The "userPrincipalName" attribute is used for login and for querying user roles. It is built by concatenating the username and a principal suffix. Large ActiveDirectory installations may use multiple user principal name suffixes. For such scenarios, OntoBroker 6.1 now supports a list of user principal name suffixes. In this case, the configuration for the ActiveDirectory realm may look like this:
<!-- ActiveDirectory realm: the nested ldapContextFactory bean opens the directory
     connection, the outer bean resolves group membership to roles. -->
<bean id="ActiveDirectory" class="com.ontoprise.security.realm.ActiveDirectoryExRealm">
<property name="ldapContextFactory">
<bean class="com.ontoprise.security.realm.AdLdapContextFactory">
<property name="searchBase"><value>dc=mycompany,dc=com</value></property>
<!-- Service account used for the directory bind. The password is stored in cleartext
     in this file: restrict read access to the file and use a dedicated, least-privilege
     (read-only) directory account rather than a domain administrator. -->
<property name="systemUsername"><value>admin</value></property>
<property name="systemPassword"><value>admin</value></property>
<!-- Each suffix is appended to the supplied username to form the userPrincipalName
     used for login (see the text above). -->
<property name="principalSuffixList">
<list>
<value>@ads.mycompany.com</value>
<value>@ads2.mycompany.com</value>
</list>
</property>
<!-- ldap:// on port 389 sends the bind credentials above and all queries unencrypted.
     NOTE(review): prefer ldaps:// (636) or StartTLS; confirm the context factory
     accepts an ldaps URL before changing this. -->
<property name="url"><value>ldap://domaincontroller.mycompany.com:389/</value></property>
</bean>
</property>
<!-- search base for groups -->
<property name="searchBase"><value>OU=Karlsruhe,DC=ads,DC=mycompany,DC=com</value></property>
<!-- Presumably maps a group's distinguished name (key) to the role name (value) granted
     to its members. NOTE(review): confirm whether DN comparison is case-sensitive and
     whitespace-sensitive, since a mismatch silently grants no role. -->
<property name="groupRolesMap"><map>
<entry key="CN=group1,OU=Karlsruhe,DC=ads,DC=mycompany,DC=com" value="group1"/>
<entry key="CN=group2,OU=Karlsruhe,DC=ads,DC=mycompany,DC=com" value="group2"/>
</map></property>
</bean>