LDAP authentication fails (HTTP 401 returned) when the login module option searchScope=OBJECT_SCOPE is used. The problem is caused by the attribute search for the role DN, which yields a DN starting with a comma, e.g. ",cn=JBossAdmin,ou=Roles,dc=jboss,dc=org". You can reproduce it with the following configuration.

Security domain:

<security-domain name="ldap">
  <authentication>
    <login-module code="AdvancedLdap" flag="required">
      <module-option name="bindDN" value="uid=admin,ou=system"/>
      <module-option name="bindCredential" value="secret"/>
      <module-option name="baseCtxDN" value="ou=People,dc=jboss,dc=org"/>
      <module-option name="searchScope" value="OBJECT_SCOPE"/>
      <module-option name="java.naming.factory.initial" value="com.sun.jndi.ldap.LdapCtxFactory"/>
      <module-option name="java.naming.provider.url" value="ldap://localhost:10389"/>
      <module-option name="throwValidateError" value="true"/>
      <module-option name="baseFilter" value="(uid={0})"/>
      <module-option name="roleFilter" value="(member={1})"/>
      <module-option name="roleAttributeID" value="cn"/>
      <module-option name="rolesCtxDN" value="cn=JBossAdmin,ou=Roles,dc=jboss,dc=org"/>
      <module-option name="java.naming.security.authentication" value="simple"/>
    </login-module>
  </authentication>
</security-domain>

LDIF for the user and role:

dn: ou=People,dc=jboss,dc=org
objectclass: top
objectclass: organizationalUnit
ou: People

dn: uid=jduke,ou=People,dc=jboss,dc=org
objectclass: top
objectclass: person
objectclass: inetOrgPerson
uid: jduke
cn: Java Duke
sn: Duke
userPassword: Password1

dn: ou=Roles,dc=jboss,dc=org
objectClass: top
objectClass: organizationalUnit
ou: Roles

dn: cn=JBossAdmin,ou=Roles,dc=jboss,dc=org
objectClass: top
objectClass: groupOfNames
cn: JBossAdmin
member: uid=jduke,ou=People,dc=jboss,dc=org

It seems the method AdvancedLdapLoginModule.canonicalize() causes this problem.
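To illustrate the failure mode described above, here is an added Python model (not the AdvancedLdapLoginModule code) of joining a search result's relative name to rolesCtxDN; that OBJECT_SCOPE yields an empty relative name is an assumption, chosen because it matches the leading-comma DN in the report.

```python
# Added illustration, not the AdvancedLdapLoginModule source. Assumption: the
# module builds a role DN by joining the search result's relative name to
# rolesCtxDN; under OBJECT_SCOPE the matched entry is the base itself, so the
# relative name is empty and a naive join yields ",cn=JBossAdmin,...".

ROLES_CTX_DN = "cn=JBossAdmin,ou=Roles,dc=jboss,dc=org"


def naive_canonicalize(result_name: str, roles_ctx_dn: str) -> str:
    """Unconditional join: produces a leading comma when result_name is empty."""
    return result_name + "," + roles_ctx_dn


def canonicalize(result_name: str, roles_ctx_dn: str, relative: bool = True) -> str:
    """Join a search result name to the search base, handling the edge cases.

    relative=False: the server returned an absolute DN, so use it unchanged.
    Empty relative name: the match is the base entry (OBJECT_SCOPE), so the
    role DN is the base DN itself rather than "," + base.
    """
    if not relative:
        return result_name
    if result_name == "":
        return roles_ctx_dn
    return result_name + "," + roles_ctx_dn


def is_well_formed_dn(dn: str) -> bool:
    """Cheap sanity check: every RDN is non-empty and has an attribute=value."""
    rdns, cur, escaped = [], "", False
    for ch in dn:  # split on unescaped commas (RFC 4514 backslash escaping)
        if escaped:
            cur += ch
            escaped = False
        elif ch == "\\":
            cur += ch
            escaped = True
        elif ch == ",":
            rdns.append(cur)
            cur = ""
        else:
            cur += ch
    rdns.append(cur)
    return all(r.strip() and "=" in r for r in rdns)
```

Running `is_well_formed_dn` on the value that `naive_canonicalize("", ROLES_CTX_DN)` returns flags the leading comma before the DN is handed to the directory, which is the kind of check that would have caught this bug before the 401.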