MediaWiki Stakeholders' Group Logo.svg This extension is maintained by a member of the MediaWiki Stakeholders' Group.
MWStake LDAPStack Icon.svg This extension is part of the LDAP Stack and requires the LDAPProvider extension to be installed first.

This extension allows to sync user groups from a LDAP resource, when a user logs into the wiki.

MediaWiki extensions manual
OOjs UI icon advanced.svg
Release status: stable
MWStake LDAPStack Icon.svg
Author(s) Cindy Cicalese, Mark A. Hershberger, Robert Vogel
Latest version 1.0.0
Compatibility policy release branches
MediaWiki 1.31+
License GNU General Public License 2.0 or later
Translate the LDAPGroups extension if it is available at translatewiki.net
Check usage and version matrix.

Extension config settingsEdit

When using them in LocalSettings.php, these variables need to be prefixed with $LDAPGroups
Name Default Description
	"mappedgroups": "MediaWiki\\Extension\\LDAPGroups\\SyncMechanism\\MappedGroups::factory",
	"allgroups": "MediaWiki\\Extension\\LDAPGroups\\SyncMechanism\\AllGroups::factory"
Allows registration of custom group sync mechanisms.

The factory callbacks must return an object of type ISyncMechanism.

Domain config settingsEdit

Name Default Description
groupsync.mechanism "mappedgroups" The key of the sync mechanism (see above) to be used. by default there are two available:
  • "mappedgroups": This re-implements the logic of Extension:LdapGroups and allows to assign local user groups based on group DNs the user belongs to in the LDAP resource..
  • "allgroups": This syncs all groups a user is assigned to in the LDAP resource based on their CN. Be aware that only groups are synced that exist in the local wiki configuration ($wgGroupPermissions). This re-implements the behaviour of Extension:LDAP Authentication.
groupsync.locally-managed [] Only used when groupsync.mechanism = allgroups. Takes an array of local user group names (not DNs!) that should not be assigned/unassigned automattically. Groups "sysop", "bureaucrat" and "bot" are implicitly locally managed.
groupsync.mapping {} Only used when groupsync.mechanism = mappedgroups. Example:
	"mathematicians": "ou=mathematicians,dc=example,dc=com",
	"scientists": "ou=scientists,dc=example,dc=com"

If you want to configure this in LocalSettings.php you can extend the configuration for LDAPProvider like in this example:

$LDAPProviderDomainConfigProvider = function() {
	$config = [
		'LDAP' => [
			'connection' => [
			'groupsync' => [
				"mechanism" => "allgroups",
				"locally-managed" => [ "local", "wiki", "group", "names" ]

Using LDAPGroups without LDAP authenticationEdit

LDAPGroups needs to have information about which LDAP domain configuration to use for a user logging in. For this it uses a table in the database (ldap_domains). When using Extension:LDAPAuthentication2 this table automatically gets the necessary data filled in.

If you use another type of authentication (e.g. Auth_remoteuser or SimpleSAMLphp) you have to find another way of feeding this table. If you are using only one LDAP domain you can e.g. add this to your LocalSettings.php (again based on the example config for LDAPProvider):

function onUserLoggedIn_AddToDomain( $domain, $user ) {
	$userDomainStore = new MediaWiki\Extension\LDAPProvider\UserDomainStore(

	$currentDomain = $userDomainStore->getDomainForUser( $user );

	if ( ! $currentDomain || $currentDomain != $domain ) {
		$userDomainStore->setDomainForUser( $user, $domain );
$wgHooks['UserLoggedIn'][] = 'onUserLoggedIn_AddToDomain';