Scott this is similar to what we here (http://www.jboss.com/index.html?module=bb&op=viewtopic&t=69569&am...) in UserRolesLoginModule (which allowed you to check the incoming PWD against MD5HEX[PWD+SharedSecret]). This is sorta the reverse since the password is used to hash the secret. If you look here: http://www.faqs.org/rfcs/rfc2222.html at their IMAP example. Supposing that a JBoss login module provides the user/password then w/o exposing user/password up the stack, this allows you to use the login module to authenticate w/sasl using any of the existing JBoss login modules. Allowing JBoss to authenticate to LDAP w/sasl is an othogonal concern (probably more suited to later extension of what is presently the LdapExtLoginModule thingy). Dos that make sense? View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=4028516#... Reply to the post : http://www.jboss.com/index.html?module=bb&op=posting&mode=reply&a...