Hi all, It's about 2 days that i'm not able to resolve this problem. I'm trying to configure jboss to work with a webapplication that actually run under tomcat 5.5, but i'm not able to to configure LdapLoginModule. The page that should appear after login is in a protected area associated with a role "Cataloguer". This role is associated in LDAP tree, as an attribute of each users as value of field initials. When I try to login I receive an error 403 as the user isn't in the correct role. I trace in a public jsp request.getUserPrincipal().getName() and request.isUserInRole("Cataloguer"), and I call this page after my login. I see that the user Principal is correct but the condition isUserInRole return false. I activate trace information in log4j.xml for category "org.jboss.security.auth.spi" and this is the output . 2006-08-28 23:37:04,015 DEBUG [org.jboss.security.plugins.JaasSecurityManagerService] Added ldap-pdil, org.jboss.security.plugins.SecurityDomainContext@bc448b to map 2006-08-28 23:37:04,031 TRACE [org.jboss.security.auth.spi.LdapLoginModule] initialize, instance=@30675222 2006-08-28 23:37:04,031 TRACE [org.jboss.security.auth.spi.LdapLoginModule] login 2006-08-28 23:37:04,031 TRACE [org.jboss.security.auth.spi.LdapLoginModule] Logging into LDAP server, env={java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory, principalDNPrefix=cn=, java.naming.security.principal=cn=Cataloguer_1,ou=people,dc=mycompany,dc=com, roleAttributeID=initials, matchOnUserDN=false, principalDNSuffix=,ou=people,dc=soloreti,dc=net, allowEmptyPasswords=false, java.naming.provider.url=ldap://localhost:389/, roleAttributeIsDN=false, java.naming.security.authentication=simple, java.naming.security.credentials=***} 2006-08-28 23:37:04,078 TRACE [org.jboss.security.auth.spi.LdapLoginModule] Logged into LDAP server, javax.naming.ldap.InitialLdapContext@1ff83 2006-08-28 23:37:04,078 TRACE [org.jboss.security.auth.spi.LdapLoginModule] Rebind SECURITY_PRINCIPAL to: cn=Manager,dc=mycompany,dc=com2006-08-28 23:37:04,078 TRACE [org.jboss.security.auth.spi.LdapLoginModule] User 'Cataloguer_1' authenticated, loginOk=true 2006-08-28 23:37:04,078 TRACE [org.jboss.security.auth.spi.LdapLoginModule] commit, loginOk=true My application define 4 private area, each of them are associated to a role; in my LDAP role information is the attribute "initials" of the user. I configure an application policy under login-config.xml <application-policy name="ldap-pdil"> <!--<login-module code="org.jboss.security.auth.spi.LdapLoginModule" flag="required">--> <login-module code="org.jboss.security.auth.spi.LdapExtLoginModule" flag="required">--> <module-option name="java.naming.factory.initial">com.sun.jndi.ldap.LdapCtxFactory</module-option> <module-option name="java.naming.provider.url">ldap://localhost:389/</module-option> <module-option name="java.naming.security.authentication">simple</module-option> <module-option name="java.naming.security.principal">cn=Manager,dc=mycompany,dc=com/module-option> <module-option name="java.naming.security.credentials">secret</module-option> <module-option name="principalDNPrefix">cn=</module-option> <module-option name="principalDNSuffix">,ou=people,dc=mycompany,dc=com</module-option> <module-option name="matchOnUserDN">true</module-option> <module-option name="roleAttributeID">initials</module-option> <module-option name="roleAttributeIsDN">false</module-option> <module-option name="allowEmptyPasswords">false</module-option> </login-module> </application-policy> and i referenced it in my login module <login-config> <auth-method>FORM</auth-method> <realm-name>ldap-pdil</realm-name> <form-login-config> <form-login-page>/login.jsp</form-login-page> <form-error-page>/errors/loginFailedError.jsp</form-error-page> </form-login-config> </login-config> I think that i don't configure correctly these module option "matchOnUserDN", "roleAttributeID", "roleAttributeIsDN" : I try different value but the result is the same! Some one can help me? Why the user successfully login, but no role information are available? View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=3967944#... Reply to the post : http://www.jboss.com/index.html?module=bb&op=posting&mode=reply&a...