_fields(
- T,
- [
- {filter, Meta#{
- default => <<"(objectClass=user)">>,
- example => <<"(objectClass=user)">>
- }}
- | Acc
- ]
- );
-adjust_ldap_fields([Any | T], Acc) ->
- adjust_ldap_fields(T, [Any | Acc]);
-adjust_ldap_fields([], Acc) ->
- lists:reverse(Acc).
+adjust_ldap_field({base_dn, Meta}) ->
+ {base_dn, maps:remove(example, Meta)};
+adjust_ldap_field({filter, Meta}) ->
+ Default = <<"(& (objectClass=person) (uid=${username}))">>,
+ {filter, Meta#{
+ desc => ?DESC(filter),
+ default => Default,
+ example => Default
+ }};
+adjust_ldap_field(Any) ->
+ Any.
 login(
 #{<<"username">> := Username} = Req,
diff --git a/rel/i18n/emqx_dashboard_sso_ldap.hocon b/rel/i18n/emqx_dashboard_sso_ldap.hocon
index f15975416..db837c81b 100644
--- a/rel/i18n/emqx_dashboard_sso_ldap.hocon
+++ b/rel/i18n/emqx_dashboard_sso_ldap.hocon
@@ -8,4 +8,11 @@ query_timeout.desc:
 query_timeout.label:
 """Query Timeout"""
+
+filter.desc:
+"""The filter for matching users in LDAP is by default `(&(objectClass=person)(uid=${username}))`. For Active Directory, it should be set to `(&(objectClass=user)(sAMAccountName=${username}))` by default. Please refer to [LDAP Filters](https://ldap.com/ldap-filters/) for more details."""
+
+filter.label:
+"""Filter"""
+
 }
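Review bot: The new default filter in `adjust_ldap_field({filter, Meta})` places `${username}` inside an LDAP search filter, and nothing in this hunk shows that the value is escaped before substitution. The username comes from the dashboard login request (`login/2` begins at the end of the hunk and its body is outside it), so the code that renders the filter should escape the RFC 4515 special characters, and a comment above `Default` would record that requirement: `%% ${username} is taken from the login request; it must be filter-escaped (RFC 4515) when rendered`. Separately, the default is written with spaces, `(& (objectClass=person) (uid=${username}))`, while the new `filter.desc` text documents `(&(objectClass=person)(uid=${username}))`; using the same string in both places avoids confusion for operators who copy it into other LDAP tools.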