I have a group in AD with this DN: CN=group/slash Test,CN=Users,DC=jbossuk,DC=redhat,DC=com
and a user belonging to this group. RecurseRoles is set to true.
Running test 3 of the negotiation toolkit fails.
Debugging led to: org/jboss/security/negotiation/AdvancedLdapLoginModule.java
protected void obtainRole(LdapContext searchContext, String dn) throws NamingException, LoginException
which bombs out with the exception:
Caused by: javax.naming.NamingException: [LDAP: error code 1 - 000020D6: SvcErr: DSID-031007DB, problem 5012 (DIR_ERROR), data 0]; remaining name 'CN=group/slash Test,CN=Users,DC=jbossuk,DC=redhat,DC=com'
Further debugging led to a fix - here is the function that needs modifying:
protected void obtainRole(LdapContext searchContext, String dn) throws NamingException, LoginException
{
    if (log.isTraceEnabled())
        log.trace("rolesSearch resultDN = " + dn);

    // Only the role attribute is requested for the entry identified by dn.
    String[] attrNames = {roleAttributeID};
    Attributes result = searchContext.getAttributes(dn, attrNames);
    if (result != null && result.size() > 0)
    {
        Attribute roles = result.get(roleAttributeID);
        for (int n = 0; n < roles.size(); n++)
        {
            String roleName = (String) roles.get(n);
            if (roleAttributeIsDN)
            {
                // Query the roleDN location for the value of roleNameAttributeID
                String baseRoleDN = roleName;
                String roleDN = "\"" + baseRoleDN + "\"";
                loadRoleByRoleNameAttributeID(searchContext, roleDN);
                recurseRolesSearch(searchContext, baseRoleDN);
    ...
rewrite the last bit to:
                // Query the roleDN location for the value of roleNameAttributeID
                String roleDN = "\"" + roleName + "\"";
                loadRoleByRoleNameAttributeID(searchContext, roleDN);
                recurseRolesSearch(searchContext, roleDN);
This way, recurseRolesSearch gets the quoted role DN, which prevents the JVM LDAP code from throwing the aforementioned exception.
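The root cause behind the exception is that JNDI parses any String name handed to a Context as a composite name, in which '/' separates components, so an unquoted DN containing a slash is split in two and the LDAP provider sends a truncated name to the server. The following stand-alone Java class is an added illustration and is not code from the JBoss Negotiation module or the report above; it uses only javax.naming.CompositeName from the JDK and needs no directory server. The DN is a constructed sample with the same shape as the one in the report, and the helper names (componentCount, quote, asSingleComponent) are made up for this example.

```java
import javax.naming.CompositeName;
import javax.naming.InvalidNameException;
import javax.naming.Name;

public class JndiDnQuoting {

    // Constructed sample DN mirroring the report's shape; not a real directory entry.
    static final String DN = "CN=group/slash Test,CN=Users,DC=example,DC=com";

    /** How JNDI splits a String name: a composite name with '/' as the component separator. */
    static int componentCount(String name) throws InvalidNameException {
        return new CompositeName(name).size();
    }

    /** The approach taken by the proposed fix: wrap the whole DN in double quotes so that it
     *  parses as a single composite-name component (the quotes themselves are not kept). */
    static String quote(String dn) {
        return "\"" + dn + "\"";
    }

    /** Alternative that avoids string parsing entirely: add the DN as one component of an
     *  empty CompositeName and pass the resulting Name object to the Context methods. */
    static Name asSingleComponent(String dn) throws InvalidNameException {
        return new CompositeName().add(dn);
    }

    public static void main(String[] args) throws InvalidNameException {
        // Raw DN: the slash inside "group/slash" is taken as a separator, giving two components.
        System.out.println("raw DN components:    " + componentCount(DN));

        // Quoted DN: one component, whose value is the DN without the surrounding quotes.
        CompositeName quoted = new CompositeName(quote(DN));
        System.out.println("quoted DN components: " + quoted.size());
        System.out.println("quoted component:     " + quoted.get(0));

        // Name built with add(): one component, value unchanged, no parsing involved.
        Name direct = asSingleComponent(DN);
        System.out.println("add() components:     " + direct.size());
        System.out.println("add() component:      " + direct.get(0));
    }
}
```

Quoting works for the slash case reported here, but it still routes a value read from the directory through the composite-name parser, so a DN that itself contains a double quote would break the quoting. Building the Name with CompositeName.add() and passing that Name (rather than a String) to getAttributes and search sidesteps the parser for every DN, which is the more robust choice when the value comes from directory data the application does not control.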