3 Replies Latest reply on Aug 2, 2004 10:03 AM by conormac

    LdapLoginModule - How to support this ldap user schema?

    conormac

      Hi there,
      Here is my structure for users in my ldap server:

      o=mycompany
      |_ ou=AD
      |  |_ cn=user1
      |  |_ cn=user2
      |_ ou=IT
      |  |_ cn=user1
      |  |_ cn=user2
      |_ etc.....

      Notice that the ou is the same as the iso country name codes (i.e. AD=Andorra, IT=Italy). When using tomcat, this realm works for me:

      As you can see, I can do a user search for this user across numerous ou's (i.e. userSearch="(cn={0})"). However, I do not know how to do the equivalent in jboss. Here is my configuration so far in jboss, login-config.xml:

      <application-policy name="jmx-console">
        <login-module code="org.jboss.security.auth.spi.LdapLoginModule" flag="required">
          <module-option name="java.naming.factory.initial">com.sun.jndi.ldap.LdapCtxFactory</module-option>
          <module-option name="java.naming.provider.url">ldap://ldap.server.dns.name:ldap.server.dns.portNumber</module-option>
          <module-option name="java.naming.security.authentication">simple</module-option>
          <module-option name="principalDNPrefix">cn=</module-option>
          <module-option name="principalDNSuffix">,ou=AD,o=mycompany</module-option>
          <module-option name="matchOnUserDN">true</module-option>
          <!-- Don't have to worry about roles yet! -->
          <!--module-option name="rolesCtxDN">doLater</module-option>
          <module-option name="uidAttributeID">member</module-option>
          <module-option name="roleAttributeID">cn</module-option>
          <module-option name="hashAlgorithm">MD5</module-option-->
        </login-module>
      </application-policy>

      This works fine if the user is in the ou of AD, but not for users in the ou of IT :(. Does anyone know if I can do the above? Is my user schema supported by LdapLoginModule or will I have to write my own variation? If the former, how can I configure login-config.xml to do the same as I'm doing for tomcat?

      Any help/pointers appreciated; I am sure I'm not the only one that has users spread across numerous ou's, not just one ou.
      Best,
      Conor
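As an added example (not code from the post above or from JBoss), this is what the Tomcat realm's userSearch="(cn={0})" amounts to in plain JNDI: a subtree search from o=mycompany that finds the user's entry in whichever ou it lives, followed by a bind as the DN found, instead of gluing principalDNPrefix and principalDNSuffix around the login name. The server URL and port, the anonymous search, and the class and method names are assumptions, and the check for an empty password and for a cn present in more than one ou are the caveats a login module needs here.

```java
import java.util.Hashtable;
import javax.naming.*;
import javax.naming.directory.*;
/** Search-then-bind lookup, the way the Tomcat JNDIRealm userSearch works (added example). */
public class SubtreeUserLookup {
    static final String PROVIDER_URL = "ldap://ldap.server.dns.name:389";  // assumed placeholder
    static final String BASE_DN = "o=mycompany";                          // root of the tree in the post
    static final String USER_FILTER = "(cn={0})";                         // same filter as the Tomcat realm
    static Hashtable<String, String> env() {
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, PROVIDER_URL);
        return env;
    }
    /** DN of the single entry matching the user name anywhere under BASE_DN, or null. */
    static String findUserDn(String username) throws NamingException {
        DirContext ctx = new InitialDirContext(env());   // anonymous here; a read-only search account also works
        try {
            SearchControls sc = new SearchControls();
            sc.setSearchScope(SearchControls.SUBTREE_SCOPE);   // covers ou=AD, ou=IT, ...
            sc.setReturningAttributes(new String[0]);          // only the DN is needed
            // JNDI inserts {0} filter-escaped, so '*' or '(' in a login name cannot widen the filter.
            NamingEnumeration<SearchResult> results =
                ctx.search(BASE_DN, USER_FILTER, new Object[] { username }, sc);
            if (!results.hasMore()) return null;               // no such user
            String dn = results.next().getNameInNamespace();
            if (results.hasMore())                             // same cn in several ou's
                throw new NamingException("ambiguous user: " + username);
            return dn;
        } finally {
            ctx.close();
        }
    }
    /** Authenticates by binding as the DN found by the search. */
    static boolean authenticate(String username, String password) throws NamingException {
        String dn = findUserDn(username);
        // An empty password would turn the bind into an anonymous bind, never a login.
        if (dn == null || password == null || password.isEmpty()) return false;
        Hashtable<String, String> env = env();
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, dn);
        env.put(Context.SECURITY_CREDENTIALS, password);
        try {
            new InitialDirContext(env).close();                // bind succeeded
            return true;
        } catch (AuthenticationException e) {
            return false;
        }
    }
}
```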