LDAP / Active directory


Mapping ADS Groups to Tikiwiki Groups

Okay, so thanks to the work done on 1.10, I've got ADS authentication working. Awesome!

Now, I'm wondering if groups can be generated by ADS as well, or if at least there is a way to map ADS groups' users to Tikiwiki groups.

I'm also running OpenFire XMPP server, and it seems to have a different approach to ADS authentication. When you're setting it up, it asks you to map ADS fields to its internal fields. All the objects are created at once. But in Tikiwiki, it *appears* that user objects are only created when they first log in.

Also, what happens when a user is removed from ADS? I'm guessing it remains in Tikiwiki, but the user will not be able to log in.

If my observations/assumptions are correct, this seems to be a lot less functional than the way OpenFire does it. I mean, wouldn't it be great if I could log in as Admin, and see all the users/groups mirroring what exists in Active Directory, and not have to do any kind of group assignment whatsoever? Or maybe this is possible and I'm missing something.

-Jeremy

United States


Tiki does maintain its own user database; all group membership and permissions are maintained in the Tikidb. LDAP/AD is only used for authentication. So far as I know, there has been some conversation about it, but no one has attempted to define and implement full LDAP integration. I like the idea, but it's not been done.

I assume this is because, unless we mandate the use of LDAP, all that code would need to be written anyway, so it seems a lot of work to maintain the code for full LDAP integration as well. Certainly Tiki would benefit from this integration, but someone will have to adopt it as a personal project for it to get done.

\\Greg


Thanks Greg. Wish I had the skills to take that on myself. But I'm lucky to have gotten this thing up and running at all.

The authentication part is still a major victory though. It makes it much easier for the end users, which is the most important thing. Convenience for me as the admin I consider less important.

-Jeremy

United States


I wish I had the time. I'd love to see LDAP as a fully functional user backend. Well, I've been using tiki for almost 4 years, maybe time will come!

See you around

\\Greg


I just wanted to confirm that the comments in this thread are accurate, and that Tiki Wiki as of 2.2 cannot make use of AD group information (in particular, group membership).

Is that correct?

United States


Correct. At this time, LDAP and/or AD are only used for authentication. If we find a developer who can extend LDAP integration, this would be an excellent feature.

\\Greg