diff --git a/cmd/portunus-orchestrator/config.go b/cmd/portunus-orchestrator/config.go
index 4db19f2..290128a 100644
--- a/cmd/portunus-orchestrator/config.go
+++ b/cmd/portunus-orchestrator/config.go
@@ -23,7 +23,7 @@ type valueCheck struct {
 }
 
 var (
-	userOrGroupPattern = `^[a-z_][a-z0-9_-]*\$?$`
+	userOrGroupPattern = `^[a-z_][a-z0-9._-]*\$?$`
 	envDefaults        = map[string]string{
 		//empty value = not optional
 		"PORTUNUS_DEBUG":              "false",
diff --git a/internal/grammars/grammars.go b/internal/grammars/grammars.go
index 1253c05..e458fd0 100644
--- a/internal/grammars/grammars.go
+++ b/internal/grammars/grammars.go
@@ -39,7 +39,7 @@ const (
 	// This regex is based on the respective format description in the useradd(8) manpage.
 	//
 	// This is only shown for documentation purposes here; use func IsPOSIXAccountName instead.
-	POSIXAccountNameRegex = `^[a-z_][a-z0-9_-]*\$?$`
+	POSIXAccountNameRegex = `^[a-z_][a-z0-9._-]*\$?$`
 )
 
 //TODO There is also some `import "regexp"` in cmd/orchestrator/ldap.go to render
@@ -159,7 +159,7 @@ func checkByteInPOSIXAccountName(idx, length int, b byte) bool {
 	switch {
 	case (b >= 'a' && b <= 'z') || b == '_':
 		return true
-	case (b >= '0' && b <= '9') || b == '-':
+	case (b >= '0' && b <= '9') || b == '-' || b == '.':
 		return idx != 0 // not allowed at start
 	default:
 		return false