As it stands, every user in my LDAP schema that falls under the following DN is authorized to log in:
ou=staff,dc=domain,dc=com
Now, where the complexity comes in is that I need to add a contractor to my directory. This contractor should only have access to MediaWiki and nothing else that LDAP authorizes users to access, such as UNIX logins or other web applications. I do know I can use $wgLDAPUseLocal to allow local logins, but I'd like to avoid keeping authorization local to the wiki.
Add the user to LDAP, but don't add the posixAccount and/or shadowAccount object classes; or, add the user to another OU (one that no other services use) and make another domain for the LDAP plugin that points to this other OU.
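As an added illustration of the second approach (not part of the answer above), here is a LocalSettings.php fragment for the MediaWiki LdapAuthentication extension that defines two domains, one bound to ou=staff and one bound to a separate contractor OU. The OU name ou=contractors, the domain labels, the server name and the proxy agent DN are assumptions; the contractor entry itself is created with only inetOrgPerson (no posixAccount/shadowAccount), so UNIX logins and other services that search ou=staff or require POSIX attributes never see it.

```php
<?php
// Added example for the LdapAuthentication extension; assumes the extension is
// already installed and loaded (e.g. via wfLoadExtension( 'LdapAuthentication' )).

// Two separately scoped domains: "staff" keeps today's behaviour, "contractors"
// is restricted to an OU that no other LDAP-backed service reads.
$wgLDAPDomainNames = array( 'staff', 'contractors' );

$wgLDAPServerNames = array(
    'staff'       => 'ldap.domain.com',   // assumed hostname
    'contractors' => 'ldap.domain.com',
);

// Base DN decides who can authenticate for each domain. The contractor OU is
// deliberately outside ou=staff, so staff-only services never match it.
$wgLDAPBaseDNs = array(
    'staff'       => 'ou=staff,dc=domain,dc=com',
    'contractors' => 'ou=contractors,dc=domain,dc=com', // assumed OU
);

// Search by uid rather than constructing a DN, so the user only needs an
// inetOrgPerson entry (no posixAccount/shadowAccount object classes).
$wgLDAPSearchAttributes = array(
    'staff'       => 'uid',
    'contractors' => 'uid',
);

// Use a read-only proxy agent for the search; never bind with a privileged DN.
$wgLDAPProxyAgent = array(
    'staff'       => 'cn=wiki-search,ou=services,dc=domain,dc=com', // assumed
    'contractors' => 'cn=wiki-search,ou=services,dc=domain,dc=com',
);
$wgLDAPProxyAgentPassword = array(
    'staff'       => getenv( 'WIKI_LDAP_PROXY_PW' ),
    'contractors' => getenv( 'WIKI_LDAP_PROXY_PW' ),
);

// Keep credentials off the wire and keep authorization in LDAP, not the wiki.
$wgLDAPEncryptionType = array(
    'staff'       => 'tls',
    'contractors' => 'tls',
);
$wgLDAPUseLocal = false;
```

The corresponding contractor entry is an LDIF record under ou=contractors,dc=domain,dc=com with objectClass inetOrgPerson only; because it carries no uidNumber, gidNumber or shadow attributes, PAM/NSS lookups for POSIX accounts will not resolve it even if they search the whole tree.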