diff --git a/README.md b/README.md
index 7cc5240..2d2a5a8 100644
--- a/README.md
+++ b/README.md
@@ -1,4 +1,3 @@
-
 # Free Overleaf Ldap Implementation
 
 This repo contains an improved, free ldap authentication and authorisation
@@ -80,9 +79,9 @@
 LDAP_SERVER: ldaps://LDAPSERVER:636
 LDAP_BASE: dc=DOMAIN,dc=TLD
 LDAP_BIND_USER: cn=ldap_reader,dc=DOMAIN,dc=TLS
 LDAP_BIND_PW: TopSecret
-# By default tries to bind directly with the ldap user - this user has to be in the LDAP GROUP
-# you have to set a group filter a minimal groupfilter would be: '(objectClass=person)'
-LDAP_GROUP_FILTER: '(memberof=GROUPNAME,ou=groups,dc=DOMAIN,dc=TLD)'
+# users need to match this filter to login.
+#All occurrences of `%u` get replaced by the entered uid.
+LDAP_USER_FILTER: '(memberof=GROUPNAME,ou=groups,dc=DOMAIN,dc=TLD)(uid=%u)'
 # If user is in ADMIN_GROUP on user creation (first login) isAdmin is set to true.
 # Admin Users can invite external (non ldap) users. This feature makes only sense
diff --git a/docker-compose.certbot.yml b/docker-compose.certbot.yml
index ecb2f32..4b3ec6e 100644
--- a/docker-compose.certbot.yml
+++ b/docker-compose.certbot.yml
@@ -58,8 +58,8 @@ services:
 LDAP_SERVER: ldaps://LDAPSERVER:636
 LDAP_BASE: ou=people,dc=DOMAIN,dc=TLD
 LDAP_BINDDN: ou=someunit,ou=people,dc=DOMAIN,dc=TLS
-# By default tries to bind directly with the ldap user - this user has to be in the LDAP GROUP
-LDAP_GROUP_FILTER: '(memberof=cn=GROUPNAME,ou=groups,dc=DOMAIN,dc=TLD)'
+# Binds with the LDAP_BIND_USER and searches for users matching this filter:
+LDAP_USER_FILTER: '(memberof=cn=GROUPNAME,ou=groups,dc=DOMAIN,dc=TLD)(uid=%u)'
 
 # If user is in ADMIN_GROUP on user creation (first login) isAdmin is set to true.
 # Admin Users can invite external (non ldap) users. This feature makes only sense
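Review bot: The example `LDAP_USER_FILTER` value on the added line, `(memberof=...)(uid=%u)`, places two filter items side by side with no enclosing operator, which is not a well-formed RFC 4515 search filter; depending on the client library's parser it will either be rejected outright or, worse, parsed down to its first item, in which case the `uid=%u` constraint is lost and the search matches every member of the group rather than the authenticating user. Wrap it in an AND: `LDAP_USER_FILTER: '(&(memberof=cn=GROUPNAME,ou=groups,dc=DOMAIN,dc=TLD)(uid=%u))'`; the same example in the README hunk above needs the same fix and is additionally missing the `cn=` in its `memberof` value that both compose files use. The new comment says the search binds with `LDAP_BIND_USER`, yet the only bind-related variable visible in this hunk is `LDAP_BINDDN`; if the bind credentials are defined elsewhere in this file the comment should point at them, and if they are not, it should name the variable that actually exists.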
@@ -71,6 +71,7 @@ services:
 # All users in the LDAP_GROUP_FILTER are loaded from the ldap server into contacts.
 # This LDAP search happens without bind. If you want this and your LDAP needs a bind you can
 # adapt this in the function getLdapContacts() in ContactsController.js (lines 82 - 107)
+LDAP_GROUP_FILTER: '(memberof=cn=GROUPNAME,ou=groups,dc=DOMAIN,dc=TLD)'
 LDAP_CONTACTS: 'false'
 
 # Same property, unfortunately with different names in
diff --git a/docker-compose.traefik.yml b/docker-compose.traefik.yml
index 9c1546e..500ec19 100644
--- a/docker-compose.traefik.yml
+++ b/docker-compose.traefik.yml
@@ -135,15 +135,14 @@ services:
 
 LDAP_SERVER: ldaps://LDAPSERVER:636
 LDAP_BASE: ou=people,dc=DOMAIN,dc=TLD
-LDAP_BINDDN: ou=someunit,ou=people,dc=DOMAIN,dc=TLS
-
-# By default tries to bind directly with the ldap user - this user has to be in the LDAP GROUP
-# LDAP_GROUP_FILTER: '(memberof=cn=GROUPNAME,ou=groups,dc=DOMAIN,dc=TLD)'
-LDAP_GROUP_FILTER: '(memberof=cn=GROUPNAME,ou=groups,dc=DOMAIN,dc=TLD)'
+#LDAP_BINDDN: ou=someunit,ou=people,dc=DOMAIN,dc=TLS
 
-# If user is in ADMIN_GROUP on user creation (first login) isAdmin is set to true.
-# Admin Users can invite external (non ldap) users. This feature makes only sense
-# when ALLOW_EMAIL_LOGIN is set to 'true'. Additionally admins can send
+# # Binds with the LDAP_BIND_USER and searches for users matching this filter:
+LDAP_USER_FILTER: '(memberof=cn=GROUPNAME,ou=groups,dc=DOMAIN,dc=TLD)(uid=%u)'
+
+# If user is in ADMIN_GROUP on user creation (first login) isAdmin is set to true.
+# Admin Users can invite external (non ldap) users. This feature makes only sense
+# when ALLOW_EMAIL_LOGIN is set to 'true'. Additionally admins can send
 # system wide messages.
 LDAP_ADMIN_GROUP_FILTER: '(memberof=cn=ADMINGROUPNAME,ou=groups,dc=DOMAIN,dc=TLD)'
 ALLOW_EMAIL_LOGIN: 'true'
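Review bot: The added comment line carries a doubled `# #` prefix, which reads as a commented-out comment rather than documentation; it should be `# Binds with the LDAP_BIND_USER and searches for users matching this filter:`. The example filter on the following added line juxtaposes `(memberof=...)` and `(uid=%u)` without an enclosing `(&...)`, so it is not a valid LDAP search filter as written and a lenient parser could drop the `uid` constraint; use `LDAP_USER_FILTER: '(&(memberof=cn=GROUPNAME,ou=groups,dc=DOMAIN,dc=TLD)(uid=%u))'`. With `LDAP_BINDDN` now commented out and no `LDAP_BIND_USER`/`LDAP_BIND_PW` visible in this hunk, the comment's claim about binding with `LDAP_BIND_USER` presumably relies on variables defined elsewhere in the file; worth confirming they are present, since an unauthenticated search against a directory that requires a bind will fail for every login. The three `# If user ...` comment lines are removed and re-added with identical text, which looks like a whitespace-only change that only inflates the diff.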
@@ -151,6 +150,7 @@ services:
 # All users in the LDAP_GROUP_FILTER are loaded from the ldap server into contacts.
 # This LDAP search happens without bind. If you want this and your LDAP needs a bind you can
 # adapt this in the function getLdapContacts() in ContactsController.js (lines 82 - 107)
+LDAP_GROUP_FILTER: '(memberof=cn=GROUPNAME,ou=groups,dc=DOMAIN,dc=TLD)'
 LDAP_CONTACTS: 'false'
 
 # Same property, unfortunately with different names in
diff --git a/ldap-overleaf-sl/sharelatex/AuthenticationManager.js b/ldap-overleaf-sl/sharelatex/AuthenticationManager.js
index 5869efa..a2b12f9 100644
--- a/ldap-overleaf-sl/sharelatex/AuthenticationManager.js
+++ b/ldap-overleaf-sl/sharelatex/AuthenticationManager.js
@@ -276,7 +276,7 @@ const AuthenticationManager = {
 const ldap_base = process.env.LDAP_BASE
 var uid = query.email
 const replacer = new RegExp("%u", "g")
-const filterstr = process.env.LDAP_GROUP_FILTER.replace(replacer, ldapEscape.filter`${uid}`) //replace all appearances
+const filterstr = process.env.LDAP_USER_FILTER.replace(replacer, ldapEscape.filter`${uid}`) //replace all appearances
 console.log("filterstr:" + filterstr)
 var userDn = "" //ldapEscape.filter`uid=${uid}` + ',' + ldap_bd;
 var mail = ""
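Review bot: `process.env.LDAP_USER_FILTER.replace(...)` on the changed line throws a TypeError when the variable is unset, which is exactly the state any deployment upgrading from the old `LDAP_GROUP_FILTER` name will be in after this rename, so every login attempt would die with a stack trace instead of a clear configuration error. Guard it before use, e.g. `const userFilter = process.env.LDAP_USER_FILTER` followed by `if (!userFilter) throw new Error('LDAP_USER_FILTER is not set')`, then call `userFilter.replace(replacer, ...)`; if the enclosing function, which starts and ends outside this hunk, reports errors through a callback, route it there instead of throwing. Do not silently fall back to `LDAP_GROUP_FILTER`: per the compose files in this same commit that variable now selects contacts and need not contain `(uid=%u)`, so a fallback could turn a misconfiguration into a search that matches more than the authenticating user. The `console.log("filterstr:" + filterstr)` on the next context line also writes the (escaped) login name to stdout on every attempt and would be better behind a debug-level logger.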