The roleRecursion option does not work in org.jboss.security.mapping.providers.role.LdapRolesMappingProvider: only entries that can be found without recursion are returned. No effective recursive search is performed, because the LdapRolesMappingProvider.rolesSearch method makes its recursive call with the same parameters.
To reproduce, use the following security domain configuration:
<!-- Reproducer security domain: users authenticate against properties files,
     then an LDAP role-mapping module is expected to add roles, including
     nested ones, from the directory. -->
<security-domain name="test">
  <authentication>
    <!-- File-backed login module; users and roles come from the two
         properties files named below. -->
    <login-module code="UsersRoles" flag="required">
      <module-option name="rolesProperties" value="roles.properties"/>
      <module-option name="usersProperties" value="users.properties"/>
    </login-module>
  </authentication>
  <mapping>
    <!-- Role mapping module under test; the report attributes the fault to
         org.jboss.security.mapping.providers.role.LdapRolesMappingProvider. -->
    <mapping-module code="LdapRoles" type="role">
      <!-- Bind identity and password are stored in clear text here and look
           like test-directory defaults. Keep them to a disposable test
           server; a real deployment should bind with a dedicated
           least-privilege account and keep the password out of the
           plain-text configuration. -->
      <module-option name="bindDN" value="uid=admin,ou=system"/>
      <module-option name="bindCredential" value="secret"/>
      <!-- ldap:// is unencrypted, so the bind password and the returned role
           data travel in the clear. Tolerable on localhost for a reproducer;
           use TLS (ldaps:// or StartTLS) for any remote directory. -->
      <module-option name="java.naming.provider.url" value="ldap://localhost:10389"/>
      <!-- {0} is presumably replaced with the authenticated user's name;
           confirm how the provider escapes that value before reusing this
           filter with untrusted user names. -->
      <module-option name="roleFilter" value="member=uid\={0},ou\=People,dc\=jboss,dc\=org"/>
      <module-option name="rolesCtxDN" value="ou=Roles,dc=jboss,dc=org"/>
      <module-option name="roleAttributeID" value="cn"/>
      <!-- The option this report is about: a depth of 2 is requested, but per
           the report only non-recursive matches are returned, so any
           authorization decision that relies on nested roles sees an
           incomplete role set. -->
      <module-option name="roleRecursion" value="2"/>
    </mapping-module>
  </mapping>
</security-domain>