See: https://jira.jboss.org/jira/browse/JBAS-2681 and more particularly: https://jira.jboss.org/jira/secure/attachment/12330504/ldapextpatch I originally wrote the LdapExtLoginModule in a hurry for a client and it had stacking, scott stark refactored and committed it. Then I guess stacking was broken at some point or someone didn't understand the configuration details for making it work. This patch adds some new features mainly so that I can use Microsoft's certificate server with Microsofts active directory. It adds back stacking (or basically "don't authenticate mode" so long as the username IS the DN (which is how I think it worked before) and allows you to munge a bit off the DN (because Microsoft's certs have a principal that doesn't match AD). I can't provide a very decent test case because you have to buy a bunch of stuff to even attempt to run it, but I've tested it on 4.3. The bug details how. Let me know if anyone has any objections, suggestions or improvements. If not I'll commmit to whatever is the active branch. Thanks, Andy View the original post : http://www.jboss.org/index.html?module=bb&op=viewtopic&p=4268401#... Reply to the post : http://www.jboss.org/index.html?module=bb&op=posting&mode=reply&a...