Hi, sorry for coming back to this so late, I got distracted by some other work. Maybe I am misunderstanding something, but I still think there is a bug around. The filter you posted works and all, but in a real-world scenario, that's not what one would use for a filter. The filter is constructed by the code, one would not directly add LastName, FirstName for a filter, or only that specific user would be found. If you look at the log snippets I pasted in a previous post, here is what happens: The user enters his credentials in the login box. The code finds the record for that user, and from that record, it takes the DN. From that DN (which may contain a comma), it constructs the search filter to search for roles. Now, if the DN does contain a comma, no roles are found, because the code does not escape the comma correctly. There is no way I can fix this by adapting the filters in my config, or am I missing something? Thanks, Tobias View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=4069046#... Reply to the post : http://www.jboss.com/index.html?module=bb&op=posting&mode=reply&a...