Several points in no particular order.
1) The realm name is indeed only important for basic authentication.
2) How to set up a realm in
Tomcat is described in the docs. For LDAP you need a
JNDIRealm.
3) What good is an LDAP server if it doesn't let you assign multiple roles to a user? I'd suggest rechecking that with the admin and making clear that that is a requirement.
4) It is possible to have multiple security-constraints, but I don't think you can have more than one login-config. So there wouldn't be a need to associate a login-config to a security-constraint, because there can only ever be a single one.
5) If setting up LDAP properly isn't possible, you could roll your own Realm, which accesses both LDAP and some other source where you define any additional roles. On the above-linked page, the last paragraph of the "What is a Realm" section briefly outlines how to go about that, and of course the source code for all Tomcat realms is available for study.
[ October 20, 2005: Message edited by: Ulf Dittmer ]