diff --git a/README.md b/README.md
index 16314cf..76215ce 100644
--- a/README.md
+++ b/README.md
@@ -25,16 +25,26 @@ Shipped Version: **1.8**
 ### Guidelines 
 
  1. Require dedicated domain like **kimai.domain.tld**.
- 1. No LDAP support (blocked until upstream implements it)
  1. This app is multi-instance (you can have more then one Kimai instance running on a YunoHost server)
- 
- ### Install
-
- 1. **App can be installed by YunoHost admin interface or by the following command:**
-
-         $ sudo yunohost app install https://github.com/YunoHost-Apps/kimai2_ynh
  1. Login details will be sent to the admin email.
 
+## Documentation
+
+ * Official documentation: https://www.kimai.org/documentation
+
+## YunoHost specific features
+
+#### Multi-users support
+
+LDAP is supported
+HTTP auth is not supporter
+Defaul Kimai2 roles are:
+* ROLE_USER
+* ROLE_TEAMLEAD
+* ROLE_ADMIN
+* ROLE_SUPER_ADMIN
+Those roles are directly managed using YunoHost permission system. User choosen during installation is granted the ROLE_SUPER_ADMIN
+
 #### Supported architectures
 
 * x86-64b - [![Build Status](https://ci-apps.yunohost.org/ci/logs/kimai2%20%28Apps%29.svg)](https://ci-apps.yunohost.org/ci/apps/kimai2/)
diff --git a/conf/local.yaml b/conf/local.yaml
index af25095..1593c47 100644
--- a/conf/local.yaml
+++ b/conf/local.yaml
@@ -123,7 +123,7 @@ kimai:
         role:
             # baseDn to query for groups, MUST be set to activate the "group import"
             # default: empty (deactivated)
-            baseDn: ou=groups, dc=kimai, dc=org
+            baseDn: ou=permission, dc=yunohost, dc=org
             
             # Filter to query user groups, all results will be matched against 
             # the configured "groups" mapping below.
@@ -132,7 +132,7 @@ kimai:
             # The following example rule will be expanded to (for user "foo"):
             # (&(&(objectClass=groupOfNames))(member=foo))
             # default: empty
-            filter: (&(objectClass=groupOfNames))
+            filter: (&(objectClass=posixGroup))
               
             # The following field is taken from the LDAP user entry and its 
             # value is used in the filter above as "valueOfUsernameAttribute".
@@ -154,7 +154,11 @@ kimai:
             # Convert LDAP group name (nameAttribute) to Kimai role
             # You will very likely have to define mappings, unless your groups
             # are called "teamlead", "admin" or "super_admin"
-            #groups:
+            groups:
             #    - { ldap_value: group1, role: ROLE_TEAMLEAD }
             #    - { ldap_value: kimai_admin, role: ROLE_ADMIN }
+                - { ldap_value: __APP__.main, role: ROLE_USER }
+                - { ldap_value: __APP__.teamlead, role: ROLE_TEAMLEAD }
+                - { ldap_value: __APP__.admin, role: ROLE_ADMIN }
+                - { ldap_value: __APP__.super_admin, role: ROLE_SUPER_ADMIN }
 
diff --git a/scripts/install b/scripts/install
index fe33533..ba33256 100755
--- a/scripts/install
+++ b/scripts/install
@@ -119,6 +119,7 @@ ynh_print_info --message="Configuring Kimai 2..."
 
 # Configure registration
 sudo cp ../conf/local.yaml $final_path/config/packages/local.yaml
+ynh_replace_string "__APP__" "$app" "$final_path/config/packages/local.yaml"
 if [ $registration -eq 1  ]
 then
 	ynh_replace_string "__REGISTRATION__" "true" "$final_path/config/packages/local.yaml"
@@ -154,6 +155,7 @@ ynh_print_info --message="Building Kimai 2..."
 
 ynh_install_composer --phpversion="7.3" --workdir="$final_path"
 ynh_composer_exec --phpversion="7.3" --workdir="$final_path" --commands="install --no-dev --optimize-autoloader"
+ynh_composer_exec --phpversion="7.3" --workdir="$final_path" --commands="require zendframework/zend-ldap"
 
 pushd "$final_path"
 	php7.3 bin/console kimai:install -n
@@ -190,11 +192,15 @@ chown -R $app: $final_path
 #=================================================
 ynh_print_info --message="Configuring SSOwat..."
 
+ynh_permission_create --permission="teamlead"
+ynh_permission_create --permission="admin"
+ynh_permission_create --permission="super_admin" --allowed "$admin"
+
 # Make app public if necessary
 if [ $is_public -eq 1 ]
 then
 	# unprotected_uris allows SSO credentials to be passed anyway.
-	ynh_app_setting_set --app=$app --key=unprotected_uris --value="/"
+	ynh_permission_update --permission "main" --add "visitors"
 fi
 
 #=================================================
diff --git a/scripts/upgrade b/scripts/upgrade
index a8f0ec0..09606b5 100755
--- a/scripts/upgrade
+++ b/scripts/upgrade
@@ -197,6 +197,7 @@ ynh_print_info --message="Upgrading Kimai 2..."
 
 ynh_install_composer --phpversion="7.3" --workdir="$final_path"
 ynh_composer_exec --phpversion="7.3" --workdir="$final_path" --commands="install --no-dev --optimize-autoloader"
+ynh_composer_exec --phpversion="7.3" --workdir="$final_path" --commands="require zendframework/zend-ldap"
 
 pushd "$final_path"
 	php7.3 bin/console kimai:update
@@ -226,11 +227,13 @@ chown -R $app: $final_path
 #=================================================
 ynh_print_info --message="Upgrading SSOwat configuration..."
 
+ynh_permission_create --permission="super_admin" --allowed "$admin"
+
 # Make app public if necessary
 if [ $is_public -eq 1 ]
 then
-	# unprotected_uris allows SSO credentials to be passed anyway
-	ynh_app_setting_set --app=$app --key=unprotected_uris --value="/"
+	# unprotected_uris allows SSO credentials to be passed anyway.
+	ynh_permission_update --permission "main" --add "visitors"
 fi
 
 #=================================================