I do not know if there is a way to get the LDAP login module to not attempt to get the role - I would have to dig through the source code to find out. I can think of two workarounds: 1) Subclass org.jboss.security.auth.spi.LdapLoginModule and code the subclass to ignore the role info and return a hard-set role. 2) Provide data for the various roles entries such that LDAP returns some value (could be anything - a department name, a country name, whatever) and use that as the role. Will you applications really have just one role? In other words, once someone signs in, do they have access to everything? If so, either of the above should work. View the original post : http://www.jboss.org/index.html?module=bb&op=viewtopic&p=4233080#... Reply to the post : http://www.jboss.org/index.html?module=bb&op=posting&mode=reply&a...