LDAP / Active directory

Tiki Groups read from LDAP Groups

Hi everyone,

I'm sorry if I start another topic about the same question. I know TikiWiki uses LDAP just for authentication purposes (that's what I've read in other topics) so I can't really use LDAP Groups setup for anything.

But I need to be sure of what can't be done before I waste my time looking for alternatives, so this is my problem:

- I need LDAP Users just to authenticate Tiki users (that can be done, good).
- I need LDAP Groups to be listed as Tiki groups, just read them and their members, nothing more.

Is it really something Tiki can't do?

Thank you.

LDAP for authentication works fine. LDAP groups have not been implemented. (Unless it has changed in 3.0 but I don't think so).


Thank you, Greg.

So I have to look for alternatives... I've read the whole changelog and found nothing. It's a shame.

I'll try to fix it by myself first.

Thank you again.


How would you envision this working?

- Would TW use Tiki groups AND LDAP groups, or just be fully based on the LDAP groups?
- Would group belonging be updated on user login (meaning that synchronization is not immediate after groups or group belonging are altered on the LDAP)?
- Other ideas?

TW currently collects LDAP group information, I'm just not sure if it does anything with it (as per Greg's reply, I suppose not). I don't see this as complex, particularly if what you want is to rely on the LDAP groups alone.


Hi Paulo,

- LDAP Groups at least. It would also be good if you could add special Tiki groups you may need without changing LDAP, so you can control access for anonymous people for example. So the database should remain used.
- That level of synchronization should be enough for me. It would be a waste of time to keep TW asking LDAP for any changes.

Since I just need to read LDAP groups and apply access control to every (LDAP and Tiki) group, it isn't really complex. It would take me much more time to understand the code than to make the changes, so I'm going to wait a little longer and look for another release.


I dived into the code. TW currently does not collect group information. PEAR Auth LDAP can only check during authentication whether a user is also a member of a group, and authentication fails if the user is not part of the group.

So one could modify Auth LDAP to collect group information or, on the other hand, use PEAR LDAP2 to do both: the authentication and the collection of group information.

I think LDAP user groups should be synced on every login. There is no need to add TW groups to LDAP users if we could add LDAP groups to Tiki groups. Probably a switch to add LDAP groups to a default group like "registered" at first sync is useful.
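
The login-time sync discussed in this thread, sketched as an added example (it is not Tiki code and not from any poster; Python is used only to show the logic). The function name, the "ldap"/"local" origin tags, the group names "Registered" and "Admins", and the rule that some local groups can never be granted by the directory are all assumptions.

```python
# Added example: login-time group reconciliation. Names here are hypothetical.
DEFAULT_GROUP = "Registered"        # assumed name of the default group
LOCAL_ONLY = frozenset({"Admins"})  # assumed: groups the directory may never grant


def sync_on_login(ldap_groups, current, first_sync,
                  default_group=DEFAULT_GROUP, local_only=LOCAL_ONLY):
    """Reconcile one user's memberships with what LDAP reports at login.

    ldap_groups: group names the directory returned for this user.
    current:     {group: origin} as stored, origin is "ldap" or "local".
    Returns (updated, added, removed, refused).
    """
    blocked = {name.casefold() for name in local_only}
    reported = {g.strip() for g in ldap_groups if g and g.strip()}
    # Directory group names are matched case-insensitively against the
    # local-only list, so "admins" cannot shadow "Admins".
    refused = sorted(g for g in reported if g.casefold() in blocked)
    reported -= set(refused)

    # Locally managed memberships are never touched by the sync.
    updated = {g: o for g, o in current.items() if o == "local"}
    # LDAP-origin memberships the directory no longer reports are revoked.
    removed = sorted(g for g, o in current.items()
                     if o == "ldap" and g not in reported)
    added = []
    for g in sorted(reported):
        if g in updated:
            continue  # same name is managed locally; keep it local
        updated[g] = "ldap"
        if current.get(g) != "ldap":
            added.append(g)
    if first_sync and default_group not in updated:
        updated[default_group] = "local"
        added.append(default_group)
    return updated, added, removed, refused


# Constructed sample: a later login after the user left "staff" in LDAP.
SAMPLE_CURRENT = {"Registered": "local", "WikiEditors": "local",
                  "staff": "ldap", "it": "ldap"}
SAMPLE_LDAP = ["it", "helpdesk", "admins", " "]

if __name__ == "__main__":
    print(sync_on_login(SAMPLE_LDAP, SAMPLE_CURRENT, first_sync=False))
```

Because the sync runs only at login, a membership removed in LDAP stays effective in the wiki until that user's next login; sessions that must lose access sooner need to be ended separately.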