How to use AD groups and users
Okay, this took me quite a bit of fiddling with to get right. First, screenshots that you should be able to use readily if you're comfortable with LDAP, AD and the Tiki admin menus.
https://j10-wiki-v01/tiki-admin.php?page=login
Now, here's what we have done:
- Navigate to Admin > Admin Home > Login > General Preferences
- Set Authentication Method to Tiki and LDAP
- Uncheck Users Can Register
- Check Synchronize Tiki groups with a directory
- Uncheck Forgot Password
- Uncheck Users can change their password
- Change Preferences
- Navigate to Admin > Admin Home > Login > LDAP
- Set If user does not exist in Tiki to Create the user
- Uncheck Create user if not in LDAP
- Check Use Tiki authentication for Admin login
- Set Host to the URL of your domain controller, such as ldap://dc.mydomain.com, omitting the port number.
- Set Port to the appropriate listener port for your DC; 389 is the default for non-secure LDAP.
- Check Use SSL if appropriate
- Check Use TLS if you're not using SSL. It is strongly suggested for security, but not required.
- Set LDAP bind Type to Active Directory (username@domain)
- Set Search Scope to Subtree
- Set LDAP Version to 3
- Set Base DN to something appropriate for your domain, to follow the example above dc=mydomain,dc=com
- Set User DN to the top level you want to find users from. To authenticate all users in your directory, leave it blank. To allow users from a specific OU only, enter it in DN form without the Base DN string. For example, to query the Authorized Users\IT OU: ou=IT,ou=Authorized Users (the full DN would actually be ou=IT,ou=Authorized Users,dc=mydomain,dc=com, but the Base DN string is already entered elsewhere).
- Set User attribute to sAMAccountName
- Set User OC to person
- Set Realname attribute to displayName
- Set E-mail attribute to userPrincipalName
- Enter credentials for an existing service account. This account is used for searches only, so it does not have to have admin access for any reason I can fathom; please create a dedicated, secure service account. Use internet-style login, i.e. username@mydomain.com. (Note: I did not bother to test whether this is required both here and in the next tab; try one or the other if you want, but I have it set in both.)
- Change Preferences
- Navigate to Admin > Admin Home > Login > LDAP external groups
- Uncheck Use an external LDAP server for groups
- Set Host to the URL for your AD server such as ldap://dc.mydomain.com
- Set Port to the appropriate listener port such as 389 by default.
- Check Use SSL or Use TLS as appropriate.
- Set LDAP Bind Type to Active Directory (username@domain)
- Set Search Scope to Subtree
- Set LDAP version to 3
- Set Base DN to match your domain, for mydomain.com it would be dc=mydomain,dc=com
- Set User DN to the top level you wish to pull user information from, see above for example.
- Set User attribute to sAMAccountName
- Set Corresponding user attribute in 1st directory to sAMAccountName
- Set User OC to person
- Set Group DN to the specific OU you wish to pull groups from; if you wish to use the whole directory, leave it blank. Note that as far as I can tell, if you specify something here it will only pull groups from that specific OU, not from OUs nested inside it. For example, a setting of ou=IT,ou=Authorized Users will pull groups from the Authorized Users\IT organizational unit, but will not pull from the Authorized Users\IT\Admins (ou=Admins,ou=IT,ou=Authorized Users) OU. There may be something to modify this behavior, but I haven't found it. Again, a blank setting will acquire all group information.
- Set Group name attribute to sAMAccountName
- Set group description attribute to description
- Set Group OC to group
- Set Member attribute to member
- Check Member is DN
- Set Group attribute to memberOf
- Set Group attribute in group entry to cn
- Set Admin user and password to a pre-configured service account. This account does not need admin rights to perform searches; use the internet-style logon, such as user@mydomain.com.
- Change Preferences
- Try to log in with a domain account.
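As an added check (example code, not part of the original post or of Tiki itself), the script below rebuilds the searches Tiki performs from the settings above and prints an equivalent ldapsearch command, so the bind, the Base DN plus User DN, and the sAMAccountName filter can be verified outside Tiki before troubleshooting a failed login. The host, DNs and service-account name are constructed sample values.

```python
#!/usr/bin/env python3
"""Pre-flight check for the Tiki AD/LDAP settings (added example, not Tiki code)."""
import shlex
import sys

SETTINGS = {  # constructed sample values matching the walkthrough above
    "host": "ldap://dc.mydomain.com",
    "port": 389,
    "base_dn": "dc=mydomain,dc=com",
    "user_dn": "ou=IT,ou=Authorized Users",   # relative to base_dn, as in Tiki
    "group_dn": "",                            # blank = whole directory
    "user_attr": "sAMAccountName",
    "user_oc": "person",
    "group_oc": "group",
    "member_attr": "member",
    "bind_user": "svc-tiki-ldap@mydomain.com",  # search-only service account
}

def full_dn(relative_dn: str, base_dn: str) -> str:
    """Tiki appends the Base DN itself; a blank User/Group DN means the base."""
    return f"{relative_dn},{base_dn}" if relative_dn else base_dn

def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping so a typed login name cannot alter the search filter."""
    return "".join(f"\\{ord(c):02x}" if c in "\\*()\x00" else c for c in value)

def user_filter(login: str, s=SETTINGS) -> str:
    """The user lookup Tiki runs: objectClass=person and sAMAccountName=login."""
    return (f"(&(objectClass={s['user_oc']})"
            f"({s['user_attr']}={escape_filter_value(login)}))")

def group_filter(user_dn: str, s=SETTINGS) -> str:
    """Groups the user is a direct member of (Member attribute = member, Member is DN)."""
    return (f"(&(objectClass={s['group_oc']})"
            f"({s['member_attr']}={escape_filter_value(user_dn)}))")

def ldapsearch_cmd(search_base: str, ldap_filter: str, *attrs, s=SETTINGS) -> list:
    """ldapsearch argv equivalent to Tiki's query; -ZZ requires STARTTLS, -W prompts."""
    return ["ldapsearch", "-ZZ", "-H", f"{s['host']}:{s['port']}",
            "-D", s["bind_user"], "-W", "-s", "sub",
            "-b", search_base, ldap_filter, *attrs]

if __name__ == "__main__":
    login = sys.argv[1] if len(sys.argv) > 1 else "jdoe"   # constructed sample login
    cmd = ldapsearch_cmd(full_dn(SETTINGS["user_dn"], SETTINGS["base_dn"]),
                         user_filter(login), "displayName", "userPrincipalName", "memberOf")
    print(" ".join(shlex.quote(p) for p in cmd))
```

Run the printed command on the Tiki server; if it returns no entry for a known user, the Base DN, User DN or service-account bind is wrong and Tiki will not be able to create the user either.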
From here I'm hoping you can piece together the rest of what to do. This was a pretty trying process for me and I only returned here because I remembered seeing many questions about how to make this happen and not seeing any answers. Hopefully this will increase utilization of Tiki and thus increase the amount of support these forums get from other users.
Good luck!