I had exactly the same problem but luckily I was pointed in the correct direction by one of the above posts. After much looking through code I discovered that the handling of groups is quite different depending on the use of posixGroup or not. The documentation says that if you're using just the usernames in the group mapping then you should enable this. If you use full DNs (like me) then you should disable this regardless of what people tell you in other posts about fixing this problem. BUT, if you disable this, then by default the group mapping still tries to quote the userDN that is used to search for and therefore inserts " into the userDN string… simply wrong… After looking further I found a hidden little option called ldap.quoteUserDN (I may be wrong because I'm not at work at the mo). Simply insert this into your wildfire.xml and set it to false.