5 Replies Latest reply on Jan 30, 2003 10:49 AM by aweissman

    LDAPLoginModule Example in Paid Doc

    aweissman

      I'm trying to set up my SunONE Directory server and I'm following the (paid) security documentation pretty well. The thing that I'm confused about is the sample schema in the example on page 280, specifically the left side of the tree. I understand ou=Roles, but underneath that is where it is confusing. What does cn=JbossSX Tests mean in relation to the other elements? Is it a brother to userId? Or a parent to userId? What about roleName? What is the relation between the three element types there?


      Thanks so much,
      Alan

        • 1. Re: LDAPLoginModule Example in Paid Doc
          jwkaltz

          Well, to be 100% sure, we would need to see the objectclass definition.

          But here's my interpretation:
          the left side of the tree is one entry in the LDAP, identified by cn=JBossSX Tests;
          the right side of the tree is another entry in LDAP, identified by uid=jduke.

          The relation between the two seems to be that an object in Roles (the left side of the tree) can have one (or probably several) attributes named userid.
          These would refer to the users in the group, and the content of that attribute must be a key in the right side of the tree.

          roleName is the role name you would use in your EJB deployment descriptors for role-based permissions.

          I hope that makes sense. I'm sort of guessing, as I myself am using a custom LDAP login module (so that I have more flexibility with the LDAP structures).

          • 2. Re: LDAPLoginModule Example in Paid Doc
            aweissman

            Hm, yeah, I think that was pretty much my thought. I finally got it to work, which I'm excited about, but I definitely don't want to use this structure. Care to give some insight into how you structure your users and roles, and how you wrote your LDAP module?

            • 3. Re: LDAPLoginModule Example in Paid Doc
              jwkaltz

              I didn't actually give a huge amount of thought to how to organize the roles, because the analysts were supposed to say how the roles are to be organized - about 1.5 years ago, and they still haven't told me ;)

              So this is precisely why I want my own LoginModule, so that I can adapt my code to whatever stupid structure the analysts come up with.

              It's quite easy really if you subclass a JBoss base class such as org.jboss.security.auth.spi.UsernamePasswordLoginModule.

              I'm going to try to attach my module to this posting. I've encapsulated the actual access to LDAP in utility classes, to reduce the login module code to a minimum.
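For readers without the attachment: the sketch below is an added illustration, not jwkaltz's module, of a UsernamePasswordLoginModule subclass that authenticates by binding to LDAP as the user and then collects roles from the layout discussed in reply 1 (entries under ou=Roles, each with a roleName and one userid attribute per member). The option names userDnPrefix, userDnSuffix, rolesCtxDn and java.naming.provider.url are assumed for this example; the JBossSX methods overridden (getUsersPassword, validatePassword, getRoleSets, options, getUsername) are the real base-class API.

```java
import java.security.acl.Group;
import java.util.*;
import javax.naming.*;
import javax.naming.directory.*;
import javax.security.auth.login.LoginException;
import org.jboss.security.SimpleGroup;
import org.jboss.security.SimplePrincipal;
import org.jboss.security.auth.spi.UsernamePasswordLoginModule;

public class RoleEntryLdapLoginModule extends UsernamePasswordLoginModule {
    private List roleNames = new ArrayList();
    // Nothing is read from userPassword: the check is a simple bind as the user.
    protected String getUsersPassword() throws LoginException { return null; }
    protected boolean validatePassword(String inputPassword, String expectedPassword) {
        // An empty password turns the bind into an anonymous bind that "succeeds": reject it first.
        if (inputPassword == null || inputPassword.length() == 0) return false;
        Hashtable env = new Hashtable(); // option names below are assumed for this example
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, opt(Context.PROVIDER_URL));
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, opt("userDnPrefix") + getUsername() + opt("userDnSuffix"));
        env.put(Context.SECURITY_CREDENTIALS, inputPassword);
        DirContext ctx = null;
        try {
            ctx = new InitialDirContext(env); // performs the bind; throws on a wrong password
            loadRoles(ctx, getUsername());
            return true;
        } catch (NamingException e) {
            return false;
        } finally {
            try { if (ctx != null) ctx.close(); } catch (NamingException ignored) {}
        }
    }
    // Each entry under ou=Roles whose userid equals this user (e.g. cn=JBossSX Tests) contributes its roleName.
    private void loadRoles(DirContext ctx, String user) throws NamingException {
        SearchControls sc = new SearchControls();
        sc.setSearchScope(SearchControls.ONELEVEL_SCOPE);
        sc.setReturningAttributes(new String[] { "roleName" });
        // {0} is substituted and escaped by JNDI, so the username cannot alter the filter.
        NamingEnumeration res = ctx.search(opt("rolesCtxDn"), "(userid={0})", new Object[] { user }, sc);
        while (res.hasMore()) {
            Attribute a = ((SearchResult) res.next()).getAttributes().get("roleName");
            if (a != null) roleNames.add(a.get().toString());
        }
    }
    protected Group[] getRoleSets() throws LoginException {
        SimpleGroup roles = new SimpleGroup("Roles"); // JBoss reads the caller's roles from the "Roles" group
        for (Iterator i = roleNames.iterator(); i.hasNext();) roles.addMember(new SimplePrincipal((String) i.next()));
        return new Group[] { roles };
    }
    private String opt(String name) { return (String) options.get(name); }
}
```

The module is wired in like any other JBossSX login module, in the application policy of login-config.xml, with the assumed options supplied as module-option entries.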

              • 4. Re: LDAPLoginModule Example in Paid Doc
                jwkaltz

                Sorry, in the previous posting I attached the wrong file.

                This one should contain the correct attachment.

                • 5. Re: LDAPLoginModule Example in Paid Doc
                  aweissman

                  Awesome, thanks!
                  If the post fails, you can email it to me at alan@solspark.com

                  Thanks again!
                  Alan