Thanks for your help, Brian, Karin and Dennis. I eventually got it working. It works fine
for the 1.0 and 1.1 M2 versions. For reference, here is my LDAP section from xwiki.cfg:
# LDAP config for AD server
xwiki.authentication.ldap=1
xwiki.authentication.ldap.authclass=com.xpn.xwiki.user.impl.LDAP.LDAPAuthServiceImpl
xwiki.authentication.ldap.server=adserver
xwiki.authentication.ldap.check_level=1
xwiki.authentication.ldap.port=389
xwiki.authentication.ldap.base_DN=dc=subdomain,dc=domain,dc=suffix
xwiki.authentication.ldap.bind_DN=subdomain\\{0}
xwiki.authentication.ldap.bind_pass={1}
xwiki.authentication.ldap.UID_attr=sAMAccountName
xwiki.authentication.ldap.fields_mapping=name=sAMAccountName,last_name=sn,first_name=givenName,fullname=displayName,mail=mail,ldap_dn=dn
Another configuration, for authenticating with OpenLDAP (this server is not on a
subdomain). This server has unusual field names.
# LDAP config
xwiki.authentication.ldap=1
xwiki.authentication.ldap.authclass=com.xpn.xwiki.user.impl.LDAP.LDAPAuthServiceImpl
xwiki.authentication.ldap.server=ldapserver
xwiki.authentication.ldap.check_level=1
xwiki.authentication.ldap.port=389
xwiki.authentication.ldap.base_DN=dc=domain,dc=suffix
xwiki.authentication.ldap.bind_DN=miloginid=<usernameforbind>,midomainname=primary,ou=domains,dc=<domain>,dc=<suffix>
xwiki.authentication.ldap.bind_pass=<passwordforbind>
xwiki.authentication.ldap.UID_attr=miloginid
#xwiki.authentication.ldap.fields_mapping=name=miLoginid,first_name=cn,fullname=cn,mail=mail,ldap_dn=miLoginid
xwiki.authentication.ldap.fields_mapping=name=miLoginid
I did find it quite difficult to diagnose problems with the process. More informative
error messages would be helpful. No matter what setting I put in the log4j configuration, I
couldn't get any detailed debug messages about where the authentication was failing.
It works great once configured properly. Accounts are created in the xwiki user database,
using the information from the ldap.fields_mapping field. If that mapping is not
specified, no account is created, and the user is logged in without having a profile in
xwiki, leading to the user not being a member of any group.
It is possible to create accounts in xwiki for users who do not appear in the LDAP
database.
If any fields are mapped wrong, or any bind information is wrong, you get the
"authentication failed" message in the log.
Hopefully these details will be helpful to someone at a later date.
Joe
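Since the post above says misconfiguration only ever surfaces as a bare "authentication failed", the following is an added example (my own code, not part of Joe's post or of XWiki) that lints the LDAP section of an xwiki.cfg before it is deployed. It assumes xwiki.cfg is in Java .properties syntax and that XWiki substitutes {0} (the login name) and {1} (the login password) into bind_DN and bind_pass, which is what the first configuration above relies on; the placeholder handling is a simplification of java.text.MessageFormat (quote escaping is ignored), only the `=` separator is parsed, and the finding codes are this script's own invention. The two sample configurations are copied from the post as constructed input.

```python
# Added example: lint the LDAP section of an XWiki xwiki.cfg (Java .properties syntax).
# Not XWiki code; finding codes and the simplified placeholder/properties parsing are
# this script's own assumptions.

PREFIX = "xwiki.authentication.ldap"

# Constructed sample input: the Active Directory configuration from the post.
AD_CONFIG = r"""
# LDAP config for AD server
xwiki.authentication.ldap=1
xwiki.authentication.ldap.authclass=com.xpn.xwiki.user.impl.LDAP.LDAPAuthServiceImpl
xwiki.authentication.ldap.server=adserver
xwiki.authentication.ldap.check_level=1
xwiki.authentication.ldap.port=389
xwiki.authentication.ldap.base_DN=dc=subdomain,dc=domain,dc=suffix
xwiki.authentication.ldap.bind_DN=subdomain\\{0}
xwiki.authentication.ldap.bind_pass={1}
xwiki.authentication.ldap.UID_attr=sAMAccountName
xwiki.authentication.ldap.fields_mapping=name=sAMAccountName,last_name=sn,first_name=givenName,fullname=displayName,mail=mail,ldap_dn=dn
"""

# Constructed sample input: the OpenLDAP configuration from the post (placeholders kept).
OPENLDAP_CONFIG = r"""
# LDAP config
xwiki.authentication.ldap=1
xwiki.authentication.ldap.authclass=com.xpn.xwiki.user.impl.LDAP.LDAPAuthServiceImpl
xwiki.authentication.ldap.server=ldapserver
xwiki.authentication.ldap.check_level=1
xwiki.authentication.ldap.port=389
xwiki.authentication.ldap.base_DN=dc=domain,dc=suffix
xwiki.authentication.ldap.bind_DN=miloginid=<usernameforbind>,midomainname=primary,ou=domains,dc=<domain>,dc=<suffix>
xwiki.authentication.ldap.bind_pass=<passwordforbind>
xwiki.authentication.ldap.UID_attr=miloginid
#xwiki.authentication.ldap.fields_mapping=name=miLoginid,first_name=cn,fullname=cn,mail=mail,ldap_dn=miLoginid
xwiki.authentication.ldap.fields_mapping=name=miLoginid
"""


def unescape(value):
    """Apply Java Properties backslash escapes: a doubled backslash yields one
    backslash, n/t/r/f become control characters, any other escaped char is kept."""
    specials = {"n": "\n", "t": "\t", "r": "\r", "f": "\f"}
    out, i = [], 0
    while i < len(value):
        if value[i] == "\\" and i + 1 < len(value):
            out.append(specials.get(value[i + 1], value[i + 1]))
            i += 2
        else:
            out.append(value[i])
            i += 1
    return "".join(out)


def parse_properties(text):
    """Parse key=value lines, skipping blanks and # / ! comments (simplified: no
    ':' separators, no line continuations). Values are split on the FIRST '='
    only, so base_DN=dc=domain,dc=suffix keeps its inner '=' signs."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = unescape(value.strip())
    return props


def parse_fields_mapping(props):
    """Turn 'name=sAMAccountName,mail=mail,...' into {xwiki_field: ldap_attribute}."""
    raw = props.get(f"{PREFIX}.fields_mapping", "")
    mapping = {}
    for pair in (p.strip() for p in raw.split(",")):
        field, sep, attr = pair.partition("=")
        if sep:
            mapping[field.strip()] = attr.strip()
    return mapping


def fill_placeholders(template, username, password):
    """Simplified MessageFormat: {0} is the login name, {1} the login password."""
    return template.replace("{0}", username).replace("{1}", password)


def bind_credentials(props, username, password):
    """The DN and password XWiki would bind with for this login attempt."""
    dn = fill_placeholders(props.get(f"{PREFIX}.bind_DN", ""), username, password)
    pw = fill_placeholders(props.get(f"{PREFIX}.bind_pass", ""), username, password)
    return dn, pw


def lint(props):
    """Return finding codes for the LDAP section (empty list means nothing flagged)."""
    findings = []
    if props.get(PREFIX) != "1":
        findings.append("LDAP_DISABLED")
    if not parse_fields_mapping(props):
        # Per the post: without fields_mapping no XWiki profile is created, so the
        # user logs in but is a member of no group.
        findings.append("NO_FIELDS_MAPPING")
    dn = props.get(f"{PREFIX}.bind_DN", "")
    pw = props.get(f"{PREFIX}.bind_pass", "")
    if "{0}" in dn:
        # Per-user bind: the password must be templated from the login form too.
        if "{1}" not in pw:
            findings.append("BIND_PASS_NOT_TEMPLATED")
    elif pw:
        # Static service-account secret lives in xwiki.cfg: the file must be
        # readable only by the account the wiki runs as.
        findings.append("STATIC_BIND_PASSWORD_IN_FILE")
    if props.get(f"{PREFIX}.port") == "389":
        # Plain LDAP: bind passwords cross the network in clear unless StartTLS
        # is negotiated on that port.
        findings.append("PLAIN_LDAP_PORT")
    return findings


if __name__ == "__main__":
    for label, cfg in (("AD", AD_CONFIG), ("OpenLDAP", OPENLDAP_CONFIG)):
        props = parse_properties(cfg)
        print(label, "binds as", bind_credentials(props, "jdoe", "<pw>")[0])
        print(label, "findings:", lint(props) or "none")
```

Running it shows why the AD variant needs `\\` in the file: after properties unescaping the bind DN for user jdoe becomes `subdomain\jdoe`, which is the down-level logon name AD accepts, whereas a single backslash would have been swallowed as an escape of `{`. The OpenLDAP variant is flagged for keeping a static bind password in the file, and both are flagged for plain port 389.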