Its definitely a bug. The LdapExtLoginModule is relatively new and might not have undergone serious user testing :). Another thing missing is that the login modules dont provide a role mapping capability to map groups from ldap to roles that are different from the group name!!
Thanks for the reply, niwhsa!
The good news is that LdapExtLoginModule does allow you to map roles with LDAP Groups, no matter the name, which is why I'm so excited about it.
I found the bug, and submitted it to JIRA. It was put into 4.0.3Final.
I finally got it working to map ANY roles I created to ANY groups already defined in my AD Environment. What a lifesaver! Love it!