Security role mapping from AD groups to GlassFish roles
I use a GlassFish application server and authenticate over Active Directory. Here is my ldapRealm:
JAAS Context: ldapRealm
Directory: ldap://server:389
Base DN: ou=group,dc=company-ps,dc=com
Assign Groups: authorized
group-search-filter: (&(objectClass=group)(member=%d))
I also specified search-filter, search-bind-dn and search-bind-password, but these values are not important because my authentication works.
What is not working is my mapping from the AD groups to the roles in my sun-application.xml:
<security-role-mapping>
<role-name>authorized</role-name>
<group-name>???</group-name>
</security-role-mapping>
My question is now:
What do I have to write instead of the ???? I tried many things. I used the DN of the groups (something like CN=groupName,OU=Organizational Unit, DC=,...) and only the group name, but nothing worked.
What am I doing wrong?
Ok, I found my mistake. The base-dn is used for the group search by default and this was too restrictive. Now it works.
Matthias
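
Added example, not part of the original post: a small Python model of how the base DN scopes the group search, so that groups outside it never reach the role mapping. The directory entries, DNs, mapped group and helper names are constructed, and it assumes the group name handed to the mapping is the group's CN.

```python
# Constructed sample directory (not from the original post): DN -> attributes.
ALICE = "cn=alice,ou=people,dc=example,dc=com"
DIRECTORY = {
    ALICE: {"objectClass": ["user"]},
    "cn=app-users,ou=group,dc=example,dc=com": {
        "objectClass": ["group"], "member": [ALICE]},
    "cn=admins,ou=security,dc=example,dc=com": {
        "objectClass": ["group"], "member": [ALICE]},
}

def in_subtree(dn, base_dn):
    """True if dn equals base_dn or lies below it (subtree search scope)."""
    dn, base_dn = dn.lower(), base_dn.lower()
    return dn == base_dn or dn.endswith("," + base_dn)

def group_names(user_dn, group_base_dn):
    """Emulate (&(objectClass=group)(member=%d)) below group_base_dn.

    Returns the CN of every matching group. Assumption: the CN is the
    group name used for role mapping. DN parsing is naive (no escaped
    commas), which is enough for the constructed data above.
    """
    names = []
    for dn, attrs in DIRECTORY.items():
        if not in_subtree(dn, group_base_dn):
            continue  # outside the search base: never seen by the realm
        if ("group" in attrs.get("objectClass", [])
                and user_dn in attrs.get("member", [])):
            names.append(dn.split(",", 1)[0].split("=", 1)[1])
    return sorted(names)

def roles_for(groups, role_mapping):
    """Apply a role -> [group-name, ...] mapping to the found groups."""
    return sorted(role for role, mapped in role_mapping.items()
                  if set(mapped) & set(groups))

# Hypothetical mapping: role "authorized" is granted to group "admins".
ROLE_MAPPING = {"authorized": ["admins"]}

if __name__ == "__main__":
    for base in ("ou=group,dc=example,dc=com", "dc=example,dc=com"):
        groups = group_names(ALICE, base)
        print(base, "->", groups, "->", roles_for(groups, ROLE_MAPPING))
```

With the narrow base the user authenticates but ends up with no mapped role; widening the group search base makes the same mapping take effect.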