I'm new to BEA security. I would like to be able to authenticate users
on my enterprise LDAP (which I already do via an LDAP Authenticator),
but I would also like to be able to assign these users to groups and
roles, but I don't want to manage these groups and roles in my
enterprise LDAP.

My plan right now is:

Customize a role mapper that would create a local user (the first time)
in BEA's embedded LDAP so that my enterprise LDAP authenticates the
users. Then I have subjects with the same user attribute as my LDAP,
but with local groups and roles assignment local to BEA.

Is this possible? Any simpler plan??

Thanks guys!