OK, I guess if you wanted to map an LDAP group to the admin role, then yes, you should modify it in sun-web.xml. But then the reason it may not be working is because the authorization policies for the admin-app have not been regenerated after all your changes.
You would have to redeploy the admin app after your changes to force regeneration of the policies.
The policy file will be located in: glassfish\domains\domain1\generated\policy\adminapp\adminapp\granted.policy
If you look, by default it would have a grant statement only for the group named "asadmin".
So if for some reason you are unable to force a redeploy of the adminapp, then you can actually edit the granted.policy file and add a second grant ... { } for the LDAP group. The contents could be an identical copy of the contents for the "asadmin" group.
[Message sent by forum member 'kumarjayanti' (kumarjayanti)]
http://forums.java.net/jive/thread.jspa?messageID=328126
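
An added example, not part of the forum post or of GlassFish: after hand-editing granted.policy as described above, a small audit can confirm that the copied grant really matches the "asadmin" one and that no other principal has been granted access. The sample policy text, the principal class name, the permissions and the group name "ldap-admins" are constructed assumptions; point the parser at the real file to use it.

```python
import re

# Constructed sample in Java policy syntax. The principal class name and the
# permissions are assumptions, not copied from a real granted.policy.
SAMPLE_POLICY = '''
grant principal com.sun.enterprise.deployment.Group "asadmin" {
    permission javax.security.jacc.WebResourcePermission "/*", "GET,POST";
    permission javax.security.jacc.WebUserDataPermission "/*";
};

grant principal com.sun.enterprise.deployment.Group "ldap-admins" {
    permission javax.security.jacc.WebResourcePermission "/*", "GET,POST";
};
'''

# Matches single-principal grant blocks only; the class name is not interpreted.
GRANT_RE = re.compile(r'grant\s+principal\s+\S+\s+"([^"]+)"\s*\{(.*?)\}\s*;',
                      re.DOTALL)

def parse_grants(text):
    """Return {principal name: set of whitespace-normalised permission lines}."""
    grants = {}
    for name, body in GRANT_RE.findall(text):
        perms = {" ".join(line.split()) for line in body.splitlines()
                 if line.strip().startswith("permission")}
        grants.setdefault(name, set()).update(perms)
    return grants

def audit(text, reference="asadmin", expected=("asadmin", "ldap-admins")):
    """Report principals outside `expected`, expected ones that are missing,
    and expected ones whose permissions differ from the reference grant."""
    grants = parse_grants(text)
    ref = grants.get(reference, set())
    report = {"unexpected": sorted(set(grants) - set(expected)),
              "missing": sorted(set(expected) - set(grants)),
              "drift": {}}
    for name in expected:
        if name in grants and grants[name] != ref:
            report["drift"][name] = {"lacks": sorted(ref - grants[name]),
                                     "extra": sorted(grants[name] - ref)}
    return report

if __name__ == "__main__":
    import pprint
    pprint.pprint(audit(SAMPLE_POLICY))
```

An "extra" entry is the one to look at first, since it means the hand-added group holds a permission the default admin group does not.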