FE_GROUPS and BE_GROUPS
The fourth and sixth tabs can be filled exactly the same way. The only difference between them is that FE_GROUPS stores the configurations for the frontend LDAP user group association and BE_GROUPS stores the configurations for the backend LDAP user group association.
You may only fill the sections you need; that is, FE_GROUPS if you need frontend authentication and BE_GROUPS if you need backend authentication.
You should skip this entire section if you just want to validate the authentication and do not want to use any groups coming from LDAP.
Sections:
Base DN
Full DN path of the directory containing all the groups that are related to your LDAP users and that you want to use in your TYPO3 website.
Example:
ou=groups,dc=example,dc=com
Filter
LDAP search filter that restricts which objects are returned, letting you exclude objects based on specific properties. The syntax used in this field is the standard LDAP search syntax.
This field should not be left empty although it is not marked as required. Be sure to always double-check your configuration using the wizard in the backend module.
Example:
(objectClass=posixGroup)
Note
The string {USERDN} will be substituted by the Distinguished Name (DN) of the authenticated user, the string
{USERUID} will be substituted by the uid attribute of the authenticated user.
Hint
When using OpenLDAP, the group membership is usually stored within attribute memberUid of the group itself,
and not within attribute memberOf of the user. In order to properly retrieve and associate groups for the user,
you should use a filter of the form:
(&(memberUid={USERUID})(objectClass=posixGroup))
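The placeholder substitution and the OpenLDAP filter above, as an added Python example (not code from the extension): it expands {USERDN} and {USERUID} with RFC 4515 escaping and evaluates the result against constructed group entries, so you can see which groups each filter selects for one user. The member/groupOfNames filter, the sample entries and the simplified exact-match evaluator are assumptions; the page does not state how the extension escapes substituted values.

```python
import re

# RFC 4515 section 3: characters that must be hex-escaped inside a filter value.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}

def escape_filter_value(value):
    return "".join(_ESCAPES.get(ch, ch) for ch in value)

def expand_filter(template, user_dn, user_uid):
    """Substitute {USERDN} and {USERUID} in one pass, escaping each value."""
    values = {"{USERDN}": user_dn, "{USERUID}": user_uid}
    return re.sub(r"\{USER(?:DN|UID)\}",
                  lambda m: escape_filter_value(values[m.group(0)]), template)

def _unescape(value):
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)

def matches(ldap_filter, entry):
    """Simplified evaluator (exact match) for (attr=value) and (&(a=b)(c=d)) only."""
    if ldap_filter.startswith("(&"):
        return all(matches("(" + part + ")", entry)
                   for part in re.findall(r"\(([^()]+)\)", ldap_filter[2:-1]))
    attr, _, value = ldap_filter[1:-1].partition("=")
    return _unescape(value) in entry.get(attr, [])

def groups_for(template, user_dn, user_uid, groups):
    expanded = expand_filter(template, user_dn, user_uid)
    return sorted(cn for cn, entry in groups.items() if matches(expanded, entry))

# Constructed sample data: three groups under ou=groups,dc=example,dc=com.
GROUPS = {
    "editors": {"objectClass": ["posixGroup"], "memberUid": ["jdoe", "asmith"]},
    "admins": {"objectClass": ["posixGroup"], "memberUid": ["asmith"]},
    "staff": {"objectClass": ["groupOfNames"],
              "member": ["cn=Doe\\, John,ou=people,dc=example,dc=com"]},
}
# Constructed user; the DN holds an escaped comma, so it contains a backslash.
USER_DN, USER_UID = "cn=Doe\\, John,ou=people,dc=example,dc=com", "jdoe"

if __name__ == "__main__":
    for template in ("(objectClass=posixGroup)",
                     "(&(memberUid={USERUID})(objectClass=posixGroup))",
                     "(&(member={USERDN})(objectClass=groupOfNames))"):
        print(template, "->", groups_for(template, USER_DN, USER_UID, GROUPS))
```

The backslash in the sample DN is the case to watch: it has to reach the server as \5c inside the filter, otherwise the membership comparison does not see the stored DN.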
Warning
When using Active Directory, you typically set the option Relation between groups and users to
User contains the list of its associated groups. If so, you must add a line mapping the “usergroup” for
your user. This mapping will not actually be used by TYPO3 but will let the LDAP engine know which attribute is
used to evaluate the group membership.
Example:
usergroup = <memberof>
Important: This is a user mapping instruction.
If you forget to do so, every group in LDAP will be imported to TYPO3 and your user will be a member of each and every one.
Mapping
Mapping to be used to fetch other attributes from the LDAP server that we would like groups to have. Please see syntax and examples in the description of mapping for users.