Lotus Domino
<Realm className="org.apache.catalina.realm.JNDIRealm"
       debug="99"
       connectionURL="ldap://ldap.company.com:389"
       roleSearch="(member={0})"
       roleName="cn"
       userSearch="(cn={0})" />
Oracle Internet Directory (OID)
<Realm className="org.apache.catalina.realm.JNDIRealm"
       debug="99"
       connectionURL="ldap://ldap.company.com:389"
       roleBase="cn=Groups,dc=company,dc=com"
       roleSearch="(uniquemember={0})"
       roleName="cn"
       userBase="cn=Users,dc=company,dc=com"
       userSearch="(uid={0})" />
Microsoft Active Directory
<Realm className="org.apache.catalina.realm.JNDIRealm"
       debug="99"
       connectionURL="ldap://ldap.company.com:3268"
       authentication="simple"
       referrals="follow"
       connectionName="cn=LDAPUser,ou=Service Accounts,dc=company,dc=com"
       connectionPassword="VerySecretPassword"
       userSearch="(sAMAccountName={0})"
       userBase="dc=company,dc=com"
       userSubtree="true"
       roleSearch="(member={0})"
       roleName="cn"
       roleSubtree="true"
       roleBase="dc=company,dc=com" />
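Port 3268 connects to the Active Directory global catalog. This is important because a connection on port 389 might throw errors when it receives referrals (the server sends a referral to ldap://company.com:389). With the global catalog port we don't have to change anything in /etc/hosts.
The examples above connect over plain ldap://, so bind passwords and search results cross the network unencrypted. For a reference on startTLS, see Self:JNDI_startTLs_HowTo.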
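A configuration check for the realm definitions above, as an added example that is not part of the original page or of Tomcat: it parses `Realm` elements and reports plain `ldap://` connections, a `connectionPassword` stored in the file, and Active Directory style realms left on port 389. The finding names, the `audit_realms` function and the second sample realm are assumptions made for this example.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Constructed sample: the Active Directory realm from this page, plus a
# constructed variant of it that stays on port 389.
SAMPLE = """<Server>
  <Realm className="org.apache.catalina.realm.JNDIRealm"
         connectionURL="ldap://ldap.company.com:3268"
         authentication="simple" referrals="follow"
         connectionName="cn=LDAPUser,ou=Service Accounts,dc=company,dc=com"
         connectionPassword="VerySecretPassword"
         userSearch="(sAMAccountName={0})" userBase="dc=company,dc=com" />
  <Realm className="org.apache.catalina.realm.JNDIRealm"
         connectionURL="ldap://ldap.company.com:389"
         userSearch="(sAMAccountName={0})" userBase="dc=company,dc=com" />
</Server>"""

JNDI_REALM = "org.apache.catalina.realm.JNDIRealm"


def audit_realms(xml_text):
    """Return (connectionURL, finding) pairs for every JNDIRealm in xml_text."""
    findings = []
    for realm in ET.fromstring(xml_text).iter("Realm"):
        if realm.get("className") != JNDI_REALM:
            continue
        url = realm.get("connectionURL", "")
        parsed = urlparse(url)
        # Plain ldap:// carries binds and searches unencrypted unless
        # StartTLS is configured separately.
        if parsed.scheme == "ldap":
            findings.append((url, "cleartext-ldap"))
        # The service account password sits in server.xml as plain text.
        if realm.get("connectionPassword") is not None:
            findings.append((url, "password-in-server-xml"))
        # Heuristic (assumption): a sAMAccountName search means Active Directory,
        # where port 389 can return referrals; 3268 is the global catalog.
        port = parsed.port or (636 if parsed.scheme == "ldaps" else 389)
        if "samaccountname" in realm.get("userSearch", "").lower() and port == 389:
            findings.append((url, "ad-port-389-referrals"))
    return findings


if __name__ == "__main__":
    for url, finding in audit_realms(SAMPLE):
        print(f"{url}: {finding}")
```
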