DEPRECATION WARNING

This documentation is not using the current rendering mechanism and is probably outdated. The extension maintainer should switch to the new system. Details on how to use the rendering mechanism can be found here.

# FE_GROUPS and BE_GROUPS¶

The fourth and sixth tabs can be filled exactly the same way. The only difference between them is that FE_GROUPS stores the configurations for the frontend LDAP user group association and BE_GROUPS stores the configurations for the backend LDAP user group association.

You may only fill the sections you need; that is, FE_GROUPS if you need frontend authentication and BE_GROUPS if you need backend authentication.

You should skip this entire section if you just want to validate the authentication and do not want to use any groups coming from LDAP.

Sections:

## Base DN¶

Full DN path of the directory containing all the groups that are related to your LDAP users and you want to use in your TYPO3 website.

Example:

ou=groups,dc=example,dc=com


Caution

Be sure you do not include any blank space between the DN’s arguments, e.g.,

ou=groups, dc=example, dc=com


because this will break the membership since LDAP servers are returning a DN without any blank space and this extension is doing a simple string comparison as a security measure.

## Filter¶

Filter to be used to add restrictions that allow you to exclude objects from specific properties. The syntax used in this field is the standard LDAP search syntax.

This field should not be left empty although it is not marked as required. Be sure to always double-check your configuration using the wizard in the backend module.

Example:

(objectClass=posixGroup)


Note

The string {USERDN} will be substituted by the Distinguished Name (DN) of the authenticated user, the string {USERUID} will be substituted by the uid attribute of the authenticated user.

Hint

When using OpenLDAP, the group membership is usually stored within attribute memberUid of the group itself, and not within attribute memberOf of the user. In order to properly retrieve and associate groups for the user, you should use a filter of the form:

(&(memberUid={USERUID})(objectClass=posixGroup))


Warning

When using ActiveDirectory, you typically set the option Relation between groups and users to User contains the list of its associated groups. If so, you must add a line mapping the “usergroup” for your user. This mapping will not be actually used by TYPO3 but will let the LDAP engine know which attribute is used to evaluate the group membership.

Example:

usergroup = <memberOf>


Important: This is a user mapping instruction.

If you forget to do so, every group in LDAP will be imported to TYPO3 and your user will be a member of each and every one.

## Mapping¶

Mapping to be used to fetch other attributes form the LDAP server that we would like groups to have. Please see syntax and examples in the description of mapping for users.