Let me give you some more information.
I have tried using the JBoss LdapLoginModule with a Tomcat JAAS realm. I have been able to authenticate against Active Directory, but the only group returned was Roles. From reading some JBoss documentation, I think that the Active Directory groups are a subgroup of Roles. This seems to be specific to JBoss, because Tomcat isn't expecting the groups to be in a subgroup.
So I've tried to use JBoss completely to see if that would fix the problem. Now I can authenticate, but there are no groups returned. Do I need to specify what implementation of user principal to use, like I did in the Tomcat realm? I try to log into a protected directory and access is denied. Then I go to a JSP page that is unprotected that returns <%=request.getUserPrincipal()%>, which only shows my username. So I don't understand why I can't access the group information. I'm using form-based authentication. Thanks
Here is my login-config.xml entry:
<application-policy name = "web-console">
flag = "required">