Rupert,

Rupert Whitefield wrote:
|> Roles (users windows domain groups) are being returned, however the
|> issue is that AD is returning the DN, and not the 'cn'. Have tried
|> various values in the roleName field - but these have no effect.

Are CNs unique? I would be concerned that cn=admin,dc=admins would be
confused with cn=admin,dc=h4x0r5, if someone got ahold of your AD server.

|> I can change the <role-name> definitions in the web.xml files to match
|> what is being returned - but this isn't ideal, and I still have issues
|> with the ',' in the role when using struts.....

Hmm... role-name elements in web.xml must be NMTOKENs, which means:

    NameChar ::= Letter | Digit | '.' | '-' | '_' | CombiningChar | Extender
    Nmtoken  ::= (NameChar)+

(Where 'Letter' and 'Digit' are obvious)

'Extender' includes the '.' character and a bunch of higher-order
UNICODE characters. 'CombiningChar' also includes higher-order UNICODE
characters. I didn't bother looking any of them up, but you can use this
page for reference: http://www.w3.org/TR/1998/REC-xml-19980210

Perhaps commas are not legal in the role-name in the first place. That
could be a problem :(

-chris

---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
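
Added example, not part of the original message or of Tomcat: a Python check of the two points raised above, whether a role string fits the Nmtoken grammar as quoted in the message, and whether reducing DNs to their cn makes distinct groups collide. The Unicode-category approximation of the XML character classes, the simplified DN splitting, and all function names are assumptions.

```python
import re
import unicodedata
from collections import defaultdict


def is_name_char(ch):
    """NameChar as quoted in the message: Letter | Digit | '.' | '-' | '_' |
    CombiningChar | Extender. The XML character tables are approximated here
    with Unicode general categories L*, M* and Nd (assumption)."""
    cat = unicodedata.category(ch)
    return ch in "._-" or cat[0] in "LM" or cat == "Nd"


def is_nmtoken(value):
    """True if the string is non-empty and made only of NameChars."""
    return bool(value) and all(is_name_char(ch) for ch in value)


def split_dn(dn):
    """Split a DN into (attribute, value) pairs on unescaped commas (simplified)."""
    pairs = []
    for rdn in re.split(r"(?<!\\),", dn):
        attr, _, val = rdn.strip().partition("=")
        pairs.append((attr.strip().lower(), val.strip()))
    return pairs


def cn_of(dn):
    """Return the first cn value of a DN, or None if it has none."""
    return next((val for attr, val in split_dn(dn) if attr == "cn"), None)


def cn_collisions(dns):
    """Map each cn shared by more than one distinct DN to those DNs."""
    by_cn = defaultdict(set)
    for dn in dns:
        cn = cn_of(dn)
        if cn is not None:
            by_cn[cn.lower()].add(dn.lower())
    return {cn: sorted(group) for cn, group in by_cn.items() if len(group) > 1}


# Constructed sample: the two DNs from the message plus one unrelated group.
SAMPLE_DNS = ["cn=admin,dc=admins", "cn=admin,dc=h4x0r5", "cn=users,dc=admins"]

if __name__ == "__main__":
    for dn in SAMPLE_DNS:
        print(dn, "-> nmtoken:", is_nmtoken(dn), "| cn:", cn_of(dn))
    print("ambiguous cns:", cn_collisions(SAMPLE_DNS))
```

A full DN fails the check on both '=' and ',', while the bare cn passes but is reported as ambiguous when two DNs share it.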