The url-pattern you used in your security-constraint is relative to the context root.
So you have protected /ldap/ldap/*, but I don't think /ldap/* is protected. Maybe that is what you intended.
In any event, I would expect you to be able to access /ldap without authenticating, in which case request.getUserPrincipal() would return null.
Also, in your principal2Role mapping you have attempted to map the Group "*" to the role "Users". I don't think that will work. You will need to provide the name of the group you want to be mapped to the role.
You might find the following posting useful.
http://blogs.sun.com/monzillo/date/20080115
Ron
[Message sent by forum member 'monzillo' (monzillo)]
http://forums.java.net/jive/thread.jspa?messageID=272318
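An added illustration of the two points above (not from the original thread or the poster): a web.xml constraint written relative to an assumed context root of /ldap, and a sun-web.xml role mapping that names a concrete group instead of "*". The context root, realm name and the group name ldap-users are placeholders.

```xml
<!-- web.xml, deployed with context root /ldap (assumed).
     url-pattern is matched after the context root, so a pattern of
     /ldap/* here would only protect /ldap/ldap/*, leaving /ldap open. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>LDAP pages</web-resource-name>
    <!-- everything under the context root, i.e. /ldap/... -->
    <url-pattern>/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>Users</role-name>
  </auth-constraint>
  <user-data-constraint>
    <!-- credentials and session cookies only over TLS -->
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>
<login-config>
  <auth-method>FORM</auth-method>
  <realm-name>ldapRealm</realm-name>   <!-- placeholder realm name -->
  <form-login-config>
    <form-login-page>/login.jsp</form-login-page>
    <form-error-page>/login-error.jsp</form-error-page>
  </form-login-config>
</login-config>
<security-role>
  <role-name>Users</role-name>
</security-role>

<!-- sun-web.xml: a named group maps to the role; "*" is not a group name.
     ldap-users is a placeholder for the real group in the LDAP realm. -->
<sun-web-app>
  <security-role-mapping>
    <role-name>Users</role-name>
    <group-name>ldap-users</group-name>
  </security-role-mapping>
</sun-web-app>
```

With this in place an unauthenticated request to /ldap is redirected to the login page rather than served, and request.getUserPrincipal() is non-null on every page under the constraint.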