The query sent to the LDAP server to search for groups. The variable uid is replaced with the name of the authenticated user.

Here are some examples:

uid=${uid}
Used in standard LDAP servers.
sAMAccountName=${uid}
Used in LDAP servers compatible with Active Directory.

This setting is optional, but leaving it unconfigured causes some functional limitations (e.g. "Remember me" doesn't work, and group authorization cannot be used).
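
The substitution of ${uid} into the two filter templates above, shown as an added example that is not code from the product this page documents: the user name is escaped per RFC 4515 before it is placed in the filter, so characters such as * or ( in a name are matched literally instead of changing the query. The function names and the sample user names are assumptions made for illustration.

```python
# Added example: render an LDAP search filter from a template containing ${uid}.
# Function names are hypothetical; they are not part of any product API.

PLACEHOLDER = "${uid}"

# RFC 4515 section 3: these characters must be written as \XX (hex) inside an
# assertion value, otherwise the server reads them as filter syntax.
_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}


def escape_filter_value(value: str) -> str:
    """Escape one value for use inside an LDAP search filter."""
    # Character-by-character mapping avoids double-escaping the backslashes
    # that the escapes themselves introduce.
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def render_filter(template: str, uid: str) -> str:
    """Replace ${uid} in the configured template with the escaped user name."""
    if PLACEHOLDER not in template:
        raise ValueError("filter template does not contain ${uid}")
    if not uid:
        raise ValueError("empty user name")
    return template.replace(PLACEHOLDER, escape_filter_value(uid))


if __name__ == "__main__":
    # Constructed sample user names, not taken from any real directory.
    for template in ("uid=${uid}", "sAMAccountName=${uid}"):
        for name in ("alice", "j.smith (contractor)", "*"):
            print(f"{name!r:26} -> {render_filter(template, name)}")
```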