将LDAP用户映射到Liferay本地组

Question

I have setup LDAP authentication with liferay in my application. I have kept LDAP enabled and required as true. This way only users with LDAP account would be able to login to portal.

ldap.auth.enabled=true
ldap.auth.required=true 

Now I have requirement to create a local liferay group having certain users from LDAP (belonging to my team). After LDAP authentication, this group would be checked if the user logging in is part of this group then only authentication would be allowed.

So basically I need two groups:

1. Team group (containing subset of LDAP)
2. Admin group (Subset of team and will be able to add/remove from team group)

I need help on achieving this. The issue is, as my LDAP account do not have admin rights once I login to liferay, I do not see any administration options, and won't be able to create group.

Is there anyway I can map some of the LDAP accounts to admin accounts and how do I achieve this in production without doing required flag as false?

Thanks in advance!

Answer 1

If I understand your question well, you need to only grant some of your LDAP user login permission. There are several ways to achieve that :

1. Filter the users you synch with Liferay, by their DN, or by their LDAP group
2. Add a custom LoginPreAction event to deny login to certain users

To give users admin role, you can add your custom LoginPostAction , and give them the Administrator role if they meat the criterias