Hello, I am having problems getting Tomcat 4.1.10 (and previous versions) to correctly use the JNDI realm with Microsoft ADS. Tomcat will log on the user but does not find any roles, so permission to access the web pages is denied.
Here is the section from the web.xml file.

    <Realm className="org.apache.catalina.realm.JNDIRealm" debug="3"
           connectionURL="ldap://mainserv:389"
           roleBase="ou=webgroups,dc=DEV2000"
           roleName="CN"
           roleSearch="(member={0})"
           userPattern="cn={0},cn=Users,dc=DEV2000"/>

I am authenticating as the user because ADS does not return passwords. Entering a directly in a third-party tool works correctly. I have developed my own code to read users from ADS that works with the above settings. I have compared my code with the Tomcat source and cannot see any major differences. The debug shows that Tomcat is making the correct queries.

    2002-09-09 13:58:56 JNDIRealm[Standalone]: dn=cn=user1,cn=Users,dc=DEV2000
    2002-09-09 13:58:56 JNDIRealm[Standalone]: validating credentials by binding as the user
    2002-09-09 13:58:56 JNDIRealm[Standalone]: binding as cn=user1,cn=Users,dc=DEV2000
    2002-09-09 13:58:56 JNDIRealm[Standalone]: Username user1 successfully authenticated
    2002-09-09 13:58:56 JNDIRealm[Standalone]: getRoles(cn=user1,cn=Users,dc=DEV2000)
    2002-09-09 13:58:56 JNDIRealm[Standalone]: Searching role base 'ou=webgroups,dc=DEV2000' for attribute 'CN'
    2002-09-09 13:58:56 JNDIRealm[Standalone]: With filter expression '(member=cn=user1,cn=Users,dc=DEV2000)'
    2002-09-09 13:58:56 JNDIRealm[Standalone]: Returning 0 roles
    2002-09-09 13:58:56 JNDIRealm[Standalone]: Username user1 does NOT have role WebUsers

Any help would be gratefully received. I have to make this work, so my only option left is to start modifying Tomcat with additional debug information to try and work out why it is not working.

Thanks
Richard Pearson
Software Engineer
Kingston inbusiness
Nashleigh Court
188 Severalls Ave
Chesham
Bucks HP5 3EN
[EMAIL PROTECTED]
Tel: 01494 606060
Fax: 01494 601601
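An added example, not part of the original message and not Tomcat code: a small Python script that reads JNDIRealm debug output in the format quoted above, picks out role lookups that returned zero roles after a successful bind, and prints an OpenLDAP ldapsearch command that repeats the same query bound as the same user. The function names are made up for this example, and the one-level search scope is an assumption based on the Realm element not setting roleSubtree.

```python
import re
import shlex

# Constructed sample: JNDIRealm debug lines copied from the message above.
SAMPLE_LOG = """\
2002-09-09 13:58:56 JNDIRealm[Standalone]: binding as cn=user1,cn=Users,dc=DEV2000
2002-09-09 13:58:56 JNDIRealm[Standalone]: Username user1 successfully authenticated
2002-09-09 13:58:56 JNDIRealm[Standalone]: getRoles(cn=user1,cn=Users,dc=DEV2000)
2002-09-09 13:58:56 JNDIRealm[Standalone]: Searching role base 'ou=webgroups,dc=DEV2000' for attribute 'CN'
2002-09-09 13:58:56 JNDIRealm[Standalone]: With filter expression '(member=cn=user1,cn=Users,dc=DEV2000)'
2002-09-09 13:58:56 JNDIRealm[Standalone]: Returning 0 roles
"""

PATTERNS = {
    "dn": re.compile(r"getRoles\((.+)\)$"),
    "base": re.compile(r"Searching role base '(.+)' for attribute '(.+)'$"),
    "filter": re.compile(r"With filter expression '(.+)'$"),
    "count": re.compile(r"Returning (\d+) roles$"),
}

def role_lookups(log_text):
    """Group the debug lines into one record per getRoles() call."""
    records, cur = [], None
    for line in log_text.splitlines():
        msg = line.split("]: ", 1)[-1]  # drop timestamp and realm prefix
        if m := PATTERNS["dn"].search(msg):
            cur = {"dn": m.group(1)}
            records.append(cur)
        elif cur is None:
            continue  # lines before the first getRoles() are not role lookups
        elif m := PATTERNS["base"].search(msg):
            cur["base"], cur["attr"] = m.groups()
        elif m := PATTERNS["filter"].search(msg):
            cur["filter"] = m.group(1)
        elif m := PATTERNS["count"].search(msg):
            cur["count"] = int(m.group(1))
    return records

def empty_lookups(log_text):
    """Lookups that completed with zero roles (authenticated, then denied)."""
    return [r for r in role_lookups(log_text) if r.get("count") == 0]

def ldapsearch_command(rec, url, scope="one"):
    """ldapsearch call repeating the lookup as the same user.
    scope="one" is an assumption: roleSubtree is not set in the Realm element."""
    argv = ["ldapsearch", "-x", "-H", url, "-D", rec["dn"], "-W",
            "-b", rec["base"], "-s", scope, rec["filter"], rec["attr"]]
    return " ".join(shlex.quote(a) for a in argv)

if __name__ == "__main__":
    for rec in empty_lookups(SAMPLE_LOG):
        print(ldapsearch_command(rec, "ldap://mainserv:389"))
```

If the printed command returns the group entries while Tomcat still logs zero roles, the difference lies in the connection or identity Tomcat uses for the role search rather than in the base or filter.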