I still don't know the answer to the questions I originally posed below; if anyone can help, I'd very much appreciate it. One way to get around this issue (for me, at least) would be to be able to do an LDAP subquery for group membership. I suspect this is not possible, but I have been unable to find a definitive answer. I can't get a test to work with ldapsearch.

E.g., to search for group membership of a one-deep group, you could do something like this:

    (member=(member={0}))

and then to get all groups the user is in directly or one-deep, you'd do this:

    |(member={0})(member=(member={0}))

I can't get this to work. I suspect it's illegal/unsupported, but I'm not sure.

________________________________
From: Payne, George (ghp5h)
Sent: Friday, July 31, 2009 9:17 AM
To: users@tomcat.apache.org
Subject: JNDIRealm and roleNested

I've discovered that there is apparently a fairly recent patch (3 months old now) to JNDIRealm to allow searches for nested LDAP groups, which sounds like functionality I very much need to be able to use my Domino server's LDAP.

My question, for someone wiser in the ways of Tomcat releases, is how exactly I can best GET this new patch and what state it is in (alpha? Tomcat 6? Catalina.jar?), since I do not understand the Subversion system it is in.

The patch, by Rainer Jung, is referenced here:
http://marc.info/?l=tomcat-dev&m=124085853600925&q=raw
or
http://mail-archives.apache.org/mod_mbox/tomcat-dev/200904.mbox/%3c20090427185457.0ccf82388...@eris.apache.org%3e

Alternately, is there a better option to convert nested LDAP groups to roles (e.g. if Bob is in the NevadaSales group and the NevadaSales group is nested in the NationalSales group, if Bob is logged in and I check isUserInRole("NationalSales"), it returns true)?

I very much like the RHEL yum auto-updating scheme I would have to abandon to move (I think) to Tomcat 6 (they are still on a version of 5.5).

Thanks for any wisdom,
George Payne
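
An added example, not part of the original message and not Tomcat's code: a standard LDAP search filter takes a literal value after member=, not another filter, so nested membership has to be resolved by the client repeating the (member={0}) search on each group it finds. The directory contents, DNs and function names below are constructed for illustration, and the in-memory lookup stands in for a real LDAP search.

```python
# Constructed sample directory: group DN -> DNs listed in its "member" attribute.
DIRECTORY = {
    "cn=NevadaSales,ou=groups,o=example": ["cn=Bob,ou=people,o=example"],
    "cn=NationalSales,ou=groups,o=example": [
        "cn=NevadaSales,ou=groups,o=example",
        "cn=UtahSales,ou=groups,o=example",
    ],
    # UtahSales lists NationalSales back: a membership cycle the resolver must survive.
    "cn=UtahSales,ou=groups,o=example": [
        "cn=Alice,ou=people,o=example",
        "cn=NationalSales,ou=groups,o=example",
    ],
    "cn=Admins,ou=groups,o=example": ["cn=Carol,ou=people,o=example"],
}


def search_groups(member_dn):
    """Stand-in for one LDAP search with filter (member={0}).

    Returns the groups that list member_dn directly. DNs are compared
    case-insensitively, a simplification of real DN matching.
    """
    needle = member_dn.lower()
    return sorted(group for group, members in DIRECTORY.items()
                  if needle in (m.lower() for m in members))


def nested_roles(user_dn, max_depth=10):
    """Map each group the user belongs to, directly or by nesting, to its depth."""
    found = {}
    frontier = [user_dn]
    for depth in range(max_depth):      # hard cap bounds the number of search rounds
        next_frontier = []
        for dn in frontier:
            for group in search_groups(dn):
                if group not in found:  # visited check: cycles cannot loop forever
                    found[group] = depth
                    next_frontier.append(group)
        if not next_frontier:
            break
        frontier = next_frontier
    return found


def is_user_in_role(user_dn, role_cn, max_depth=10):
    """Hypothetical counterpart of isUserInRole(): match the role name on the group CN."""
    prefix = "cn=" + role_cn.lower() + ","
    return any(g.lower().startswith(prefix) for g in nested_roles(user_dn, max_depth))
```

Because of the cycle in the sample data, Bob also ends up in UtahSales: any member of a group inside a membership loop inherits every group in that loop, which is worth checking for before mapping groups to roles.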