Thank you Ben, it works. Here's what I did. In the auth server, I declared our corporate LDAP directory, where the CNs are consistent with ACE usernames. I set the base DN and the filter to get the user entry, and also the base DN, the filter and the name of the member attribute to get the group membership of the user. My Java LDAP browser was very helpful. In the target user realm's General tab, I declared my ACE server as the authentication server and my LDAP server as the directory/attribute server. Then in the Role Mapping tab I was able to select "Group membership" in the "rule based on" combo box. By pressing the "Groups..." button and then the "Search..." button in the popup, I was able to select the ad-hoc LDAP group that my LDAP admin created. Then I selected the role for that role-mapping rule. The test with the ad-hoc user worked as expected (well). The policy tracing confirmed that the group membership is determined by querying the LDAP server.
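The two directory lookups the poster configured (find the user entry under one base DN, then find the groups under another base DN whose member attribute names that user's DN) can be walked through offline. The following is an added example, not the poster's configuration or the appliance's code; the directory contents, base DNs, attribute names (`uid`, `member`) and role map are all constructed. It applies RFC 4515 escaping to the username before it is placed in the filter, which is the check a practitioner would want on any user-supplied value that ends up in an LDAP search.

```python
import re
from typing import Dict, List, Optional

# Constructed in-memory stand-in for the corporate LDAP directory.
DIRECTORY: Dict[str, Dict[str, List[str]]] = {
    "uid=jdoe,ou=people,dc=example,dc=com": {"objectClass": ["inetOrgPerson"], "uid": ["jdoe"]},
    "uid=asmith,ou=people,dc=example,dc=com": {"objectClass": ["inetOrgPerson"], "uid": ["asmith"]},
    "cn=vpn-users,ou=groups,dc=example,dc=com": {
        "objectClass": ["groupOfNames"],
        "member": ["uid=jdoe,ou=people,dc=example,dc=com"],  # the ad-hoc group
    },
}
USER_BASE = "ou=people,dc=example,dc=com"    # assumed user base DN
GROUP_BASE = "ou=groups,dc=example,dc=com"   # assumed group base DN
ROLE_MAP = {"cn=vpn-users,ou=groups,dc=example,dc=com": "Remote-Users"}  # assumed rule

def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping so a username cannot change the filter's structure."""
    return "".join(f"\\{ord(c):02x}" if c in "\\*()\0" else c for c in value)

def _unescape(value: str) -> str:
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)

def matches(entry: Dict[str, List[str]], filt: str) -> bool:
    """Minimal evaluator for '(attr=value)' and '(&(a=b)(c=d))' filters (no wildcards)."""
    if filt.startswith("(&"):
        return all(matches(entry, p) for p in re.findall(r"\([^()]*\)", filt[2:-1]))
    attr, value = filt[1:-1].split("=", 1)
    return _unescape(value) in entry.get(attr, [])

def search(base_dn: str, filt: str) -> List[str]:
    """Subtree search: return the DNs under base_dn whose entry matches the filter."""
    return [dn for dn, e in DIRECTORY.items() if dn.endswith(base_dn) and matches(e, filt)]

def find_user_dn(username: str) -> Optional[str]:
    """Step 1: the user-entry lookup; exactly one hit is required."""
    hits = search(USER_BASE, f"(uid={escape_filter_value(username)})")
    return hits[0] if len(hits) == 1 else None

def groups_of(user_dn: str) -> List[str]:
    """Step 2: the group-membership lookup via the member attribute."""
    return search(GROUP_BASE, f"(&(objectClass=groupOfNames)(member={escape_filter_value(user_dn)}))")

def map_role(username: str) -> Optional[str]:
    """Role-mapping rule based on group membership, as in the realm's Role Mapping tab."""
    user_dn = find_user_dn(username)
    if user_dn is None:
        return None
    return next((ROLE_MAP[g] for g in groups_of(user_dn) if g in ROLE_MAP), None)
```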