I finally figured that out. This works for me on Tikiwiki 16.2:
1. In General Preferences tab:
- Authentication method section, select Tiki and LDAP
- Uncheck Forgot password
- Uncheck Users can change their password
2. In LDAP tab, set up as following (you may need to switch the Advanced mode on to see more settings):
LDAP
- If user does not exist in Tiki: Create the user
- Uncheck Create user if not in LDAP
- Check Use Tiki authentication for Admin login
LDAP Bind settings
- Host: ldap://
- Port: 389
- Write LDAP debug Information in Tiki Logs:
- LDAP Bind Type: Active Directory (username@domain)
- Search scope: Subtree
- LDAP version: 3
- Base DN: DC=MYDOMAIN,DC=COM
LDAP User
- User DN: OU=All Users (If you want to pull users from a specific OU, if not, leave blank, also remember to omit the Base DN part)
- User attribute: sAMAccountName
- User OC: person
- Realname attribute: displayName
- Country attribute:
- Email attribute: userPrincipalName
LDAP Admin
- Admin user: admin@mydomain.com (in the form of @)
- Admin password:
3. In LDAP external groups tab, setup as following:
LDAP external groups
- Uncheck Use an external LDAP server for groups
LDAP Bind settings
- Host: ldap://
- Port: 389
- Check Write LDAP debug Information in Tiki Logs
- Uncheck Use SSL (ldaps) (Because I don't user SSL)
- Uncheck Use TLS (Because I don't use TLS)
- LDAP Bind Type: Active Directory (username@domain)
- Search scope: Subtree
- LDAP version: 3
- Base DN: DC=MYDOMAIN,DC=COM
LDAP User
- User DN: OU=All Users (If you want to pull users from a specific OU, if not, leave blank, also remember to omit the Base DN part)
- User attribute: sAMAccountName
- Corresponding user attribute in 1st directory: sAMAccountName
- User OC: person
- Check Synchronize Tiki groups with a directory (important)
LDAP Group
- Group DN: (Set Group DN to the specific OU you wish to pull groups from, ifyou wish to use the whole directory, leave blank. Note that as far as I can tell if you specify something here it will only pull from that specific OU, not members of that OU. For example a setting of ou=IT,ou=Authorized Users will pull groups from the Authorized Users\IT organizational unit, but will not pull from the Authorized Users\IT\Admins (ou=Admins,ou=IT,ou=Authorized Users) OU. There may be something to modify this behavior, but I haven't found it. Again, a blank setting will acquire all group information.)
- Group name attribute: sAMAccountName
- Group description attribute: description
- Group OC: group
- Check Synchronize Tiki users with a directory
LDAP Group Member - if group membership can be found in group attributes
- Member attribute: member
- Check Member is DN
LDAP User Group - if group membership can be found in user attributes
- Group attribute: memberOf
- Group attribute in group entry: cn
LDAP Admin
- Admin user: admin@mydomain.com (in the form of @)
- Admin password:
4. Click Apply and enjoy
From now on, whenever a user login, all the groups where she belongs will be created on Tikiwiki if they aren't there yet.
I also wrote an article here: http://www.dangtrinh.com/2017/04/ldap-authentication-with-active.html
