In our central LDAP server, a lot of applications are grouped like this:
We do not define the roles as being unique in the whole tree, to make it easier
for the LDAP administrators to handle them. The users are mapped to the
application roles either directly or through an organisation group (analogous
to an application group, but for organisational purposes).
The problem I have is that GlassFish V2 doesn't allow the field definition of
the group to be the DN (which is the only thing different between app1/role1 and
app2/role1), and I can only input the cn (which in this case would be wrong,
giving users permissions they should not have). I think the problem is that the
DN is not something you can get as a field from the LDAP protocol but is a
special method call.
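To make the over-granting concrete, here is an added example (not part of the question, and not GlassFish code) that models the tree described above as a constructed in-memory directory: two groups share the cn `role1` and differ only in their DN, and one role is granted through a nested organisation group. The group and user DNs, the `ou=apps`/`ou=orgs` layout and the user names are all assumptions made for the example. It compares a cn-only membership check (the behaviour the question describes) with a full-DN check, so the wrong grant becomes visible without an LDAP server:

```python
"""Constructed example: matching LDAP groups by cn alone versus by full DN."""
from typing import Dict, List, Optional, Set

# Constructed sample directory (assumed layout, not taken from the question):
# group DN -> direct member DNs. A member may itself be a group, which models
# the "organisation group" mapping from the question.
DIRECTORY: Dict[str, List[str]] = {
    "cn=role1,ou=app1,ou=apps,dc=example,dc=org": ["uid=alice,ou=people,dc=example,dc=org"],
    "cn=role1,ou=app2,ou=apps,dc=example,dc=org": ["uid=bob,ou=people,dc=example,dc=org"],
    "cn=role2,ou=app1,ou=apps,dc=example,dc=org": ["cn=finance,ou=orgs,dc=example,dc=org"],
    "cn=finance,ou=orgs,dc=example,dc=org": ["uid=carol,ou=people,dc=example,dc=org"],
}


def normalize_dn(dn: str) -> str:
    """Lower-case and strip each RDN component so DN comparisons are not
    sensitive to case or whitespace differences between configurations."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def rdn_value(dn: str, attr: str = "cn") -> Optional[str]:
    """Return the value of the leading RDN if its attribute is `attr`, else None."""
    key, _, value = dn.split(",", 1)[0].partition("=")
    return value.strip() if key.strip().lower() == attr.lower() else None


def transitive_members(group_dn: str, directory: Dict[str, List[str]] = DIRECTORY) -> Set[str]:
    """All user DNs reachable from group_dn, expanding nested groups.
    A visited set keeps this safe against cyclic group memberships."""
    norm = {normalize_dn(g): [normalize_dn(m) for m in members]
            for g, members in directory.items()}
    seen: Set[str] = set()
    users: Set[str] = set()
    stack = [normalize_dn(group_dn)]
    while stack:
        current = stack.pop()
        if current in seen:
            continue
        seen.add(current)
        for member in norm.get(current, []):
            if member in norm:          # nested group: keep expanding
                stack.append(member)
            else:                       # leaf entry: a user
                users.add(member)
    return users


def has_role_by_cn(user_dn: str, role_cn: str,
                   directory: Dict[str, List[str]] = DIRECTORY) -> bool:
    """cn-only matching: true if the user belongs to ANY group whose cn equals
    role_cn, regardless of which application subtree that group lives in."""
    user = normalize_dn(user_dn)
    for group in directory:
        cn = rdn_value(group)
        if cn is not None and cn.lower() == role_cn.lower():
            if user in transitive_members(group, directory):
                return True
    return False


def has_role_by_dn(user_dn: str, role_dn: str,
                   directory: Dict[str, List[str]] = DIRECTORY) -> bool:
    """Full-DN matching: only membership in the exact intended group counts."""
    return normalize_dn(user_dn) in transitive_members(role_dn, directory)


if __name__ == "__main__":
    bob = "uid=bob,ou=people,dc=example,dc=org"
    app1_role1 = "cn=role1,ou=app1,ou=apps,dc=example,dc=org"
    print("cn-only check admits bob to app1/role1:", has_role_by_cn(bob, "role1"))
    print("DN check admits bob to app1/role1:    ", has_role_by_dn(bob, app1_role1))
```

Bob holds only `app2/role1`, yet the cn-only check reports him as having `role1`, which is exactly the unintended permission the question describes; the DN check rejects him while still resolving Carol's `app1/role2` through the nested `cn=finance` organisation group.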