If we use ActiveDirectory for access control, this provides login security, but we can't revoke access instantly (since the user can select "Remember my login on this computer" ...or is there a way to destroy another user's session?). We also cannot control read-only vs. read-write access at this level, I think.

This is solved if we also use MediaWiki user rights for access control; but then to add a new user, you need to add them to the NT security group AND bestow the appropriate MediaWiki user rights. It would be cleaner to maintain permissions in just one place. (This is my favorite approach at the moment, however.)
The LDAP Authentication plugin supports group restriction, and group
synchronization. You can limit logins to a few specific groups (through
group restriction), and allow read-only for some, and read-write for
others (through group synchronization).
Notice that you only need to set the groups up with the proper
permissions in MediaWiki. When a user is added into the appropriate LDAP
group, the wiki will grant permissions appropriately on successful
login.
As for the "Remember my login..." feature, I'd look at a way to disable
it if you are worried about sessions holding the group information
(which *WILL* happen). You may be able to get away with limiting the
amount of time that cookie is valid for.
V/r,
Ryan Lane
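As an added example (not from the thread or the extension's own documentation), this is how the group restriction and group synchronization settings described above fit together in LocalSettings.php for the MediaWiki LdapAuthentication extension, with rights defined once in MediaWiki and AD group membership deciding who receives them. The domain name, server, base DNs and group names are constructed placeholders.

```php
<?php
// Added example: LocalSettings.php fragment for the LdapAuthentication
// extension. "EXAMPLE", dc1.example.local and the DNs below are constructed
// placeholders; replace them with your own domain values.
require_once "$IP/extensions/LdapAuthentication/LdapAuthentication.php";
$wgAuth = new LdapAuthenticationPlugin();

$wgLDAPDomainNames     = array( 'EXAMPLE' );
$wgLDAPServerNames     = array( 'EXAMPLE' => 'dc1.example.local' );
$wgLDAPEncryptionType  = array( 'EXAMPLE' => 'tls' );
$wgLDAPActiveDirectory = array( 'EXAMPLE' => true );
$wgLDAPSearchStrings   = array( 'EXAMPLE' => 'EXAMPLE\\USER-NAME' );
$wgLDAPBaseDNs         = array( 'EXAMPLE' => 'dc=example,dc=local' );
$wgLDAPGroupBaseDNs    = array( 'EXAMPLE' => 'ou=groups,dc=example,dc=local' );

// Group restriction: only members of these AD groups may log in at all.
// The extension compares DNs in lower case.
$wgLDAPRequiredGroups = array( 'EXAMPLE' => array(
    'cn=wiki-readers,ou=groups,dc=example,dc=local',
    'cn=wiki-editors,ou=groups,dc=example,dc=local',
) );

// Group synchronization: on each successful login, copy the user's AD group
// membership into MediaWiki groups (named after the group cn) and let the
// LDAP groups prevail over locally assigned ones, except the listed
// locally managed groups.
$wgLDAPUseLDAPGroups        = array( 'EXAMPLE' => true );
$wgLDAPGroupsUseMemberOf    = array( 'EXAMPLE' => true ); // AD memberOf attribute
$wgLDAPGroupObjectclass     = array( 'EXAMPLE' => 'group' );
$wgLDAPGroupAttribute       = array( 'EXAMPLE' => 'member' );
$wgLDAPGroupNameAttribute   = array( 'EXAMPLE' => 'cn' );
$wgLDAPGroupsPrevail        = array( 'EXAMPLE' => true );
$wgLDAPLocallyManagedGroups = array( 'EXAMPLE' => array( 'sysop', 'bureaucrat' ) );

// Rights live only here: deny by default, then grant per synchronized group.
$wgGroupPermissions['*']['read']            = false;
$wgGroupPermissions['*']['edit']            = false;
$wgGroupPermissions['*']['createaccount']   = false;
$wgGroupPermissions['user']['edit']         = false;
$wgGroupPermissions['wiki-readers']['read'] = true;
$wgGroupPermissions['wiki-editors']['read'] = true;
$wgGroupPermissions['wiki-editors']['edit'] = true;

// Groups are re-read only at login, so a "remember me" cookie keeps stale
// membership alive until it expires. Shorten it (seconds; MediaWiki's default
// is 30 days) to bound how long a user removed from AD retains access.
$wgCookieExpiration = 8 * 3600;
```

Removing a user from the AD group takes effect on their next login; until the session cookie expires, their existing session still carries the old group list, which is the caveat raised in the reply.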