...
Since you only need to keep the user data in a single LDAP , you can to avoid this duplication. However, this is not straightforward as you need to write the complete persistence layer. Let's take a step back and see how Authentication and Authorization work in Liferay.
...
The first type is done by assigning portlet management permissions to a given Liferay role and assigning members (groups/users) to that role from the underlying LDAP. We did not want to do that as that has more to do with the portal administration side and as a result, much more specific to Liferay. However, the second model directly deals with the business functions. It was decided that this is a better option and it is used in a finnfine-grained manner.
Even the second model can be done with Liferay's roles and permission. Whenever you want to render something in the portlet that requires some restricted audience, before rendering that you need to call req.isUserInRole("roleNme"). This is compliant with the JSR too. The following are the disadvantages:
...