I am working on MediaWiki-extensions-LDAPAuthorization . The goal is to re-implement functionality that formerly was available through "LdapAuthentication" (by Ryan Lane). One of the features is a group based authorization mechanism during the implicit authentication. For the new "LDAP Stack" I'd like to use "Auth_remoteuser" for the implicit authentication. Unfortunately I need a way to check for the users authorization too. And in case the user is not authorized, I need to stop the implicit login. This hook point should only be called once per user session, as authorization logic will do some requests to a remote resource.
I've already implemented a little patch for this . But I'd like to hear your opinion and advice.