How to get Active Directory Groups working with TikiWiki
So I have seen a number of questions revoloving around this issue, most get stuck authenticating against AD for login on TikiWiki. I have that working without issue.
The problem that I am facing is that there is supposed to be an integration with the Groups in AD so that I can assign privileges and access rights within the Tiki for those groups. Nothing that I have done allows me to pull in the group info, so I cannot segregate them apart without using internal (Tiki only) groups and assigning them after the users log in. In a large company that would be painfully tedious....
Here are screenshots of my LDAP tab and LDAP External Groups tab, sensitive info redacted of course. If I am missing something or have something misconfigured, please help. I followed the walk-through here to set everything up: https://tiki.org/forumthread42893. TikiWiki version is 15.2 (current stable)
LDAP Settings
LDAP External Group Settings
I finally figured that out. This works for me on Tikiwiki 16.2:
1. In General Preferences tab:
- Authentication method section, select Tiki and LDAP
- Uncheck Forgot password
- Uncheck Users can change their password
2. In LDAP tab, set up as following (you may need to switch the Advanced mode on to see more settings):
LDAP
- If user does not exist in Tiki: Create the user
- Uncheck Create user if not in LDAP
- Check Use Tiki authentication for Admin login
LDAP Bind settings
- Host: ldap://
- Port: 389
- Write LDAP debug Information in Tiki Logs:
- LDAP Bind Type: Active Directory (username@domain)
- Search scope: Subtree
- LDAP version: 3
- Base DN: DC=MYDOMAIN,DC=COM
LDAP User
- User DN: OU=All Users (If you want to pull users from a specific OU, if not, leave blank, also remember to omit the Base DN part)
- User attribute: sAMAccountName
- User OC: person
- Realname attribute: displayName
- Country attribute:
- Email attribute: userPrincipalName
LDAP Admin
- Admin user: admin@mydomain.com (in the form of @)
- Admin password:
3. In LDAP external groups tab, setup as following:
LDAP external groups
- Uncheck Use an external LDAP server for groups
LDAP Bind settings
- Host: ldap://
- Port: 389
- Check Write LDAP debug Information in Tiki Logs
- Uncheck Use SSL (ldaps) (Because I don't user SSL)
- Uncheck Use TLS (Because I don't use TLS)
- LDAP Bind Type: Active Directory (username@domain)
- Search scope: Subtree
- LDAP version: 3
- Base DN: DC=MYDOMAIN,DC=COM
LDAP User
- User DN: OU=All Users (If you want to pull users from a specific OU, if not, leave blank, also remember to omit the Base DN part)
- User attribute: sAMAccountName
- Corresponding user attribute in 1st directory: sAMAccountName
- User OC: person
- Check Synchronize Tiki groups with a directory (important)
LDAP Group
- Group DN: (Set Group DN to the specific OU you wish to pull groups from, ifyou wish to use the whole directory, leave blank. Note that as far as I can tell if you specify something here it will only pull from that specific OU, not members of that OU. For example a setting of ou=IT,ou=Authorized Users will pull groups from the Authorized Users\IT organizational unit, but will not pull from the Authorized Users\IT\Admins (ou=Admins,ou=IT,ou=Authorized Users) OU. There may be something to modify this behavior, but I haven't found it. Again, a blank setting will acquire all group information.)
- Group name attribute: sAMAccountName
- Group description attribute: description
- Group OC: group
- Check Synchronize Tiki users with a directory
LDAP Group Member - if group membership can be found in group attributes
- Member attribute: member
- Check Member is DN
LDAP User Group - if group membership can be found in user attributes
- Group attribute: memberOf
- Group attribute in group entry: cn
LDAP Admin
- Admin user: admin@mydomain.com (in the form of @)
- Admin password:
4. Click Apply and enjoy
From now on, whenever a user login, all the groups where she belongs will be created on Tikiwiki if they aren't there yet.
I also wrote an article here: http://www.dangtrinh.com/2017/04/ldap-authentication-with-active.html
- Logon Batch Script Running for Standard Users but not Admins
- What are CN, OU, DC in an LDAP search?
- PHP LDAP query to get members of specific security Group
- How to authenticate User Credentials against AD from Android Java
- Is there any way to get VBA to get the current user's Full Name from a Windows user account without using CMD?
- LDAP Query via Windows CMD
- powershell foreach-object parallel - Not all properties of piped in object are available
- VBScript: Using WScript.Shell to Execute a Command Line Program That Accesses Active Directory
- Getting Active Directory "SecurityDescriptor" attribute in .net core on linux machine
- Set default server in powershell for AD related commands
- Batch Scripting - Wait until network Established
- ADFS Metadata not accessible from outside
- "é" become "ã©" while using ldap_modify_batch() in php
- Why creating new user and roaming profile creation will result error logging in?
- Having trouble making UserPrincipalName all lowercase in Powershell
- How to Compare Sets of Users
- How to keep the shell window open after running a PowerShell script?
- ExemptFileTypeDownloadWarnings correct registry syntax for intranet URLs
- How do I modify a Boolean LDAP Active Directory attribute using Net::LDAP?
- Get-ACL of Deleted Objects Container
- What is the maximum length of a SID in SDDL format
- IIS "Login failed for user 'NT AUTHORITY\ANONYMOUS LOGON'" SQL connection error, but only for 1 user
- How can I make sure this is a secure LDAP connection and write AD's unicodePwd attribute?
- Windows Property Pages: Domain Path Not Shown on Security Tab
- Azure Entra ID tokens endpoint issues an expired token
- NativeObject try-catch does not catch a timed out error
- Getting "The server could not be contacted." when trying to access active directory
- Can't figure out how to delete a specific computer from AD using power shell. Can't find any solution anywhere
- Powershell - Create new user accounts from CSV & simultaneously populate these new accounts with template account info (Address & group membership)
- Unknown Error (0x80005000) with LDAPS Connection