Using Domino LDAP to authenticate against Glassfish Server
Saturday 23rd February, 2008
First the good news: it works!
The main information on how to set up an LDAP realm for your web application on Glassfish comes from Krishnan Viswanath's blog.
For a basic configuration it is necessary that your Domino LDAP schema supports the attribute "uid", which maps to the shortName. I think in all current Domino releases since 6.0 this attribute is supported per default in the LDAP schema. You can check this with an LDAP browser.
So to configure an LDAP realm in Glassfish using a Domino LDAP server, set the Directory param to your Domino server:
Directory: ldap://www.imixs.com:389
Next set the Base DN to your Organisation Unit
Base DN: O=MYCOMPANY
Now the authentication works! But there is a problem: you cannot authenticate against groups, which is really necessary in a JEE app.
The reason is that Domino organizes groups in the root of the LDAP tree, and the Glassfish configuration does not allow an empty Base DN or group-base-dn.
So the solution I used was to name all my access groups for Glassfish: GroupName/GROUP/MYCOMPANY. So the Base DN for groups becomes "OU=GROUP,O=MYCOMPANY".
So finally I added only these two additional parameters in my LDAP realm configuration:
group-base-dn: OU=GROUP,O=MYCOMPANY
group-search-filter: member=%d
The last parameter, "group-search-filter", is also very significant, as per default the member entries are expected in uniquemember, but in Domino the corresponding field is "member". And don't forget the "%d", which took me a long time....
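The group lookup described above, as a simplified Python model (an added example, not code from the original post or from Glassfish): it expands %d to the user's DN and matches group entries below group-base-dn. The user Jane Doe, the group names and the helper functions are constructed assumptions.

```python
# Simplified in-memory model of an LDAP realm's group search.
# All entries are constructed sample data, not output from a real Domino server.

def domino_to_dn(name):
    """Convert a Domino hierarchical name (Name/OU/O) to an LDAP DN."""
    parts = name.split("/")
    labels = ["CN"] + ["OU"] * (len(parts) - 2) + ["O"]
    return ",".join(f"{label}={part}" for label, part in zip(labels, parts))

def in_subtree(dn, base_dn):
    """True if dn equals base_dn or lies below it (case-insensitive)."""
    dn_rdns = [r.strip().lower() for r in dn.split(",")]
    base_rdns = [r.strip().lower() for r in base_dn.split(",")]
    return dn_rdns[-len(base_rdns):] == base_rdns

def find_groups(directory, group_base_dn, filter_template, user_dn):
    """Expand %d to the user's DN, then match group entries below the base."""
    expanded = filter_template.replace("%d", user_dn)
    attr, _, value = expanded.partition("=")
    groups = []
    for dn, attrs in directory.items():
        members = [m.lower() for m in attrs.get(attr.lower(), [])]
        if in_subtree(dn, group_base_dn) and value.lower() in members:
            groups.append(attrs["cn"][0])
    return sorted(groups)

USER_DN = domino_to_dn("Jane Doe/MYCOMPANY")  # constructed user
GROUP_BASE = "OU=GROUP,O=MYCOMPANY"
DIRECTORY = {
    domino_to_dn("Managers/GROUP/MYCOMPANY"): {"cn": ["Managers"], "member": [USER_DN]},
    domino_to_dn("Editors/GROUP/MYCOMPANY"): {"cn": ["Editors"], "member": [USER_DN]},
    # A flat Domino group sits at the root of the tree, outside any base DN.
    domino_to_dn("LocalAdmins"): {"cn": ["LocalAdmins"], "member": [USER_DN]},
}

def demo():
    """Run the same lookup with three different group-search-filter values."""
    return {
        # Default filter: Domino groups carry no uniquemember attribute.
        "default": find_groups(DIRECTORY, GROUP_BASE, "uniquemember=%d", USER_DN),
        # Filter from this post: matches Domino's member attribute.
        "domino": find_groups(DIRECTORY, GROUP_BASE, "member=%d", USER_DN),
        # %d forgotten: the user's DN never enters the filter.
        "no_placeholder": find_groups(DIRECTORY, GROUP_BASE, "member=", USER_DN),
    }

if __name__ == "__main__":
    for label, groups in demo().items():
        print(f"{label}: {groups}")
```

An empty result for a user who should have roles points at the filter attribute or the base DN rather than at the password check, which already succeeded before the group search runs.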