Apart from some small code areas to tidy up, I have one area that still needs to be decided
before we can release the first GA.
The implementation of the login module requires an LDAP login module to be chained so that
the LDAP login module can perform the roles search.
Our existing login modules were not really up to the job for this, so the JBoss Negotiation
project now contains a new login module:
org.jboss.security.negotiation.AdvancedLdapLoginModule
https://jira.jboss.org/jira/browse/SECURITY-133
This new login module no longer extends the 'UsernamePasswordLoginModule' as it
was this design pattern that was making using this login module for just role searches
difficult.
The new login module is very similar to the 'LdapExtLoginModule'; the roles search
is subtly different from the 'LdapExtLoginModule' roles search, but I could modify
this to be compatible if needed. In addition to this, the new login module can
authenticate itself against LDAP using GSSAPI and a local keytab.
The questions are:
Are we happy to have a third LDAP login module?
Where should it live? Although the JBoss Negotiation project was the driving need for
this module there is no reason for the module itself to be part of JBoss Negotiation.