Hi,
I have developed a new LDAP Login Module with functionality comparable to the
org.jboss.security.SimpleGroup.LdapLoginModule.
The org.jboss.security.SimpleGroup.LdapLoginModule did a good job, but when I tried to
configure my IBM Lotus Domino Server with this module I ran into some problems.
The first was that I could not configure it so that the user authenticates with a UserID but
the CallerPrincipal is the distinguished name of the user. This is needed if you are
implementing an application with business logic that needs the "real" name of
the user and not the login name when calling getCallerPrincipal(). Maybe this is a special
functionality of IBM Lotus Domino LDAP that you can log in with different names (?).
The second problem was that the LdapLoginModule only returns Roles (Groups) of which the user
is a member, but not Groups which are encapsulated. E.g. the user is a member of "Group
A" and "Group A" is a member of "Group B". So you get only
"Group A" in the Roles Set but not "Group B".
I implemented the new Login Module org.imixs.jboss.security.LdapLoginModuleExt.
This class addresses these two issues and works perfectly with the Lotus Domino LDAP
Directory. I think this module can be an alternative to the
org.jboss.security.auth.spi.LdapLoginModule.
I documented the Code at:
http://www.imixs.org/websites/imixs-org.nsf/chapter/0300.0100.0020.?OpenD...
and posted the source code also at:
http://www.imixs.org/websites/imixs-org.nsf/chapter/0100.0042./$file/org....
There are some issues I could not implement (like the decode function, which is protected
in the org.jboss.security.auth.spi package).
Let me know if this Login module is of interest for you.
Ralph
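
The two behaviours described in the post (the DN as caller principal, and roles that include nested groups), as an added example that is not part of the original post and is not the source of org.imixs.jboss.security.LdapLoginModuleExt. It assumes a constructed in-memory directory in place of LDAP searches; the class name, the sample DNs and the extra groups C, D and E are hypothetical. It also goes one step beyond the post by guarding against cyclic group nesting, which would otherwise make role resolution loop forever.

```java
import java.util.*;

// Added illustration; not the source of org.imixs.jboss.security.LdapLoginModuleExt.
public class NestedGroupRoles {

    // Constructed sample directory: group name -> member entries (user DNs or group names).
    static final Map<String, List<String>> GROUPS = Map.of(
        "Group A", List.of("CN=Jane Doe,O=Example"),
        "Group B", List.of("Group A"),
        "Group C", List.of("Group B", "Group D"),
        "Group D", List.of("Group C"),             // cycle: C and D contain each other
        "Group E", List.of("CN=Other User,O=Example"));

    // Constructed sample mapping: login UserID -> distinguished name.
    static final Map<String, String> USER_DN = Map.of("jdoe", "CN=Jane Doe,O=Example");

    /** Groups that list the given entry (a user DN or a group name) as a direct member. */
    static Set<String> directGroups(String member) {
        Set<String> result = new TreeSet<>();
        for (Map.Entry<String, List<String>> g : GROUPS.entrySet()) {
            if (g.getValue().contains(member)) {
                result.add(g.getKey());
            }
        }
        return result;
    }

    /** Direct and nested groups of the user; already-seen groups are not expanded again. */
    static Set<String> resolveRoles(String userDn) {
        Set<String> roles = new TreeSet<>();
        Deque<String> pending = new ArrayDeque<>(directGroups(userDn));
        while (!pending.isEmpty()) {
            String group = pending.pop();
            if (roles.add(group)) {                // true only on the first visit
                pending.addAll(directGroups(group));
            }
        }
        return roles;
    }

    public static void main(String[] args) {
        String dn = USER_DN.get("jdoe");           // principal is the DN, not the login name
        System.out.println("principal = " + dn);
        System.out.println("roles     = " + resolveRoles(dn));
    }
}
```

Because every parent group becomes a role, write access to any group in the chain is effectively write access to the roles above it, which is worth reviewing when nested resolution is switched on.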