"bdaw" wrote : I recently added SynchronizingLdapLoginModule that extends LdapLoginModule from JBossSX and SynchronizingLdapExtLoginModule that does the same for LdapExtLoginModule. You can use them to
| - just authenticate against LDAP + inject additional role principal which is used to secure portal application
| - authenticate against LDAP + synchronize ldap user into portal DB
| - authenticate against LDAP + synchronize ldap user into portal DB + assign such user to specified portal role
| - authenticate against LDAP + synchronize ldap user into portal DB + assign such user to specified portal role + try to synchronize all the roles obtained for such user from LDAP into portal DB
| ...
| You need to remember that it's hard to decouple users and roles because of relationship. So you can't just keep users in LDAP and roles in DB.
| ...

Hi bdaw,
Like dhartford, I need to use the LDAP for authentication (username/password) only and not
store any role information there. It seems like from your Use Case #1 that this is
possible by just authenticating and then synchronizing users/new roles to DB, but I am
confused as to what to use for my config settings in jboss-service.xml, login-config.xml,
as well as identity-config.xml. Which login modules should I use and what options should
I set? I am just using a test LDAP (OpenDS) for getting the proof of concept. Thanks for
any advice you can give.
JBoss Portal Version : 2.6.2 Bundled
Downloaded Portal, not from CVS
JBoss AS Version: 4.2.1
Database Vendor and Version: MySQL
JDBC Connector and Version: MySQL connector/J 5.1
OS Platform: Windows XP Pro