Hello bdaw,
OK, I will first try to create a test role in LDAP called "Authenticate". Maybe
I have to play a bit with the "roleAttributeIsDN" option. Where can I turn on the
DEBUG output for AuthenticatorBase, RealmBase and FormAuthenticator, like in the post
http://jboss.org/index.html?module=bb&op=viewtopic&t=91871?
My log4j.xml option in the conf directory for org.jboss is on DEBUG, but I don't get this
output in server.log.
For
http://jira.jboss.com/jira/browse/JBPORTAL-1047 this could maybe be helpful:
1. Set it up like IdentityLoginModule, where you can set an "additionalRole" as a
module-option. Normally (anyway in our company) there is no such "global" role in
LDAP for users. (I checked, e.g., SAP NetWeaver, and there also exists a built-in
"Authenticated Users" role.)
2. Another idea is to build in filters on users and roles, so that you can have your
default admin and user users be authenticated against the portal database instead of LDAP,
like
<module-option name="ldapUserFilter">admin, user</module-option>
<module-option name="ldapUserFilter">Administrators,Users</module-option>
3. Attribute mapping between portal and LDAP with an access-option like read-write or read
only. Portal attributes which are not mapped against LDAP should be stored in the portal DB and
be merged with the principals.
Hope this gives you some ideas for a powerful LDAP implementation.
Regards Oliver