I recently added SynchronizingLdapLoginModule, which extends LdapLoginModule from JBossSX,
and SynchronizingLdapExtLoginModule, which does the same for LdapExtLoginModule. You can use
them to:
- just authenticate against LDAP + inject an additional role principal, which is used to
  secure the portal application
- authenticate against LDAP + synchronize the LDAP user into the portal DB
- authenticate against LDAP + synchronize the LDAP user into the portal DB + assign such a
  user to a specified portal role
- authenticate against LDAP + synchronize the LDAP user into the portal DB + assign such a
  user to a specified portal role + try to synchronize all the roles obtained for such a
  user from LDAP into the portal DB
As you see, it can be quite flexible. It's in svn trunk and will be in beta, but there
is no documentation. Just look at the commented block of code in login-config.xml - minimal
documentation is in the comment block.
You need to remember that it's hard to decouple users and roles because of the
relationship. So you can't just keep users in LDAP and roles in DB.
With the current identity modules implementation you can keep most information about users
directly in LDAP anyway. This is documented for beta.