diff --git a/README.md b/README.md
index 6e9b5186bf7099b2eeb87f6df46572a2d221246e..d00760cf33b6695fa16ecacaea1c64db78dcbcb5 100644
--- a/README.md
+++ b/README.md
@@ -41,6 +41,15 @@ The code snippet above disables the actual SSO. If you need it:
   - change `DO_YOU_WANT_SSO` to True
   - see the SSO configuration section
 
+
+#### Groups
+To receive groups over SSO you need a mapping. You can manage group mapping with `group_mapping` management command. Example:
+    
+    group_mapping add myproject_superusers "CN=MyProjectSuperusers,OU=Foo,OU=Bar,DC=fh-h,DC=de"
+
+*Groups are not mapped automatically. Because automatic mapping can pose security risks. Imagine auto-mapping that expects group with name "Superusers"; an intruder could create a new group with this name under any path they own and/or create an alias/reference and receive superuser permissions in your project.* 
+
+
 #### Production setup
 
 ```python
diff --git a/ssoauth/auth_utils.py b/ssoauth/auth_utils.py
index 0fbef01367a74ac18704c468c03f8bd7685d1331..c6bd5c89ae103961ee82d538f3e8102ebb4d4d74 100644
--- a/ssoauth/auth_utils.py
+++ b/ssoauth/auth_utils.py
@@ -10,9 +10,6 @@ import functools
 import re
 
 
-EXTRACT_RDN = re.compile(r"^\w+=(\w+),.+$", re.IGNORECASE)  # RDN is in the first regex group
-
-
 def _validate_username(username):
     assert isinstance(username, str)
     assert username.islower()
@@ -96,13 +93,6 @@ def update_user_data(user, surname=None, forename=None, email=None):
     user.save()
 
 
-def extract_rdn(dn):
-    """ Extracts group name from the DN. """
-    match = EXTRACT_RDN.search(dn)
-    assert match, "Received something weird instead of a DN: {group_dn}".format(**locals())
-    return match.group(1)
-
-
 def set_user_groups(user, group_dn_list):
     """ Updates groups for the user. """
     # using Q to create ignore-case DN lookup since DS is case insensitive
@@ -118,7 +108,7 @@ def set_user_groups(user, group_dn_list):
         assert set(user.groups.all()) == set(groups)  # dunno how relation.set() behaves, better safe than sorry
         logger.info("Groups for {user} are updated to: {groups}".format(user=user, groups=", ".join(g.name for g in groups)))
     logger.debug("User {user} has {g_n} group(s) based on {dn_n} DN(s): {g_names}".format(
-        user=user, g_n=len(groups), g_names=", ".join(str(g) for g in groups), dn_n=len(group_dn_list)))
+        user=user, g_n=len(groups), g_names=", ".join(str(g) for g in groups) or "(none)", dn_n=len(group_dn_list)))
 
 
 def cleanup_direct_permissions(user):
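Review bot: The context line `assert set(user.groups.all()) == set(groups)` just above the changed log call is the only check that the stored group set matches the mapped one, and `assert` statements are removed when Python runs with `-O`, so the check can silently disappear in an optimised deployment. Because group membership decides permissions here, an explicit test is safer, e.g. `if set(user.groups.all()) != set(groups): raise RuntimeError("group sync mismatch for {user}".format(user=user))`, with the exception type chosen to fit the project. The same applies to the `assert isinstance(username, str)` and `assert username.islower()` checks in `_validate_username`, visible as context in the first auth_utils.py hunk. `set_user_groups` starts above this hunk, so whether a failure here would roll back the group change cannot be seen from these lines.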