Currently the roleBase attribute must be a fixed location in the directory. A simple change would allow the role base to be specified relative to the user DN.

My enhancement suggestion would change the roleBase definition as follows:

roleBase - the base entry for the role search. If not specified, the search base is the top level directory context. If specified, it may optionally include pattern replacements "{0}".."{n}" corresponding to the name parts of the user's distinguished name (as returned by javax.naming.Name.get()).

For example, in the <Realm> definition in server.xml you could specify the roleBase as:

    roleBase="ou=Groups,{1},{0}"

The majority of the code to accomplish this would be in JNDIRealm.getRoles() and could look like this:

    // Imports needed by the fragment below (JNDIRealm already uses javax.naming)
    import java.text.MessageFormat;
    import javax.naming.Name;
    import javax.naming.NameParser;
    import javax.naming.NamingEnumeration;

    // Inside JNDIRealm.getRoles(): roleBaseFormat is a MessageFormat built from the
    // configured roleBase (null when roleBase is not set), dn is the authenticated
    // user's distinguished name, and context, debug, log(), roleName, filter and
    // controls are the existing fields and locals of the method.
    String base = "";   // "" = search from the top level directory context
    if ( roleBaseFormat != null ) {
        NameParser np = context.getNameParser("");
        Name name = np.parse(dn);
        // Name.get(0) is the most significant (rightmost) part of the DN
        String nameParts[] = new String[name.size()];
        for ( int idx = 0 ; idx < name.size() ; idx++ )
            nameParts[idx] = name.get(idx);
        base = roleBaseFormat.format(nameParts);
    }

    // Perform the configured search and process the results
    if (debug >= 3) {
        log("  Searching role base '" + base + "'" +
            " for attribute '" + roleName + "'");
        log("  With filter expression '" + filter + "'");
    }
    NamingEnumeration results = context.search(base, filter, controls);

Thank You,
Art
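To show how the proposed substitution resolves for a concrete DN, here is an added, stand-alone example that is neither the patch above nor Tomcat's own code: it parses a user DN with javax.naming.ldap.LdapName and applies a MessageFormat role base the way the suggested getRoles() change would. The DN and the role base value are constructed for illustration.

```java
import java.text.MessageFormat;
import javax.naming.InvalidNameException;
import javax.naming.Name;
import javax.naming.ldap.LdapName;

public class RoleBaseFormatDemo {

    // Expand "{0}".."{n}" in roleBaseFormat with the parts of the user's DN,
    // mirroring the suggested JNDIRealm.getRoles() change (added example code).
    static String expandRoleBase(String roleBaseFormat, String dn)
            throws InvalidNameException {
        Name name = new LdapName(dn);   // stand-in for context.getNameParser("").parse(dn)
        String[] nameParts = new String[name.size()];
        for (int idx = 0; idx < name.size(); idx++) {
            // Name.get(0) is the MOST significant (rightmost) RDN, so for
            // cn=jdoe,ou=People,dc=example,dc=com: {0}=dc=com, {1}=dc=example,
            // {2}=ou=People, {3}=cn=jdoe
            nameParts[idx] = name.get(idx);
        }
        return new MessageFormat(roleBaseFormat).format(nameParts);
    }

    public static void main(String[] args) throws InvalidNameException {
        String dn = "cn=jdoe,ou=People,dc=example,dc=com"; // constructed sample DN
        // roleBase="ou=Groups,{1},{0}" as in the suggestion above
        String base = expandRoleBase("ou=Groups,{1},{0}", dn);
        // Sanity check before handing the base to a search: it must itself be a valid DN
        new LdapName(base);
        System.out.println(base);
    }
}
```

With the sample DN the printed base is ou=Groups,dc=example,dc=com, which is the point to keep in mind when writing the pattern: the indices count from the rightmost RDN, not from the user's own cn.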
Thanks for the suggestion. Sorry it took so long to get to. I have added this feature to 7.0.x and it will be included in 7.0.9 onwards.