Alejandro and Mauricio are correct.
The LDAPIdentityProvider is designed to use the InetOrgPerson schema, which is a standard
LDAP schema.
However, I think the use of cn and sn in its current implementation is not correct.
I would prefer to use uid instead of cn, and I am still not sure how to represent the
"activation" field.
Using sn is confusing.
I initially used these, since the LDAP repo that I was connecting with had the data set up
that way.
However, it's time the out-of-the-box LDAP impl moves away from those semantics and uses uid
and something else for representing "account activation".
Part of the reason I have not changed it is also keeping backward compatibility with
existing users who have set up their LDAP repo based on this impl.
I think the cleanest approach will be to leave this LDAPIdentityProvider impl as is, and
introduce a new one that maps the data in a more standard manner.
I apologize for the confusion that the hackish usage of 'sn' created ;)
If I were Hillary Clinton then I would say "I mis-coded" ;)
Thanks