I finally figured it out and thought I'd post what I found in case someone else has
the same issue. Turned on the trace in JBoss and read through the LdapLoginModule source
code. The user I was trying to log in with wasn't in the Administrators or Readers
role. Doesn't even matter if they're in the Users role. Think I'm going to
use LdapExtLoginModule instead. Not sure if this is a parameter that can be turned off
because I couldn't find any detailed documentation on ADAM.
<module-option name="java.naming.factory.initial">com.sun.jndi.ldap.LdapCtxFactory</module-option>
<module-option name="java.naming.provider.url">ldap://localhost:389/</module-option>
<module-option name="java.naming.security.authentication">simple</module-option>
<module-option name="principalDNPrefix">CN=</module-option>
<module-option name="principalDNSuffix">,O=my.org</module-option>
<module-option name="rolesCtxDN">O=my.org</module-option>
<module-option name="roleAttributeID">CN</module-option>
<module-option name="uidAttributeID">member</module-option>
<module-option name="roleAttributeIsDN">false</module-option>
<module-option name="roleNameAttributeID">name</module-option>
<module-option name="allowEmptyPasswords">false</module-option>
<module-option name="matchOnUserDN">true</module-option>
View the original post :
http://www.jboss.com/index.html?module=bb&op=viewtopic&p=4099009#...