diff --git a/inc/inc.ClassLdapAuthentication.php b/inc/inc.ClassLdapAuthentication.php
index 9c8f4f552..92a2c3871 100644
--- a/inc/inc.ClassLdapAuthentication.php
+++ b/inc/inc.ClassLdapAuthentication.php
@@ -26,7 +26,55 @@ class SeedDMS_LdapAuthentication extends SeedDMS_Authentication {
 
   var $dms;
 
-  var $settings;
+	var $settings;
+
+	protected function addUser($username, $info) {
+		return $this->dms->addUser($username, null, $info['cn'][0], $info['mail'][0], $settings->_language, $settings->_theme, "", 0);
+	}
+
+	protected function updateUser($user, $info) {
+		if(isset($info['cn'][0]) && ($info['cn'][0] != $user->getFullName())) {
+			$user->setFullName($info['cn'][0]);
+		}
+		if(isset($info['mail'][0]) && ($info['mail'][0] != $user->getEmail())) {
+			$user->setEmail($info['mail'][0]);
+		}
+	}
+
+	protected function syncGroups($user, $ldapgroups) {
+		$groupnames = [];
+		$count = 0;
+		if(isset($ldapgroups['count']))
+			$count = (int) $ldapgroups['count'];
+		for ($i = 0; $i < $count; $i++) {
+			$tmp = ldap_explode_dn($ldapgroups[$i], 1);
+			if (!in_array($tmp[0], $groupnames)) {
+				$groupnames[] = $tmp[0];
+			}
+		}
+
+		/* Remove user from all groups not listed in LDAP */
+		$usergroups = $user->getGroups();
+		foreach($usergroups as $usergroup) {
+			if(!in_array($usergroup->getName(), $groupnames))
+				$user->leaveGroup($usergroup);
+		}
+
+		/* Add new groups and make user a member of it */
+		if($groupnames) {
+			foreach($groupnames as $groupname) {
+				$group = $this->dms->getGroupByName($groupname);
+				if($group) { /* Group already exists, just join it */
+					$user->joinGroup($group);
+				} else { /* Add group and join it */
+					$newgroup = $this->dms->addGroup($groupname, 'Added during LDAP Authentication');
+					if($newgroup) {
+						$user->joinGroup($newgroup);
+					}
+				}
+			}
+		}
+	}
 
   public function __construct($dms, $settings) { /* {{{ */
     $this->dms = $dms;
@@ -115,35 +163,57 @@ class SeedDMS_LdapAuthentication extends SeedDMS_Authentication {
 				$dn = $tmpDN;
 			}
 
-			/* Now do the actual authentication of the user */
-			$bind = @ldap_bind($ds, $dn, $password);
+			/* Check if user already exists in the database. Return with an error
+			 * only if the sql statements fails, but not if no user was found.
+			 */
 			$user = $dms->getUserByLogin($username);
 			if($user === false) {
 				ldap_close($ds);
 				return false;
 			}
-			if ($bind) {
-				// Successfully authenticated. Now check to see if the user exists within
-				// the database. If not, add them in if _restricted is not set,
-				// but do not add their password.
-				if (is_null($user) && !$settings->_restricted) {
-					// Retrieve the user's LDAP information.
-					if (isset($settings->_ldapFilter) && strlen($settings->_ldapFilter) > 0) {
-						$search = ldap_search($ds, $settings->_ldapBaseDN, "(&(".$ldapSearchAttribut.$username.")".$settings->_ldapFilter.")");
-					} else {
-						$search = ldap_search($ds, $settings->_ldapBaseDN, $ldapSearchAttribut.$username);
-					}
 
-					if (!is_bool($search)) {
-						$info = ldap_get_entries($ds, $search);
+			/* Now do the actual authentication of the user */
+			$bind = @ldap_bind($ds, $dn, $password);
+			if (!$bind) {
+				ldap_close($ds);
+				return false;
+			}
 
-						if (!is_bool($info) && $info["count"]==1 && $info[0]["count"]>0) {
-							$user = $dms->addUser($username, null, $info[0]['cn'][0], $info[0]['mail'][0], $settings->_language, $settings->_theme, "", 3);
+			// Successfully authenticated. Now check to see if the user exists within
+			// the database. If not, add them in if _restricted is not set,
+			// but do not add their password.
+			if (!$settings->_restricted) {
+				// Retrieve the user's LDAP information.
+				if (isset($settings->_ldapFilter) && strlen($settings->_ldapFilter) > 0) {
+					$search = ldap_search($ds, $settings->_ldapBaseDN, "(&(".$ldapSearchAttribut.$username.")".$settings->_ldapFilter.")");
+				} else {
+					$search = ldap_search($ds, $settings->_ldapBaseDN, $ldapSearchAttribut.$username);
+				}
+
+				if (!is_bool($search)) {
+					$info = ldap_get_entries($ds, $search);
+
+					if (!is_bool($info) && $info["count"]==1 && $info[0]["count"]>0) {
+						if (is_null($user)) {
+							$user = $this->addUser($username, $info[0]);
+						} else {
+							$this->updateUser($user, $info[0]);
+						}
+						/*
+						$this->syncGroups($user, [
+							'count'=>4,
+							0=>'CN=vergussmaschine_networkfolder,OU=groups,OU=sanube,DC=SALLABERGER,DC=local',
+							1=>'CN=Limesurvey,OU=groups,OU=sanube,DC=SALLABERGER,DC=local',
+							2=>'CN=Altium365,OU=groups,OU=sanube,DC=SALLABERGER,DC=local',
+							3=>'CN=Domain Admins,OU=groups,OU=sanube,DC=SALLABERGER,DC=local'
+						]
+						);
+						 */
+						if(!empty($settings->_ldapGroupField) && !empty($info[0][$settings->_ldapGroupField])) {
+							$this->syncGroups($user, $info[0][$settings->_ldapGroupField]);
 						}
 					}
 				}
-			} elseif($user) {
-				$user = false;
 			}
 			ldap_close($ds);
 
diff --git a/inc/inc.ClassSettings.php b/inc/inc.ClassSettings.php
index 34b86e5ed..e36fec8f9 100644
--- a/inc/inc.ClassSettings.php
+++ b/inc/inc.ClassSettings.php
@@ -373,6 +373,9 @@ class Settings { /* {{{ */
 	// Used only by AD <username>@_ldapAccountDomainName will be used for a bind
 	// when the user is validated
 	var $_ldapAccountDomainName = "";
+	// Name of the ldap field containing the groups of the user, e.g. memeberOf
+	// This field must contain the DN of the groups
+	var $_ldapGroupField = "";
 	// Type of Ldap server: 0 = ldap; 1 = AD
 	var $_ldapType = 1;
 	// Additional filter when searching for the user. If not set, the user will be searched
@@ -704,6 +707,7 @@ class Settings { /* {{{ */
 				$this->_ldapBindPw = strVal($connectorNode["bindPw"]);
 				$this->_ldapType = 0;
 				$this->_ldapFilter = strVal($connectorNode["filter"]);
+				$this->_ldapGroupField = strVal($connectorNode["groupField"]);
 			}
 			else if ($params['enable'] && ($typeConn == "AD"))
 			{
@@ -715,6 +719,7 @@ class Settings { /* {{{ */
 				$this->_ldapType = 1;
 				$this->_ldapFilter = strVal($connectorNode["filter"]);
 				$this->_ldapAccountDomainName = strVal($connectorNode["accountDomainName"]);
+				$this->_ldapGroupField = strVal($connectorNode["groupField"]);
 			}
 		}
 
diff --git a/views/bootstrap/class.Info.php b/views/bootstrap/class.Info.php
index 4b4bb439f..7259e5403 100644
--- a/views/bootstrap/class.Info.php
+++ b/views/bootstrap/class.Info.php
@@ -140,6 +140,7 @@ class SeedDMS_View_Info extends SeedDMS_Theme_Style {
 			echo "<th>".getMLText("directory_check_result")."</th>\n";
 			echo "</tr>\n</thead>\n<tbody>\n";
 			check_result('directory_check_ext_exists', is_dir($settings->_rootDir."/ext"));
+			check_result('directory_check_ext_below_docroot', is_dir($_SERVER['DOCUMENT_ROOT']."/ext"));
 			check_result('directory_check_ext_writable', is_writable($settings->_rootDir."/ext"));
 			check_result('directory_check_data_exists', is_dir($settings->_contentDir));
 			check_result('directory_check_data_writable', is_writable($settings->_contentDir));