DX Infrastructure Manager


Ease UMP on-boarding of users through user groups assigned to site

  • 1.  Ease UMP on-boarding of users through user groups assigned to site

    Posted 11-01-2016 03:05 PM

    Anyone have any insight into easing onboarding of users to UMP in bulk or automagically?

     

    Any attempts to assign an AD LDAP security group to a UMP user group? Essentially seeking a method to eliminate the need to have new users authenticate one time to UMP and then have UMP administrators map the new user to a site. Other known caveats are users who belong to multiple LDAP groups that would exist with separate sites.



  • 2.  Re: Ease UMP on-boarding of users through user groups assigned to site

    Posted 11-02-2016 09:05 AM

    Hi

     

    Currently UIM does not support having the same user belong to multiple LDAP security groups that are mapped to ACL.

    UIM does not have an order of precedence when it comes to login, so if a user belongs to multiple LDAP groups, whichever one is returned by LDAP first will be used. Because there is no guarantee the order will be the same each time, the client would face unexpected results.

     

    As to onboarding, most MSPs I know will set up the user and log in once to create the Liferay account and attach it to the site, then send the user name and password to the client and request that they change their password on the first login.

     

    Hope this helps



  • 3.  Re: Ease UMP on-boarding of users through user groups assigned to site

    Posted 11-02-2016 10:39 AM

    Thanks Gene - We are fully aware of the multiple LDAP objects including the inability to handle nested groups. Have inquired numerous times with product management about such features and numerous community ideas on the topic.

     

    Here is the scenario from the support case. It is suggested dropping all Liferay tables to fix a "site template" propagation issue whose root cause could not be determined. As a result, this means having to recreate sites (intent is to export/import) but then having to associate users to each site. It does not look good to be going back to organizational resources to perform first-time authentication just to configure users. The desired authentication method is AD LDAP, not local, as a result of the excessive overhead involved in managing local users for infrastructure teams which can change resources.

     

    Another method thought of was to create another AD group dedicated to each UMP site to avoid the ACL conflict. Can sync group memberships behind the scenes for UIM security group. Then would look to associate UMP group to Liferay group which would be associated to the site. Has anyone tried this?

     

    Non-CA content on this topic from other forums.

     

    https://blog.ancud.de/home/-/blogs/creating-sites-and-users-programmatically 

    RE: Liferay API question Get UserGroup members - Community Forums | Liferay 
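
The two limitations described in replies 2 and 3 (no login precedence between ACL-mapped LDAP groups, and no nested-group handling) can be checked before onboarding. The following is an added example, not part of the thread and not CA or Liferay code; the group names, the ACL mapping, and the `grp:` prefix marking a nested group are constructed assumptions standing in for an export of AD group memberships.

```python
from collections import defaultdict

# Constructed sample data: direct members of each AD group.
# A member written as "grp:<name>" is a nested group (assumed convention).
GROUP_MEMBERS = {
    "UIM-SiteA-Operators": ["alice", "bob"],
    "UIM-SiteB-Operators": ["bob", "carol"],
    "UIM-SiteC-Operators": ["grp:NOC-Team"],
    "NOC-Team": ["dave"],
}
# Constructed mapping of LDAP group -> UIM ACL name.
ACL_MAP = {
    "UIM-SiteA-Operators": "SiteA-ACL",
    "UIM-SiteB-Operators": "SiteB-ACL",
    "UIM-SiteC-Operators": "SiteC-ACL",
}

def audit(group_members, acl_map):
    """Return (ambiguous, nested_only) for the ACL-mapped groups.

    ambiguous:   users who are direct members of more than one mapped group,
                 so the ACL they get depends on LDAP return order.
    nested_only: users who reach a mapped group only through a nested group,
                 which the thread says is not handled.
    """
    direct = defaultdict(set)
    nested = defaultdict(set)
    for group in acl_map:
        seen = {group}  # guards against circular nesting
        stack = [(m, False) for m in group_members.get(group, [])]
        while stack:
            member, via_nested = stack.pop()
            if member.startswith("grp:"):
                child = member[4:]
                if child not in seen:
                    seen.add(child)
                    stack.extend((m, True) for m in group_members.get(child, []))
            elif via_nested:
                nested[member].add(group)
            else:
                direct[member].add(group)
    ambiguous = {u: sorted(g) for u, g in direct.items() if len(g) > 1}
    nested_only = {}
    for user, groups in nested.items():
        missing = groups - direct.get(user, set())
        if missing:
            nested_only[user] = sorted(missing)
    return ambiguous, nested_only

if __name__ == "__main__":
    print(audit(GROUP_MEMBERS, ACL_MAP))
```

Users reported as ambiguous would need to be moved to a single mapped group (or to a dedicated per-site group, as proposed in reply 3) before relying on LDAP login.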



  • 4.  Re: Ease UMP on-boarding of users through user groups assigned to site

    Posted 11-04-2016 12:07 PM

    Hello,

     

    We faced the same hurdles and lack of scalability when it came to this part (having to log in as a prerequisite). Not only is this a management headache, but our end users like to complain about it too, unfortunately.

     

    It is not very elastic to have such a scalable product and then be bottlenecked like this. Regardless, I think an indirect approach as mentioned (relating sites to AD groups) may be more efficient in managing this. Additionally, it may be prudent (depending on environment layout and policy) to set up one Account per team/site. You can always extend the number of users able to log on per account.

     

    Alberto



  • 5.  Re: Ease UMP on-boarding of users through user groups assigned to site

    Posted 11-03-2016 05:03 PM

    Hi Tom,

     

    I am reaching out to a broader audience to see if anyone has a positive answer for you.



  • 6.  Re: Ease UMP on-boarding of users through user groups assigned to site

    Posted 11-04-2016 10:35 AM

    Hi Tom, I checked in with some of our accomplished Field representatives, and none have an idea on how to accomplish that which you are asking.