During installation, Public browse rights are granted on the Tomcat-Roles Organizational Unit. Tomcat first authenticates with the user-supplied username and password. If successful, it does an anonymous LDAP bind to discover if the user is authorized in the role. If there are no Public browse rights, the authorization fails.
For secure access to work, the following settings are required:
Public must be a trustee of Tomcat-Roles
On the Public trustee, the [All Attributes Rights] property must have Compare and Read rights. This must be inheritable.
On the Public trustee, the [Entry Rights] property must have Browse rights. This must also be inheritable.
If needed, you can relocate the Tomcat-Roles container so that it is available across a directory tree, or you can move it to a lower-level container.
To move the Tomcat-Roles container, move it as you do any other container, or you can re-create it as long as you maintain the correct rights. Then modify the server.xml and admin-tomcat.xml files to reflect the new location.
In sys:/tomcat/4/conf/server.xml, find the <Realm className="JNDIRealm"> tag. The tag includes an LDAP search string to match the users for authentication, and also for lookup of roles for authorization. {0} represents the user name supplied at login time. You can simply use {0} as the authentication string, requiring a fully-specified LDAP context to log in (for example, cn=admin,ou=myorg,o=mycompany), or you can specify the context of the users. This gives you a contextless login, though it requires all of the users to be in the same container. Because there is only one Tomcat-Roles container involved in the authorization process, this approach is more straightforward. Simply supply the path of the Tomcat-Roles container in the authorization search string, whether this container is tree-wide or in a container that is more specific to the individual server.
You can add additional roles to your NetWare server by simply adding additional groups with role names into the Tomcat-Roles OU. If you have existing Web applications that use role-based security, they will automatically work once you create the required role group and add members to it.