Hi Chris,

Thanks for the mail. The only thing that changed in my server.xml was
the order, and I changed the roleSearch from:

roleSearch="(uniqueMember={0})"

To

roleSearch="(member={0})"

Apart from that, I'm a little confused why it works - but it does....

If a user had 3 roles (group1, group2, group3) - (is a member of 3
Windows domain groups) - then I was getting back

CN=CN=group1,CN=xxxx,DC=yyy,DC=zzzz
CN=CN=group2,CN=xxxx,DC=yyy,DC=zzzz
CN=CN=group3,CN=xxxx,DC=yyy,DC=zzzz
group1
group2
group3


So moved onto my next problem, which is why when securing the URL via
HTTPS, everything works great, but IE can no longer 'find' the Java Web
Start application..... And it worked on same port with HTTP. Sigh.
Looking into it.

Rupert.
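
For reference, an added example (not Rupert's actual server.xml, which the thread does not show) of a Tomcat JNDIRealm definition using the `member` filter described above. Host names, DNs and the bind account are placeholders; the attributes are standard JNDIRealm attributes.

```xml
<!-- Constructed example: every host name, DN and credential is a placeholder. -->

<!-- roleSearch is an LDAP filter run under roleBase; {0} is replaced with the
     authenticated user's DN. Active Directory group objects list their members
     in the "member" attribute. "uniqueMember" belongs to the groupOfUniqueNames
     schema used by other directory servers, so a filter on it matches no
     AD groups and the user ends up with no roles. -->

<!-- roleName="cn" makes the realm use each matching group's short name
     (e.g. group1) as the role name, not the group's full DN. -->

<!-- Not from the thread: if userRoleName is also set (for AD, typically to
     "memberOf"), the values of that user attribute, which are group DNs,
     are added to the role set alongside the names found by roleSearch. -->

<Realm className="org.apache.catalina.realm.JNDIRealm"
       connectionURL="ldap://dc.example.invalid:389"
       connectionName="CN=tomcat-bind,CN=Users,DC=example,DC=invalid"
       connectionPassword="CHANGE_ME"

       userBase="CN=Users,DC=example,DC=invalid"
       userSearch="(sAMAccountName={0})"
       userSubtree="true"

       roleBase="CN=Users,DC=example,DC=invalid"
       roleSubtree="true"
       roleName="cn"
       roleSearch="(member={0})" />
```

With `roleName="cn"`, the role names in web.xml security constraints and in `request.isUserInRole()` checks need to match the groups' short names.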


-----Original Message-----
From: Christopher Schultz [mailto:[EMAIL PROTECTED] 
Sent: 09 April 2008 14:16
To: Tomcat Users List
Subject: Re: Apache Tomcat role authorisation against AD2003




This message should be regarded as confidential. If you have received this 
email in error please notify the sender and destroy it immediately.
Statements of intent shall only become binding when confirmed in hard copy by 
an authorised signatory.  The contents of this email may relate to dealings 
with other companies within the Detica Group plc group of companies.

Detica Limited is registered in England under No: 1337451.

Registered offices: Surrey Research Park, Guildford, Surrey, GU2 7YP, England.




Rupert,

Rupert Whitefield wrote:
| Thanks for the response.  I think you are correct on the role
| definition (could not find a way of escaping or wildcarding the role
| which struts
| 1.1 suggests is possible) - so have worked a little more on the AD
| realm settings in Tomcat.  By trial and error I have found the below
| to work:

Your new configuration looks the same as your original configuration to
me. What changed?

| This seems to return both the cn and DN, i.e. really twice as much 
| role data as I need - but at least it works.....

When you say it "returns both", what do you mean? If a user has 3 roles,
for how many different values will request.isUserInRole(value) return
true?

- -chris

---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org To unsubscribe,
e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]



