It's unfortunate no one was able to suggest using an undocumented version of
LdapLoginModule - I found the LdapExtLoginModule by searching the jboss source code. Once
I found that, a search of the wikis led me to the excellent posting
http://wiki.jboss.org/wiki/Wiki.jsp?page=LdapExtLoginModule and the problem was resolved
within hours.
For the benefit of others trying to use LDAP, don't waste time with the
LdapLoginModule described in the Application Server Guide. Go directly to the
LdapExtLoginModule for terminology and searching that more closely aligns with LDAP
terminology and concepts.
Below is the login-config.xml that works with my OpenLDAP:
<!-- GM: Sept 27 2007 - A configuration for webapps using an OpenLDAP running on
     this server. -->
<application-policy name="localhostLDAP">
  <authentication>
    <login-module code="org.jboss.security.auth.spi.LdapExtLoginModule" flag="required">
      <module-option name="java.naming.factory.initial">com.sun.jndi.ldap.LdapCtxFactory</module-option>
      <module-option name="java.naming.provider.url">ldap://127.0.0.1:389/</module-option>
      <module-option name="java.naming.security.authentication">simple</module-option>
      <!-- Account the module binds as to run the user and role searches -->
      <module-option name="bindDN">cn=administrator,dc=saanich,dc=ca</module-option>
      <module-option name="bindCredential">admin1</module-option>
      <!-- User search: {0} is replaced with the login name -->
      <module-option name="baseCtxDN">ou=People,dc=saanich,dc=ca</module-option>
      <module-option name="baseFilter">(cn={0})</module-option>
      <!-- Role search: {1} is replaced with the DN of the authenticated user -->
      <module-option name="rolesCtxDN">ou=Webapp-Roles,ou=Groups,dc=saanich,dc=ca</module-option>
      <module-option name="roleFilter">(member={1})</module-option>
      <module-option name="uidAttributeID">member</module-option>
      <module-option name="roleAttributeID">cn</module-option>
      <module-option name="roleNameAttributeID">cn</module-option>
      <module-option name="roleAttributeIsDN">true</module-option>
    </login-module>
  </authentication>
</application-policy>
View the original post :
http://www.jboss.com/index.html?module=bb&op=viewtopic&p=4089560#...
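An added example, not part of the original post or of JBoss: a small Python check that reads a login-config.xml and reports what a reviewer would look at in an LDAP login module like the one above (simple bind over ldap://, a clear-text bindCredential, an administrative bindDN). The sample document is constructed from the options in the post with a placeholder credential; the audit() function and the "admin" name heuristic are assumptions of this example.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Constructed sample mirroring the options in the post; credential is a placeholder.
SAMPLE = """<policy>
  <application-policy name="localhostLDAP">
    <authentication>
      <login-module code="org.jboss.security.auth.spi.LdapExtLoginModule" flag="required">
        <module-option name="java.naming.provider.url">ldap://127.0.0.1:389/</module-option>
        <module-option name="java.naming.security.authentication">simple</module-option>
        <module-option name="bindDN">cn=administrator,dc=saanich,dc=ca</module-option>
        <module-option name="bindCredential">PLACEHOLDER</module-option>
        <module-option name="baseFilter">(cn={0})</module-option>
      </login-module>
    </authentication>
  </application-policy>
</policy>"""

LOOPBACK = {"127.0.0.1", "::1", "localhost"}

def audit(xml_text):
    """Return a list of (policy name, finding) tuples for LDAP login modules."""
    findings = []
    for policy in ET.fromstring(xml_text).iter("application-policy"):
        name = policy.get("name")
        for module in policy.iter("login-module"):
            if "Ldap" not in module.get("code", ""):
                continue  # only LdapLoginModule / LdapExtLoginModule entries
            opts = {o.get("name"): (o.text or "").strip()
                    for o in module.iter("module-option")}
            url = urlparse(opts.get("java.naming.provider.url", ""))
            simple = opts.get("java.naming.security.authentication") == "simple"
            if url.scheme == "ldap" and simple:
                # A simple bind carries the password as-is; ldap:// adds no TLS.
                where = ("loopback only" if url.hostname in LOOPBACK
                         else "crosses the network")
                findings.append((name, "simple bind over ldap:// sends passwords "
                                       f"unencrypted ({where})"))
            if opts.get("bindCredential"):
                findings.append((name, "bindCredential is stored in clear text "
                                       "in the config file"))
            # Heuristic (assumption): an 'admin' name suggests a privileged account.
            if "admin" in opts.get("bindDN", "").lower():
                findings.append((name, "bindDN looks administrative; the searches "
                                       "only need a read-only account"))
    return findings

if __name__ == "__main__":
    for policy_name, finding in audit(SAMPLE):
        print(f"{policy_name}: {finding}")
```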