Question

I'm trying to implement ldapRealm on Glassfish 3.1. I can log in fine with the following configuration, however I haven't been able to get AD's group membership correctly. I followed group memberships in (AD) ldap Realm to include group-search-filter, but it's still not working.
Here's my web.xml:

<auth-realm name="ADREALM" classname="com.sun.enterprise.security.auth.realm.ldap.LDAPRealm">
    <property name="directory" value="ldap://domain.com:389"></property>
    <property name="search-filter" value="(&amp;(objectCategory=user)(sAMAccountName=%s))"></property>
    <property name="search-bind-dn" value="admin@domain.com"></property>
    <property description="null" name="base-dn" value="OU=CORP Users,DC=domain,DC=com"></property>
    <property name="group-search-filter" value="(&amp;(objectCategory=group)(member=%d))"></property>
    <property name="search-bind-password" value="password"></property>
    <property name="jaas-context" value="ldapRealm"></property>
</auth-realm>

I also added the following option to server-config > JVM

-Djava.naming.referral=follow  

Glassfish's log entry:

FINE: [Web-Security] hasUserDataPermission perm: (javax.security.jacc.WebUserDataPermission /j_security_check POST)
FINE: [Web-Security] hasUserDataPermission isGranted: true
FINEST: Processing login with credentials of type: class com.sun.enterprise.security.auth.login.common.PasswordCredential
FINE: Logging in user [kip] into realm: ADREALM using JAAS module: ldapRealm
FINE: Login module initialized: class com.sun.enterprise.security.auth.login.LDAPLoginModule
FINE: search: baseDN: OU=CORP Users,DC=domain,DC=com  filter: (&(objectCategory=user)(sAMAccountName=kip))
FINE: Found user DN: CN=Kipling,OU=IT,OU=CORP Users,DC=domain,DC=com
FINE: LDAP:Group search filter: (&(objectCategory=group)(member=CN=Kipling,OU=IT,OU=CORP Users,DC=domain,DC=com))
FINE: LDAP: Group memberships found: 
FINE: LDAP: login succeeded for: kip
FINE: JAAS login complete.
FINE: JAAS authentication committed.
FINE: Password login succeeded for : kip
FINE: Set security context as user: kip  

Notice that Group memberships found is empty. Please let me know if more information is needed.


Solution

Over the weekend, I figured out what was wrong with my ldapRealm configuration. Since I set my base-dn to the users OU branch and the group information is on a different OU branch, Glassfish couldn't find my groups' DN. (Too restrictive - also mentioned by one of SO's questions.) In order to get group-search-filter to work, I had to add an additional property to ldapRealm, which is group-base-dn for group data retrieval.

<property name="group-base-dn" value="OU=CORP Groups,DC=domain,DC=com"></property>

So, unless I set my base-dn to the basic DC=domain,DC=com, I have to include the group-base-dn property. Here's my final ldapRealm configuration:

<auth-realm name="ADREALM" classname="com.sun.enterprise.security.auth.realm.ldap.LDAPRealm">
    <property name="directory" value="ldap://domain.com:389"></property>
    <property name="jaas-context" value="ldapRealm"></property>
    <property name="base-dn" value="OU=CORP Users,DC=domain,DC=com" description="null"></property>
    <property name="search-filter" value="(&amp;(objectCategory=user)(sAMAccountName=%s))"></property>
    <property name="group-base-dn" value="OU=CORP Groups,DC=domain,DC=com"></property>
    <property name="group-search-filter" value="(&amp;(objectCategory=group)(member=%d))"></property>
    <property name="search-bind-dn" value="admin@domain.com"></property>
    <property name="search-bind-password" value="password"></property>
</auth-realm>  

I hope this can help anybody to configure ldapRealm. Thanks!

Attached Glassfish log:

FINE: search: baseDN: OU=CORP Users,DC=domain,DC=com  filter: (&(objectCategory=user)(sAMAccountName=kip))
FINE: Found user DN: CN=Kipling,OU=IT,OU=CORP Users,DC=domain,DC=com
FINE: LDAP:Group search filter: (&(objectCategory=group)(member=CN=Kipling,OU=IT,OU=CORP Users,DC=domain,DC=com))
FINE: LDAP: Group memberships found:  Application Administrators
FINE: LDAP: login succeeded for: kip
FINE: JAAS login complete.
FINE: JAAS authentication committed.
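To see why the first configuration found no groups, here is an added Python example (not from the question, the answer, or Glassfish's own code) that mimics how a realm expands its %s / %d placeholders and checks which base DN a given DN falls under. The group DN CN=Application Administrators,OU=CORP Groups,DC=domain,DC=com is constructed from the group name in the log, and RFC 4515 escaping of the substituted DN is an assumption about what a realm should do, not something the page shows.

```python
# Added example (not the question's, the answer's, or Glassfish's own code):
# mimics how an LDAP realm expands its %s / %d placeholders and checks whether
# a DN lies under a given base DN. The realm's real escaping rules are not
# shown on the page, so RFC 4515 escaping here is an assumption.

USERS_BASE = "OU=CORP Users,DC=domain,DC=com"
GROUPS_BASE = "OU=CORP Groups,DC=domain,DC=com"
USER_FILTER = "(&(objectCategory=user)(sAMAccountName=%s))"
GROUP_FILTER = "(&(objectCategory=group)(member=%d))"
USER_DN = "CN=Kipling,OU=IT,OU=CORP Users,DC=domain,DC=com"
# Constructed group DN: the log only shows the group name "Application Administrators".
GROUP_DN = "CN=Application Administrators,OU=CORP Groups,DC=domain,DC=com"


def ldap_escape(value: str) -> str:
    """Escape a value for use inside an LDAP search filter (RFC 4515)."""
    return "".join(
        "\\%02x" % ord(ch) if ch in "\\*()\x00" else ch for ch in value
    )


def expand_filter(template: str, placeholder: str, value: str) -> str:
    """Substitute the realm placeholder (%s or %d) with an escaped value."""
    return template.replace(placeholder, ldap_escape(value))


def dn_rdns(dn: str) -> list:
    """Split a DN into normalised RDNs (no escaped commas in these DNs)."""
    return [rdn.strip().lower() for rdn in dn.split(",")]


def dn_under_base(dn: str, base: str) -> bool:
    """True if `dn` sits at or below `base` in the directory tree."""
    d, b = dn_rdns(dn), dn_rdns(base)
    return len(d) >= len(b) and d[-len(b):] == b


def group_lookup_scope(group_dn: str, base_dn: str, group_base_dn: str = None) -> bool:
    """Reproduce the answer's finding: without group-base-dn the group search
    is scoped to base-dn, so a group in another OU is simply out of scope."""
    return dn_under_base(group_dn, group_base_dn or base_dn)


if __name__ == "__main__":
    print(expand_filter(USER_FILTER, "%s", "kip"))
    print(expand_filter(GROUP_FILTER, "%d", USER_DN))
    print("without group-base-dn:", group_lookup_scope(GROUP_DN, USERS_BASE))
    print("with group-base-dn:   ", group_lookup_scope(GROUP_DN, USERS_BASE, GROUPS_BASE))
```

Running it reproduces both log lines' filters and shows the group DN is outside OU=CORP Users but inside OU=CORP Groups (or the bare DC=domain,DC=com).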

OTHER TIPS

objectClass=Group, not objectCategory=group in your search filter.

Licensed under: CC-BY-SA with attribution