2 Replies Latest reply on Nov 9, 2004 9:12 AM by hawkinsak

    LdapLoginModule authenticates against active directory, but

    hawkinsak

      I can authenticate against Active Directory using the JBoss LdapLoginModule; however, there are no roles returned. I am able to use a different login module that doesn't use LDAP to authenticate and authorize, but I would really like to use an LDAP implementation. Any help would be welcome.

      Aaron Hawkins

        • 1. Re: LdapLoginModule authenticates against active directory,
          hawkinsak

          Let me give you some more information.
          I have tried using the JBoss LdapLoginModule with a Tomcat JAAS realm. I have been able to authenticate against Active Directory, but the only group returned was Roles. From reading some JBoss documentation, I think that the Active Directory groups are a subgroup to Roles. This seems to be specific to JBoss, because Tomcat isn't expecting the groups to be in a subgroup.

          So I've tried to use JBoss completely to see if that would fix the problem. Now, I can authenticate, but there are no groups returned. Do I need to specify what implementation of UserPrincipal to use, like I did in the Tomcat realm? I try to log into a protected directory and access is denied. Then I go to a JSP page that is unprotected that returns <%=request.getUserPrincipal()%>, which only shows my username. So I don't understand why I can't access the group information. I'm using form-based authentication. Thanks

          • 2. Re: LdapLoginModule authenticates against active directory,
            hawkinsak

            Here is my login-config.xml entry

            <application-policy name = "web-console">
              <!-- login-config.xml expects the login-module inside an <authentication> element -->
              <authentication>
                <login-module code="org.jboss.security.auth.spi.LdapLoginModule"
                              flag = "required">
                  <!-- Directory to bind to. The bind DN is principalDNPrefix + username + principalDNSuffix;
                       neither is set here, so the login name is used as-is -->
                  <module-option name="java.naming.provider.url">ldap://myserver/</module-option>
                  <!-- Context searched for the user's entry when looking up roles -->
                  <module-option name="rolesCtxDN">dc=asrs,dc=local</module-option>
                  <!-- Attribute matched against the login name (or the user DN when matchOnUserDN=true) -->
                  <module-option name="uidAttributeID">userPrincipalName</module-option>
                  <!-- Attribute on the user entry that holds the roles -->
                  <module-option name="roleAttributeID">memberOf</module-option>
                  <!-- memberOf values are group DNs, so each one is looked up... -->
                  <module-option name="roleAttributeIsDN">true</module-option>
                  <!-- ...and this attribute of the group entry becomes the role name -->
                  <module-option name="roleNameAttributeID">name</module-option>
                </login-module>
              </authentication>
            </application-policy>
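            To see what the options in that login-config.xml entry actually ask the login module to do, here is an added example (my own code, not JBoss's and not from this thread) that models the role lookup over a constructed in-memory stand-in for Active Directory. The user and group entries, the "myserver" directory layout and the helper names are all made up for the example; the walk through the directory follows the documented meaning of each option (bind DN = principalDNPrefix + login name + principalDNSuffix, search rolesCtxDN for uidAttributeID = login name, then resolve each memberOf DN to its roleNameAttributeID), so the exact search semantics are an assumption rather than a reading of the module's source.

```python
# Added example: a model of how a JBoss-style LdapLoginModule turns the
# posted module-options into a list of role names.  Not JBoss code.

# Constructed stand-in for Active Directory: DN -> attributes (multi-valued).
DIRECTORY = {
    "CN=Aaron Hawkins,CN=Users,DC=asrs,DC=local": {
        "sAMAccountName": ["hawkinsak"],
        "userPrincipalName": ["hawkinsak@asrs.local"],
        "memberOf": [
            "CN=WebAdmins,CN=Users,DC=asrs,DC=local",
            "CN=Developers,OU=Groups,DC=asrs,DC=local",
            "CN=Stale,OU=Groups,DC=asrs,DC=local",  # no such group entry exists
        ],
    },
    "CN=WebAdmins,CN=Users,DC=asrs,DC=local": {"name": ["WebAdmins"], "cn": ["WebAdmins"]},
    "CN=Developers,OU=Groups,DC=asrs,DC=local": {"name": ["Developers"], "cn": ["Developers"]},
}

# The options from the post, plus the ones it leaves unset (assumed defaults:
# empty prefix/suffix and matchOnUserDN=false).
POSTED_OPTIONS = {
    "rolesCtxDN": "dc=asrs,dc=local",
    "uidAttributeID": "userPrincipalName",
    "roleAttributeID": "memberOf",
    "roleAttributeIsDN": "true",
    "roleNameAttributeID": "name",
    "principalDNPrefix": "",
    "principalDNSuffix": "",
    "matchOnUserDN": "false",
}


def _flag(options, key):
    """Boolean module-option, 'true'/'false' as in login-config.xml."""
    return options.get(key, "false").strip().lower() == "true"


def _entry(dn):
    """Case-insensitive DN lookup (LDAP DNs compare case-insensitively)."""
    for key, attrs in DIRECTORY.items():
        if key.lower() == dn.lower():
            return attrs
    return None


def search(base_dn, attr, value):
    """Subtree search under base_dn for entries whose attr contains value."""
    hits = []
    for dn, attrs in DIRECTORY.items():
        if not dn.lower().endswith(base_dn.lower()):
            continue
        if any(v.lower() == value.lower() for v in attrs.get(attr, [])):
            hits.append(attrs)
    return hits


def resolve_roles(options, login_name):
    """Return the role names the module would add for login_name.

    1. The user DN is principalDNPrefix + login_name + principalDNSuffix
       (the same string the module binds with to authenticate).
    2. rolesCtxDN is searched for (uidAttributeID=<login_name, or the user DN
       when matchOnUserDN=true>).
    3. roleAttributeID is read from every hit; with roleAttributeIsDN=true each
       value is treated as a group DN and roleNameAttributeID of that group
       supplies the role name.  A DN that does not resolve adds nothing.
    """
    user_dn = options.get("principalDNPrefix", "") + login_name + options.get("principalDNSuffix", "")
    match_value = user_dn if _flag(options, "matchOnUserDN") else login_name
    user_entries = search(options["rolesCtxDN"], options.get("uidAttributeID", "uid"), match_value)

    roles = []
    role_attr = options.get("roleAttributeID", "roles")
    name_attr = options.get("roleNameAttributeID", "name")
    for entry in user_entries:
        for value in entry.get(role_attr, []):
            if not _flag(options, "roleAttributeIsDN"):
                roles.append(value)
                continue
            group = _entry(value)
            if group is None:
                continue  # dangling memberOf value: silently dropped
            roles.extend(group.get(name_attr, []))
    return roles


if __name__ == "__main__":
    # Login name equals the userPrincipalName value: the user entry is found.
    print(resolve_roles(POSTED_OPTIONS, "hawkinsak@asrs.local"))
    # Bare account name does not match userPrincipalName: no entry, no roles.
    print(resolve_roles(POSTED_OPTIONS, "hawkinsak"))
    # Same bare name, but matching on sAMAccountName instead.
    print(resolve_roles({**POSTED_OPTIONS, "uidAttributeID": "sAMAccountName"}, "hawkinsak"))
```

The second call is the case worth checking against the real directory: with uidAttributeID set to userPrincipalName, the value typed into the login form has to equal the user's UPN (user@asrs.local) exactly, otherwise the role search finds no entry and the login succeeds with an empty role set. Whatever roles the real module does find are handed to the container inside a principal group named "Roles", which is the group the first reply saw from the Tomcat realm.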