Excluding User Groups Not Part of the BaseDN In LDAP Import

This article is a legacy article. It applies to previous versions of the Liferay product. While the article is no longer maintained, the information may still be applicable.

In older versions of Liferay Portal (e.g. 5.1.x, 5.2 EE SP3), by default, Liferay will import all user groups a user is associated with regardless of whether the user group is part of the user's specified LDAP BaseDN or not.

Beginning with Liferay Portal 5.2 EE SP4, Liferay implemented a portal property, ldap.import.group.search.filter.enabled, that controls whether the import checks that a user group is part of the BaseDN. If this property is set to true, the import process will exclude user groups that are not part of the BaseDN and apply the filter specified in the property ldap.import.group.search.filter. If set to false, the import process will import all user groups that a user is associated with.

Resolution

In all of the above versions, this property is set to true by default.

  1. Users are strongly encouraged to make all changes in their portal-ext.properties instead of portal.properties.
  2. Add the following to the portal-ext.properties file:
    # If set to true, the group filter will be applied, but only to groups in
    # the specified base DN. If set to false, the filter will not be applied and
    # all groups that are associated with the imported users will be imported
    # regardless of the base DN.
    #
    ldap.import.group.search.filter.enabled=true
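
To preview the effect of this setting before an import, the following added example (not Liferay code) reads the property from properties text and reports which of a user's group DNs lie under the base DN. It models only the base-DN scoping, not the filter in ldap.import.group.search.filter; the function names, the base DN and the group DNs are constructed for illustration.

```python
# Added illustration, not Liferay code. Models base-DN scoping only.
import re

PROP = "ldap.import.group.search.filter.enabled"

def load_properties(text):
    """Minimal .properties reader ('#'/'!' comments, '=' or ':'); no line continuations."""
    props = {}
    for line in text.splitlines():
        m = re.match(r"\s*([^#!=:\s][^=:\s]*)\s*[=:\s]\s*(.*)", line)
        if m:
            props[m.group(1)] = m.group(2).strip()  # last definition wins
    return props

def filter_enabled(props_text):
    # Default true per the article. Assumption: only "true" (any case) enables it.
    return load_properties(props_text).get(PROP, "true").lower() == "true"

def split_rdns(dn):
    """Split on unescaped commas; assumes single-valued RDNs, case-insensitive values."""
    parts, cur, esc = [], "", False
    for ch in dn:
        if ch == "," and not esc:
            parts.append(cur)
            cur = ""
        else:
            cur += ch
        esc = ch == "\\" and not esc  # a backslash escapes the next character
    parts.append(cur)
    return [tuple(s.strip().lower() for s in p.partition("=")[::2]) for p in parts]

def under_base_dn(dn, base_dn):
    # Compare whole RDNs from the right, never raw string suffixes.
    d, b = split_rdns(dn), split_rdns(base_dn)
    return len(d) >= len(b) and d[-len(b):] == b

def groups_imported(props_text, base_dn, group_dns):
    if not filter_enabled(props_text):
        return list(group_dns)  # false: every associated group is imported
    return [g for g in group_dns if under_base_dn(g, base_dn)]

# Constructed sample data (not from the article)
BASE_DN = "ou=groups,dc=example,dc=com"
GROUPS = [
    "cn=Editors,ou=groups,dc=example,dc=com",
    "CN=Ops\\, EU, OU=Groups, DC=Example, DC=com",
    "cn=Finance,ou=othergroups,dc=example,dc=com",
    "cn=Admins,ou=groups,dc=partner,dc=org",
]
```

With the property set to false, all four constructed groups are returned, including the two outside the base DN; with true or with the property absent, only the first two remain.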