"kukeltje" wrote : The IdentityService is an interface as are Identity, User, Group and Membership. So I can easily implement my own LDAPIdentityService. Great... That is not the intention. And I believe it would be very hard to do. The main problems I see with a generic identity interface for DB & LDAP are : 1) For DB/hibernate you can use lazy loading and hibernate proxies. So you can easily navigate the plain object model. In LDAP, you typically have navigation methods as part of your session facade. 2) In situations as described in 1) and others, the session facade will be a compromise. Users have either a DB or an LDAP in their environment. So they don't want to take the compromise as for them, they want full access and power of either the DB or the LDAP solution. This discussion is interesting as inside of JBoss, there is an initiative to define exactly that identity interface with the DB and LDAP implementations. I will keep an eye on that to see what kind of compromise they will come up with. For the time being, we'll focus on a DB backed interface. View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=4154933#... Reply to the post : http://www.jboss.com/index.html?module=bb&op=posting&mode=reply&a...