Thanks for your replie! Now I got the authorization working, by modifying the login-conf.xml domain params. But I am only getting the role names and not the DNs. That's essential, because the LDAP dir is quite hughe and most of the groups are containing user, poweruser and admin by default. But if it only resolves the role names it means, that a user just have to be in any group called user - no matter if its cn=user,ou=app1 or cn=user,ou=app2. Any chance to make this work? Thanks Zwitsch View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=3992201#... Reply to the post : http://www.jboss.com/index.html?module=bb&op=posting&mode=reply&a...