If you want to authenticate TikiWiki against Microsoft Active Directory, have a look at this article.
The most interesting part of that posting is that, if you are using a Windows 2003 Server, you need to patch LDAP.php in the PEAR authentication module, because Win2k3 by default does not allow any anonymous queries against the directory.
In <tikiroot>/lib/pear/Auth/Container/LDAP.php, search for the following line in function _connect():
if ((@ldap_bind($this->conn_id)) == false) {
and replace it with
if ((@ldap_bind($this->conn_id,"someuser","somepassword")) == false) {
Note that someuser is in the form user@domain.tld.
I also recommend authenticating your admin user against the internal database rather than the LDAP (AD) container; otherwise you can easily lock yourself out.
Does the AD username need any particular privileges?
It has to have the privilege to list Active Directory, which ordinary users have. You can verify this by checking if the user is able to resolve other domain usernames in a permission dialog somewhere in Windows.
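As an added example (not code from the original post or from TikiWiki's PEAR module), here is a PHP helper that performs the authenticated bind the patch above introduces and then checks the privilege the comment describes by running a one-entry search. The host, base DN and bind credentials are placeholders assumed to come from configuration rather than being hard-coded in LDAP.php.

```php
<?php
// Added example, not from the original post or TikiWiki. Binds to Active
// Directory as a dedicated account (instead of the anonymous bind Windows 2003
// rejects by default) and verifies that the account can list the directory.
// $host, $baseDn, $bindUser and $bindPass are placeholders for config values.

function ad_bind_and_verify(string $host, string $baseDn, string $bindUser, string $bindPass): array
{
    // The post notes that the bind user must be in UPN form (user@domain.tld).
    if (!preg_match('/^[^@\s]+@[^@\s]+\.[^@\s]+$/', $bindUser)) {
        return [false, "bind user must be in the form user@domain.tld"];
    }

    $conn = @ldap_connect($host);
    if ($conn === false) {
        return [false, "ldap_connect failed for $host"];
    }
    // Active Directory expects LDAPv3; disabling referrals avoids chasing other DCs.
    ldap_set_option($conn, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($conn, LDAP_OPT_REFERRALS, 0);

    // Simple bind as the service account, mirroring the patched ldap_bind() call.
    if (@ldap_bind($conn, $bindUser, $bindPass) === false) {
        $err = ldap_error($conn);
        ldap_unbind($conn);
        return [false, "bind as $bindUser failed: $err"];
    }

    // Verify the account can list the directory: a search limited to one
    // user object. A bound account without list rights gets an error here.
    $res = @ldap_search($conn, $baseDn, '(objectClass=user)', ['sAMAccountName'], 0, 1);
    if ($res === false) {
        $err = ldap_error($conn);
        ldap_unbind($conn);
        return [false, "bound OK but search on $baseDn failed: $err"];
    }
    $count = ldap_count_entries($conn, $res);
    ldap_unbind($conn);
    return [$count > 0, "bind OK, search returned $count entries"];
}

// Placeholder values; replace with your own configuration.
[$ok, $msg] = ad_bind_and_verify('ldap://dc.domain.tld', 'DC=domain,DC=tld', 'someuser@domain.tld', 'somepassword');
echo ($ok ? "OK: " : "FAILED: ") . $msg . PHP_EOL;
```

Running this once with the intended service account tells you whether it can list the directory before you edit LDAP.php.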