Hello bdaw,
It works :). Great, thanks a lot for your help. Here is my setup.
1. Update $JBOSS_HOME\server\default\deploy\jboss-portal.sar\conf\login-config.xml and replace the existing

    <!-- <application-policy name="portal">
      <authentication>
        <login-module code="org.jboss.portal.identity.auth.IdentityLoginModule" flag="required">
          <module-option name="unauthenticatedIdentity">guest</module-option>
          <module-option name="userModuleJNDIName">java:/portal/UserModule</module-option>
          <module-option name="roleModuleJNDIName">java:/portal/RoleModule</module-option>
          <module-option name="additionalRole">Authenticated</module-option>
          <module-option name="password-stacking">useFirstPass</module-option>
        </login-module>
      </authentication>
    </application-policy> -->

with

    <application-policy name="portal">
      <authentication>
        <login-module code="org.jboss.portal.identity.auth.IdentityLoginModule" flag="sufficient">
          <module-option name="unauthenticatedIdentity">guest</module-option>
          <module-option name="userModuleJNDIName">java:/portal/UserModule</module-option>
          <module-option name="roleModuleJNDIName">java:/portal/RoleModule</module-option>
          <module-option name="additionalRole">Authenticated</module-option>
          <module-option name="password-stacking">useFirstPass</module-option>
        </login-module>
        <login-module code="org.jboss.security.auth.spi.LdapExtLoginModule" flag="required">
          <module-option name="java.naming.factory.initial">com.sun.jndi.ldap.LdapCtxFactory</module-option>
          <module-option name="java.naming.provider.url">ldap://bridge6.eu.boschrexroth.com:389/</module-option>
          <module-option name="java.naming.security.authentication">simple</module-option>
          <module-option name="baseCtxDN">ou=People,o=boschrexroth</module-option>
          <module-option name="baseFilter">(uid={0})</module-option>
          <module-option name="rolesCtxDN">ou=Groups,o=boschrexroth</module-option>
          <module-option name="roleFilter">(member={1})</module-option>
          <module-option name="roleAttributeID">member</module-option>
          <module-option name="roleRecursion">-1</module-option>
          <module-option name="roleNameAttributeID">cn</module-option>
          <module-option name="roleAttributeIsDN">true</module-option>
          <module-option name="searchTimeLimit">5000</module-option>
          <module-option name="searchScope">SUBTREE_SCOPE</module-option>
        </login-module>
      </authentication>
    </application-policy>

We use LdapExtLoginModule due to a hierarchical structure in our LDAP server. As our
structure is equal to example1.ldif
(http://wiki.jboss.org/wiki/Wiki.jsp?page=LdapExtLoginModule), I set the module-options
"roleAttributeIsDN" and "roleNameAttributeID" (in our case "cn").
Add the IdentityLoginModule with flag="sufficient" if you want the existing
default admin and user to still be able to log in.
2. Create a role in LDAP with the name "Authenticated" and add all users that you
want to be able to log in as members of the role. I'm sure you can also map the security-constraint in
portal-server.war\WEB-INF\web.xml to any other already existing role, but I never tested
that.
Regards Oliver
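
Added example, not part of Oliver's post or of JBoss code: a small Python model of the standard JAAS control-flag rules applied to the two-module stack configured above, showing which module decides the login for a local portal account, an LDAP account and an unknown user. It models only the login() phase; the abbreviated policy XML and the per-module outcomes are constructed sample input, and `load_stack` and `evaluate` are hypothetical helper names.

```python
import xml.etree.ElementTree as ET

# Constructed, abbreviated copy of the "portal" policy from the post
# (module-option elements omitted; only code and flag matter here).
POLICY_XML = """
<application-policy name="portal">
  <authentication>
    <login-module code="org.jboss.portal.identity.auth.IdentityLoginModule" flag="sufficient"/>
    <login-module code="org.jboss.security.auth.spi.LdapExtLoginModule" flag="required"/>
  </authentication>
</application-policy>
"""

def load_stack(policy_xml):
    """Return [(short module name, flag)] in configuration order."""
    root = ET.fromstring(policy_xml)
    return [(m.get("code").rsplit(".", 1)[-1], m.get("flag").lower())
            for m in root.iter("login-module")]

def evaluate(stack, outcomes):
    """Apply the JAAS flag rules; return (authenticated, modules consulted)."""
    # outcomes maps module name -> True/False (did that module's login() succeed?)
    mandatory = any(flag in ("required", "requisite") for _, flag in stack)
    required_failed = any_success = False
    consulted = []
    for name, flag in stack:
        consulted.append(name)
        if outcomes[name]:
            any_success = True
            # A successful "sufficient" module ends the walk unless an
            # earlier "required" module has already failed.
            if flag == "sufficient" and not required_failed:
                return True, consulted
        elif flag == "requisite":
            return False, consulted      # fail fast
        elif flag == "required":
            required_failed = True       # keep walking, but the login is lost
    if required_failed:
        return False, consulted
    return (True if mandatory else any_success), consulted

if __name__ == "__main__":
    stack = load_stack(POLICY_XML)
    # Constructed outcomes: (IdentityLoginModule ok?, LdapExtLoginModule ok?)
    for label, local_ok, ldap_ok in [("local portal account", True, False),
                                     ("LDAP account", False, True),
                                     ("unknown user", False, False)]:
        outcomes = {"IdentityLoginModule": local_ok, "LdapExtLoginModule": ldap_ok}
        print(label, evaluate(stack, outcomes))
```

With this ordering a successful IdentityLoginModule login returns before LdapExtLoginModule is consulted, so the portal's local accounts remain a valid way in regardless of what the directory says.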