Thread:Extension talk:LDAP Authentication/Controlling edit rights by AD group?

We use LDAPauthentication successfully to limit logins to members of certain AD groups, using $wgLDAPRequiredGroups. Now we want to change things: let all AD users log into the wiki, but limit edit rights to those certain AD groups. How can this be accomplished with LDAPauthentication?

I'm guessing that we need to set $wgLDAPUseLDAPGroups to synchronize MW and AD groups, which will somehow mirror those AD groups as MW groups, and then set in LocalSettings.php:

$wgGroupPermissions['*']['edit'] = false; $wgGroupPermissions['AD group name 1']['edit'] = true; $wgGroupPermissions['AD group name 2']['edit'] = true; // ...etc...

However, I am limited in my understanding of LDAPauthentication group synchronization. Does it actually create wiki groups that mirror the AD groups? Should these AD groups now show up in Special:UserRights? (I never see them there.) How can one see that group synchronization is actually working: what is the visible effect?

Here is our current LDAPauthentication config that restricts logins:

$wgLDAPDomainNames = array( 'ourdomain' ); $wgLDAPServerNames = array( 'ourdomain' => 'server1.domain server2.domain' ); $wgLDAPSearchStrings = array( 'ourdomain' => sprintf("%s\\USER-NAME", 'ourdomain') ); $wgLDAPLowerCaseUsername = array( 'ourdomain' => true ); $wgLDAPUseLocal = false; $wgLDAPEncryptionType = array( 'ourdomain' => "ssl" ); $wgLDAPRequiredGroups = array( 'ourdomain' => $groupArrayInTheAppropriateFormat ); $wgLDAPBaseDNs = array( 'ourdomain' => "dc=example,dc=net" ); $wgLDAPSearchAttributes = array( 'ourdomain' => "sAMAccountName" ); $wgLDAPGroupUseFullDN = array( 'ourdomain' => true ); $wgLDAPGroupObjectclass = array( 'ourdomain' => "group" ); $wgLDAPGroupAttribute = array( 'ourdomain' => "member" ); $wgLDAPGroupNameAttribute = array( 'ourdomain' => "cn" ); $wgLDAPUseLDAPGroups = array( 'ourdomain' => true ); $wgLDAPAutoAuthUsername  = preg_replace( '/@.*/', '', $_SERVER["REMOTE_USER"] ); $wgLDAPAutoAuthDomain    = 'ourdomain'; $wgLDAPProxyAgent        = array('ourdomain' => 'CN=blah blah blah' ); $wgLDAPProxyAgentPassword = array('ourdomain' => 'password here' ); $wgLDAPSearchStrings     = null;

Thank you very much for any insights.