Hello Ashutosh and thanks for the replies.
After a lot of trial and error I have made it work with the following application policy.
<!-- Application policy for ActiveDirectory -->
<application-policy name="ActiveDirectory">
  <authentication>
    <login-module code="org.jboss.security.auth.spi.LdapExtLoginModule" flag="required">
      <module-option name="java.naming.provider.url">ldap://ldaphost:389/</module-option>
      <module-option name="bindDN">CN=xxx,OU=xxx,DC=xxx,DC=xxx</module-option>
      <module-option name="bindCredential">xxx</module-option>
      <module-option name="baseCtxDN">OU=Users,OU=xxx,OU=xxx,DC=xxx,DC=xxx</module-option>
      <module-option name="baseFilter">(sAMAccountName={0})</module-option>
      <module-option name="rolesCtxDN">OU=Groups,OU=xxx,OU=xxx,DC=xxx,DC=xxx</module-option>
      <module-option name="roleFilter">(member={1})</module-option>
      <module-option name="roleAttributeID">CN</module-option>
      <module-option name="allowEmptyPasswords">false</module-option>
    </login-module>
    <login-module code="org.jboss.security.auth.spi.RoleMappingLoginModule" flag="required">
      <module-option name="password-stacking">useFirstPass</module-option>
      <module-option name="rolesProperties">props/roles.properties</module-option>
    </login-module>
  </authentication>
</application-policy>
The file roles.properties contains the mapping of AD groups to roles. This way I can map the application policy to be used in jboss-web.xml for the different apps (and admin/jmx-console) without having to edit the names of the application roles.
I have not, however, managed to map single users to roles, only groups, so I might look into the other module you posted.
Thanks for your help.
BTW allowEmptyPasswords is NASTY! :D
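As an added illustration (not code from this thread or from JBoss), here is a Python model of what the two login modules in the policy above do in sequence, using a constructed in-memory directory and a constructed roles.properties in place of AD. It also shows why allowEmptyPasswords matters: AD treats a simple bind with an empty password as an unauthenticated bind that succeeds, so the check has to happen before the bind.

```python
BASE_CTX_DN = "OU=Users,OU=x,DC=example,DC=com"    # baseCtxDN from the policy (constructed values)
ROLES_CTX_DN = "OU=Groups,OU=x,DC=example,DC=com"  # rolesCtxDN from the policy (constructed values)

# Constructed stand-in for the AD tree: DN -> attributes. Not a real directory.
DIRECTORY = {
    "CN=alice," + BASE_CTX_DN: {"sAMAccountName": ["alice"], "userPassword": ["s3cret"]},
    "CN=bob," + BASE_CTX_DN: {"sAMAccountName": ["bob"], "userPassword": ["hunter2"]},
    "CN=Web Admins," + ROLES_CTX_DN: {"member": ["CN=alice," + BASE_CTX_DN]},
    "CN=Staff," + ROLES_CTX_DN: {"member": ["CN=alice," + BASE_CTX_DN, "CN=bob," + BASE_CTX_DN]},
}

# Constructed roles.properties as RoleMappingLoginModule reads it: AD group -> application roles.
ROLES_PROPERTIES = "Web Admins=JBossAdmin,HttpInvoker\nStaff=user\n"

def parse_roles_properties(text):
    mapping = {}
    for line in text.splitlines():
        if "=" in line and not line.startswith("#"):
            group, roles = line.split("=", 1)
            mapping[group.strip()] = [r.strip() for r in roles.split(",") if r.strip()]
    return mapping

def search(base_dn, attr, value):
    """One-level search under base_dn for entries whose attr contains value."""
    return [dn for dn, attrs in DIRECTORY.items()
            if dn.endswith("," + base_dn) and value in attrs.get(attr, [])]

def simple_bind(dn, password):
    """AD accepts a simple bind with an empty password as an *unauthenticated* bind:
    it succeeds without proving who the caller is. Modelled here the same way."""
    if password == "":
        return True
    return password in DIRECTORY.get(dn, {}).get("userPassword", [])

def login(username, password, allow_empty_passwords=False):
    """Return (authenticated, roles), following the two login modules in order."""
    if password == "" and not allow_empty_passwords:        # allowEmptyPasswords=false
        return False, []
    users = search(BASE_CTX_DN, "sAMAccountName", username)  # baseFilter (sAMAccountName={0})
    if len(users) != 1 or not simple_bind(users[0], password):
        return False, []
    groups = [dn.split(",", 1)[0][3:]                        # roleAttributeID=CN
              for dn in search(ROLES_CTX_DN, "member", users[0])]  # roleFilter (member={1})
    mapping = parse_roles_properties(ROLES_PROPERTIES)       # RoleMappingLoginModule, replaceRole default
    roles = set(groups).union(*(mapping.get(g, []) for g in groups))
    return True, sorted(roles)
```

With allow_empty_passwords=True, login("alice", "") returns authenticated with alice's full role set despite no password being supplied, which is the behaviour the false setting prevents.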