Hi again andi,
I have not worked on the PHP side since last time, but I have tested some different configuration options and have found a combination that works with the SSO lines added to authldap. Let me first show the issues I had, and what authldap debug + do=check shows me:
local.protected.php
$conf['authtype'] = 'authldap';
$conf['superuser'] = '@slowadmin';
$conf['rememberme'] = 0;
$conf['disableactions'] = 'register,resendpwd';
$conf['plugin']['authldap']['server'] = 'ldap://f21s.slow.motion:389';
$conf['plugin']['authldap']['usertree'] = 'cn=users,cn=accounts,dc=slow,dc=motion';
$conf['plugin']['authldap']['grouptree'] = 'cn=groups,cn=accounts,dc=slow,dc=motion';
$conf['plugin']['authldap']['userfilter'] = '(&(uid=%{user})(objectClass=posixAccount))';
$conf['plugin']['authldap']['groupfilter'] = '(&(member=%{dn})(objectClass=posixGroup))';
$conf['plugin']['authldap']['version'] = 3;
$conf['plugin']['authldap']['sso'] = 0;
$conf['plugin']['authldap']['debug'] = 1;
With SSO disabled and manual login
LDAP user search: Success [auth.php:225]
LDAP search at: cn=users,cn=accounts,dc=slow,dc=motion (&(uid=san)(objectClass=posixAccount)) [auth.php:226]
LDAP group search: Success [auth.php:270]
LDAP search at: cn=groups,cn=accounts,dc=slow,dc=motion (&(member=uid=san,cn=users,cn=accounts,dc=slow,dc=motion)(objectClass=posixGroup)) [auth.php:271
LDAP usergroup: wiki-admins [auth.php:290]
LDAP usergroup: slowadmin [auth.php:290]
You are part of the groups wiki-admins, slowadmin, user
The group 'slowadmin' is a member of the group 'slowmotion' (the DokuWiki user-group is 'slowmotion'), but this group is only visible at the bottom of the page, where authldap debug is also shown:
LDAP usergroup: slowmotion [auth.php:290]
With SSO enabled
LDAP user search: Success [auth.php:225]
LDAP search at: cn=users,cn=accounts,dc=slow,dc=motion (&(uid=san)(objectClass=posixAccount)) [auth.php:226]
LDAP group search: Success [auth.php:270]
LDAP search at: cn=groups,cn=accounts,dc=slow,dc=motion (&(member=uid=san,cn=users,cn=accounts,dc=slow,dc=motion)(objectClass=posixGroup)) [auth.php:271
You are part of the groups user
Somehow the ['grouptree'] and ['groupfilter'] options are ignored when SSO is on, and I'm not sure why.
I managed to get SSO and groups working with these config settings:
$conf['authtype'] = 'authldap';
$conf['superuser'] = '@slowadmin';
$conf['rememberme'] = 0;
$conf['disableactions'] = 'register,resendpwd';
$conf['plugin']['authldap']['server'] = 'ldap://f21s.slow.motion:389';
$conf['plugin']['authldap']['usertree'] = 'cn=users,cn=accounts,dc=slow,dc=motion';
$conf['plugin']['authldap']['userfilter'] = '(&(uid=%{user})(objectClass=posixAccount))';
$conf['plugin']['authldap']['version'] = 3;
$conf['plugin']['authldap']['sso'] = 1;
$conf['plugin']['authldap']['debug'] = 1;
$conf['plugin']['authldap']['mapping']['grps'] = array('memberof' => '/cn=(.+?),cn=groups/');
I'm not sure if this is "good enough" for you, as it doesn't use grouptree/groupfilter and, for our case, is geared toward FreeIPA. I know you wanted a GitHub pull request, but I'm attaching a diff here so you can see it is pretty minimal in its current state.
Thanks for your attention!
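
The following is an added example, not part of the original post and not authldap's own code. It runs the 'grps' mapping pattern from the post over constructed memberof values and compares it with a pattern anchored to the grouptree from the first configuration. The helper map_groups() is hypothetical and assumes the plugin applies the pattern to each memberof value and keeps the first capture group.

```php
<?php
// Added example, not DokuWiki or authldap code.
// map_groups() is a hypothetical helper: it assumes the 'grps' pattern is
// applied to every memberof value and that capture group 1 becomes the
// DokuWiki group name.
function map_groups(string $pattern, array $memberOf): array
{
    $groups = [];
    foreach ($memberOf as $dn) {
        if (preg_match($pattern, $dn, $m) === 1) {
            $groups[] = $m[1];
        }
    }
    return $groups;
}

// Constructed memberof values for uid=san (not captured from a real server).
$memberOf = [
    'cn=wiki-admins,cn=groups,cn=accounts,dc=slow,dc=motion',
    'cn=slowadmin,cn=groups,cn=accounts,dc=slow,dc=motion',
    'cn=slowmotion,cn=groups,cn=accounts,dc=slow,dc=motion',
    // Entries outside the group tree, constructed for comparison:
    'cn=wiki-editors,cn=roles,cn=accounts,dc=slow,dc=motion',
    'cn=legacy-ops,cn=groups,cn=compat,dc=slow,dc=motion',
];

// Pattern from the post: unanchored, accepts any DN containing ",cn=groups".
$loose = '/cn=(.+?),cn=groups/';

// Stricter variant: exactly one RDN directly under the grouptree value
// shown in the first configuration of the post.
$tree   = 'cn=groups,cn=accounts,dc=slow,dc=motion';
$strict = '/^cn=([^,]+),' . preg_quote($tree, '/') . '$/i';

echo "loose:  ", implode(', ', map_groups($loose, $memberOf)), PHP_EOL;
echo "strict: ", implode(', ', map_groups($strict, $memberOf)), PHP_EOL;
```

Because $conf['superuser'] is '@slowadmin', the names this pattern yields decide who gets admin rights, so it is worth checking the pattern against real memberof values from the directory before relying on it.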