We do want to refactor the login modules to only be focused on authentication with roles coming from an authorization phase. For legacy compatibility they still need to be able to pull in the roles where that capability exists. Have you tested the sasl with an ldap server that supports it? I would't think that this could be integrated at the login module level since it tends to come in at the jndi level. View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=4028019#... Reply to the post : http://www.jboss.com/index.html?module=bb&op=posting&mode=reply&a...