Let's say that in my LDAP server I have a group called "trainers". Of all the members of that group there are a select few that are also in a group called "aces". In other words, all users that are in the group "aces" are also in "trainers" but not all "trainers" are "aces".
I have my MediaWiki set up so that you cannot create a new account and that only and all "trainers" are able to log in using LDAP Authentication. However, now I want "aces" to have SysOp privilege without the Bureaucrat manually granting each "ace" the privilege using the interface.
How do I go about doing this?