LDAP authentication (and groups mapping) with Active Directory that works in Tiki Wiki 16.2

To make the LDAP authentication with MS Active  Directory works in Tiki Wiki 16.2, I have to do the set up both in LDAP and LDAP external groups tabs.

1. In Settings > Control Panels > Log in

2. In General Preferences tab:

• Authentication method section, select Tiki and LDAP 
• Uncheck Forgot password
• Uncheck Users can change their password   
• click Apply

3. In LDAP tab, set up as following (you may need to switch the Advanced mode on to see more settings):

• LDAP
• If user does not exist in Tiki: Create the user
• Uncheck Create user if not in LDAP 
• Check Use Tiki authentication for Admin login 
• LDAP Bind settings
• Host: ldap://<my-ldap-server-address>
• Port: 389
• Write LDAP debug Information in Tiki Logs: <checked>
• LDAP Bind Type: Active Directory (username@domain)
• Search scope: Subtree
• LDAP version: 3
• Base DN: DC=MYDOMAIN,DC=COM

• LDAP User
• User DN: OU=All Users (If you want to pull users from a specific OU, if not, leave blank, also remember to omit the Base DN part)
• User attribute: sAMAccountName
• User OC: person
• Realname attribute: displayName
• Country attribute: <leave blank>
• Email attribute: userPrincipalName

•  LDAP Admin 
• Admin user: admin@mydomain.com (in the form of <username>@<base domain name>)
• Admin password: <thepassword>

4. In LDAP external groups tab, setup as following:

• LDAP external groups

• Uncheck Use an external LDAP server for groups

• LDAP Bind settings
• Host: ldap://<my-ldap-server-address>
• Port: 389
• Check Write LDAP debug Information in Tiki Logs
• Uncheck Use SSL (ldaps) (Because I don't user SSL)
• Uncheck Use TLS  (Because I don't use TLS)
• LDAP Bind Type: Active Directory (username@domain)
• Search scope: Subtree
• LDAP version: 3
• Base DN: DC=MYDOMAIN,DC=COM

• LDAP User
• User DN: OU=All Users (If you want to pull users from a specific OU, if not, leave blank, also remember to omit the Base DN part)
• User attribute: sAMAccountName
• Corresponding user attribute in 1st directory: sAMAccountName
• User OC: person
• Check Synchronize Tiki groups with a directory (important)

• LDAP Group
• Group DN: (Set Group DN to the specific OU you wish to pull groups from, ifyou wish to use the whole directory, leave blank. Note that as far as I can tell if you specify something here it will only pull from that specific OU, not members of that OU. For example a setting of ou=IT,ou=Authorized Users will pull groups from the Authorized Users\IT organizational unit, but will not pull from the Authorized Users\IT\Admins (ou=Admins,ou=IT,ou=Authorized Users) OU. There may be something to modify this behavior, but I haven't found it. Again, a blank setting will acquire all group information.)
• Group name attribute: sAMAccountName
• Group description attribute: description
• Group OC: group
• Check Synchronize Tiki users with a directory 

• LDAP Group Member - if group membership can be found in group attributes
• Member attribute: member
• Check Member is DN
• LDAP User Group - if group membership can be found in user attributes
• Group attribute: memberOf
• Group attribute in group entry: cn

• LDAP Admin
• Admin user: admin@mydomain.com (in the form of <username>@<base domain name>)
• Admin password: <thepassword>

5. Click Apply and enjoy

Reference:

[0] https://tiki.org/forumthread60764?topics_offset=4
[1] https://tiki.org/forumthread42893