LDAP authentication (and groups mapping) with Active Directory that works in Tiki Wiki 16.2

To make the LDAP authentication with MS Active  Directory works in Tiki Wiki 16.2, I have to do the set up both in LDAP and LDAP external groups tabs.

1. In Settings > Control Panels > Log in




2. In General Preferences tab:


  • Authentication method section, select Tiki and LDAP 
  • Uncheck Forgot password
  • Uncheck Users can change their password   
  • click Apply


3. In LDAP tab, set up as following (you may need to switch the Advanced mode on to see more settings):
  • LDAP
    • If user does not exist in Tiki: Create the user
    • Uncheck Create user if not in LDAP 
    • Check Use Tiki authentication for Admin login 
  • LDAP Bind settings
    • Host: ldap://<my-ldap-server-address>
    • Port: 389
    • Write LDAP debug Information in Tiki Logs: <checked>
    • LDAP Bind Type: Active Directory (username@domain)
    • Search scope: Subtree
    • LDAP version: 3
    • Base DN: DC=MYDOMAIN,DC=COM
  • LDAP User
    • User DN: OU=All Users (If you want to pull users from a specific OU, if not, leave blank, also remember to omit the Base DN part)
    • User attribute: sAMAccountName
    • User OC: person
    • Realname attribute: displayName
    • Country attribute: <leave blank>
    • Email attribute: userPrincipalName
  •  LDAP Admin 
    • Admin user: admin@mydomain.com (in the form of <username>@<base domain name>)
    • Admin password: <thepassword>

4. In LDAP external groups tab, setup as following:

  • LDAP external groups

    • Uncheck Use an external LDAP server for groups

  • LDAP Bind settings
    • Host: ldap://<my-ldap-server-address>
    • Port: 389
    • Check Write LDAP debug Information in Tiki Logs
    • Uncheck Use SSL (ldaps) (Because I don't user SSL)
    • Uncheck Use TLS  (Because I don't use TLS)
    • LDAP Bind Type: Active Directory (username@domain)
    • Search scope: Subtree
    • LDAP version: 3
    • Base DN: DC=MYDOMAIN,DC=COM
  • LDAP User
    • User DN: OU=All Users (If you want to pull users from a specific OU, if not, leave blank, also remember to omit the Base DN part)
    • User attribute: sAMAccountName
    • Corresponding user attribute in 1st directory: sAMAccountName
    • User OC: person
    • Check Synchronize Tiki groups with a directory (important)
  • LDAP Group
    • Group DN: (Set Group DN to the specific OU you wish to pull groups from, ifyou wish to use the whole directory, leave blank. Note that as far as I can tell if you specify something here it will only pull from that specific OU, not members of that OU. For example a setting of ou=IT,ou=Authorized Users will pull groups from the Authorized Users\IT organizational unit, but will not pull from the Authorized Users\IT\Admins (ou=Admins,ou=IT,ou=Authorized Users) OU. There may be something to modify this behavior, but I haven't found it. Again, a blank setting will acquire all group information.)
    • Group name attribute: sAMAccountName
    • Group description attribute: description
    • Group OC: group
    • Check Synchronize Tiki users with a directory 
  • LDAP Group Member - if group membership can be found in group attributes
    • Member attribute: member
    • Check Member is DN
  • LDAP User Group - if group membership can be found in user attributes
    • Group attribute: memberOf
    • Group attribute in group entry: cn
  • LDAP Admin
    • Admin user: admin@mydomain.com (in the form of <username>@<base domain name>)
    • Admin password: <thepassword>

5. Click Apply and enjoy

Reference:

[0] https://tiki.org/forumthread60764?topics_offset=4
[1] https://tiki.org/forumthread42893