The LoginModule RoleSets correspond to one user. So there's not a race condition.
I'm currently using Novell LDAP libs with a custom LoginModule, that extends the LdapLoginModule.
Let me know if you have any issues. Our LDAP schema is custom, so it may not be exactly what you use, but the technical issues should be pretty similar.
A new LoginModule is created for each login when authentication is required. The roles for the user are obtained from the resulting subject outside of the authentication call and does not use the getRoleSets as this was used to populate the Subject. Read the JAAS howto for more info on how the login modules are used.