We have a portal hosted at our side on Liferay and an Active Directory is in sync through LDAP with Liferay. The problem which we are facing is that when the user gets deleted from the AD it neither gets deactivated nor deleted from Liferay. I want the user to be deactivated, not deleted, from Liferay when deleted from the AD.
Although Liferay strongly discourages deactivating/deleting the user when the user is deleted from the AD, as there may be dependencies on other users, sites or organisations, or unexpected behavior which may be caused.
I checked all the required fields which are necessary for AD synchronization with Liferay. I am unable to upload the screenshot due to insufficient reputation.
How can I achieve the aforementioned requirement?
Please suggest the possible ways.
Thank you
In order to customize such default behavior of Liferay, you need to create an ext plugin by extending PortalLDAPImporterImpl.java.
The following link will help you: http://www.liferay.com/community/forums/-/message_boards/message/10755176
When you interface with LDAP you shouldn't rely on Liferay to tell you if a user is deactivated or not - e.g. just look up the existence of a user in LDAP to determine if an account is valid.
My advice is to require LDAP for those users and not save their password in Liferay's database - thus, no matter if the user is activated or deactivated, they can't log in to Liferay because Liferay would authenticate them with LDAP (which would fail).
If this is - for some reason - really mandatory you can either deactivate them on a subsequent try for login or bulk import/validate all users against LDAP from time to time.
And yet another possibility is depending on the way you maintain your LDAP database - you could also use Liferay's API from your LDAP maintenance software to deactivate users when deleted from AD.
But the key is: deleted LDAP users should not be able to log in to Liferay - when they log in, Liferay would import all of their data, which doesn't work. And when Liferay can't validate their passwords, they couldn't log in without LDAP, thus you shouldn't be facing any actual problem.
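The "bulk validate all users against LDAP from time to time" option above is a reconciliation job: list the identities that still exist in the directory, compare them with the LDAP-managed users Liferay knows about, and deactivate only the ones that are missing. The following is an added example of that logic, not code from the answer or from Liferay; it goes slightly beyond the text by also treating AD accounts with the ACCOUNTDISABLE bit set as gone. The LDAP entries and Liferay user rows are constructed sample data, the `ldap_managed` flag and the `deactivate` callback are assumed stand-ins for however you read Liferay's user table and call its update-status API, and the job refuses to act when the directory search returns nothing, so an LDAP outage cannot deactivate every account.

```python
"""Scheduled reconciliation: deactivate Liferay users whose AD/LDAP entry is gone.

Example code, not part of Liferay. Directory entries and user rows are constructed
samples; `deactivate` is an assumed callback for Liferay's user status update.
"""
from dataclasses import dataclass
from typing import Callable, Dict, Iterable, List, Set

ACCOUNTDISABLE = 0x2   # bit in AD's userAccountControl attribute


@dataclass
class LiferayUser:
    user_id: int
    screen_name: str
    email: str
    ldap_managed: bool   # assumed flag: user was imported from LDAP, not created locally
    active: bool


def normalize(value: str) -> str:
    return value.strip().lower()


def live_ldap_identities(entries: Iterable[Dict]) -> Set[str]:
    """Collect screen names and mails of AD entries that still exist and are enabled."""
    ids: Set[str] = set()
    for entry in entries:
        if int(entry.get("userAccountControl", 0)) & ACCOUNTDISABLE:
            continue  # disabled in AD is treated the same as deleted
        ids.add(normalize(entry["sAMAccountName"]))
        if entry.get("mail"):
            ids.add(normalize(entry["mail"]))
    return ids


def plan_deactivations(users: Iterable[LiferayUser], ldap_ids: Set[str],
                       protected: Iterable[str] = ()) -> List[LiferayUser]:
    """Return the LDAP-managed, currently active users with no matching AD identity."""
    protected = {normalize(p) for p in protected}
    plan = []
    for user in users:
        if not user.ldap_managed or not user.active:
            continue  # local accounts and already-inactive users are left alone
        if normalize(user.screen_name) in protected:
            continue
        if normalize(user.screen_name) in ldap_ids or normalize(user.email) in ldap_ids:
            continue
        plan.append(user)
    return plan


def reconcile(users: List[LiferayUser], ldap_entries: List[Dict],
              deactivate: Callable[[int], None],
              protected: Iterable[str] = ()) -> List[str]:
    """Deactivate orphaned users; returns the screen names that were deactivated."""
    ldap_ids = live_ldap_identities(ldap_entries)
    if not ldap_ids:
        # An empty search almost always means the bind or search failed, not that
        # every user vanished; acting on it would lock out the whole portal.
        raise RuntimeError("LDAP search returned no users; refusing to deactivate anyone")
    plan = plan_deactivations(users, ldap_ids, protected)
    for user in plan:
        deactivate(user.user_id)
    return [user.screen_name for user in plan]


# Constructed sample directory: bob is disabled, dave has been deleted from AD.
SAMPLE_LDAP = [
    {"sAMAccountName": "alice", "mail": "alice@example.com", "userAccountControl": 512},
    {"sAMAccountName": "bob", "mail": "bob@example.com", "userAccountControl": 514},
    {"sAMAccountName": "carol", "userAccountControl": 512},
]

# Constructed sample Liferay users: erin is local, frank is already inactive.
SAMPLE_USERS = [
    LiferayUser(10, "alice", "alice@example.com", True, True),
    LiferayUser(11, "bob", "bob@example.com", True, True),
    LiferayUser(12, "carol", "carol@example.com", True, True),
    LiferayUser(13, "dave", "dave@example.com", True, True),
    LiferayUser(14, "erin", "erin@example.com", False, True),
    LiferayUser(15, "frank", "frank@example.com", True, False),
]


def run_sample() -> List[str]:
    """Run the job against the constructed data; returns ["bob", "dave"]."""
    deactivated_ids: List[int] = []
    names = reconcile(SAMPLE_USERS, SAMPLE_LDAP, deactivated_ids.append,
                      protected=["test"])
    assert deactivated_ids == [11, 13]
    return names


if __name__ == "__main__":
    print("deactivated:", run_sample())
```

Matching on both screen name and mail mirrors the two attributes Liferay's LDAP user mapping usually keys on; if your mapping uses only one, drop the other so a stale mail address cannot keep an orphaned account alive.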