I get a 403 error when I test the LDAP auth. It seems that the password authentication is OK
because there is no error in the server.log. Therefore, it means something is wrong in the role
authentication.
As my LDAP server does not have role design and information, I want to use the same tree
(class) for the role authentication. For example, one of the attributes
"userclass" or "department" will be used for role authentication.
Please help to point out how to configure my LDAP authentication. My settings are as
follows:
<application-policy name="testLdapExample1">
  <login-module code="org.jboss.security.auth.spi.LdapLoginModule"
                flag="required">
    <module-option name="java.naming.factory.initial">
      com.sun.jndi.ldap.LdapCtxFactory
    </module-option>
    <module-option name="java.naming.provider.url">
      ldap://ldap.my.com/
    </module-option>
    <module-option name="java.naming.security.authentication">
      simple
    </module-option>
    <module-option name="principalDNPrefix">uid=</module-option>
    <module-option name="principalDNSuffix">,ou=People,o=my.com</module-option>
    <module-option name="rolesCtxDN">,ou=People,o=my.com</module-option>
    <module-option name="uidAttributeID">uid</module-option>
    <module-option name="matchOnUserDN">true</module-option>
    <module-option name="roleAttributeID">uid</module-option>
    <module-option name="roleAttributeIsDN">false</module-option>
    <module-option name="searchTimeLimit">5000</module-option>
    <module-option name="searchScope">ONELEVEL_SCOPE</module-option>
  </login-module>
</application-policy>
View the original post :
http://www.jboss.org/index.html?module=bb&op=viewtopic&p=4232926#...
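An added example, not part of the original post and not JBoss code: a small Python lint over the role-related options of the posted login-module. It assumes the documented LdapLoginModule option semantics (roles are searched under rolesCtxDN with a filter on uidAttributeID, matched against the login name or, with matchOnUserDN, the full user DN, and role names are read from roleAttributeID); the function names and finding codes are hypothetical.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the role-related options copied from the posted config.
POSTED = """<login-module code="org.jboss.security.auth.spi.LdapLoginModule" flag="required">
  <module-option name="java.naming.provider.url">ldap://ldap.my.com/</module-option>
  <module-option name="java.naming.security.authentication">simple</module-option>
  <module-option name="principalDNSuffix">,ou=People,o=my.com</module-option>
  <module-option name="rolesCtxDN">,ou=People,o=my.com</module-option>
  <module-option name="uidAttributeID">uid</module-option>
  <module-option name="matchOnUserDN">true</module-option>
  <module-option name="roleAttributeID">uid</module-option>
</login-module>"""

def options(xml_text):
    """Return {option name: trimmed value} for one <login-module> element."""
    root = ET.fromstring(xml_text)
    return {o.get("name"): (o.text or "").strip() for o in root.iter("module-option")}

def lint(opts):
    """Return (code, message) findings for the role-search options."""
    findings = []
    base = opts.get("rolesCtxDN", "")
    suffix = opts.get("principalDNSuffix", "")
    uid_attr = opts.get("uidAttributeID", "uid")      # documented default
    role_attr = opts.get("roleAttributeID", "roles")  # documented default
    # Unlike principalDNSuffix (appended to a name), rolesCtxDN must be a full DN.
    if not base or base.startswith(","):
        findings.append(("ROLE_BASE", f"rolesCtxDN {base!r} is not a complete DN"))
    # Roles taken from the user entries themselves: uid there holds the login
    # name, so matching it against the full user DN finds no entry.
    same_tree = base.lstrip(",") == suffix.lstrip(",")
    if same_tree and opts.get("matchOnUserDN", "false").lower() == "true":
        findings.append(("MATCH_DN", f"{uid_attr} is compared with the full user DN"))
    if role_attr == uid_attr:
        findings.append(("ROLE_ATTR", f"role names come from {role_attr}, i.e. the user id"))
    url = opts.get("java.naming.provider.url", "")
    if url.startswith("ldap://") and opts.get("java.naming.security.authentication") == "simple":
        findings.append(("CLEARTEXT", "simple bind over ldap:// sends the password unencrypted"))
    return findings

if __name__ == "__main__":
    for code, message in lint(options(POSTED)):
        print(f"{code}: {message}")
```
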