step1: Guvnor

brms.ldif

# Sample directory tree for the "brms" JAAS policy shown in login-config.xml:
# an organization entry, a People OU holding three users, and a Roles OU
# holding two groupOfNames entries whose cn is used as the role name.
dn: o=brms,dc=my-domain,dc=com
objectclass: top
objectclass: organization
o: brms

# Container for user entries; the login module builds the bind DN as
# uid=<login>,ou=People,o=brms,dc=my-domain,dc=com.
dn: ou=People,o=brms,dc=my-domain,dc=com
objectClass: top
objectClass: organizationalUnit
ou: People

# Administrative user. userPassword is stored here in cleartext and equals the
# uid, so it is a sample value only: before loading this anywhere other than a
# throwaway test directory, replace it with a strong password stored as a
# salted hash (for example an {SSHA} value produced by the server's password
# tool), and restrict read access to userPassword in the server ACLs.
dn: uid=admin,ou=People,o=brms,dc=my-domain,dc=com
objectclass: top
objectClass: uidObject
objectclass: inetOrgPerson
objectclass: person
uid: admin
cn: admin
sn: admin
userPassword: admin

# Ordinary user; same cleartext password-equals-uid caveat as the admin entry.
dn: uid=john,ou=People,o=brms,dc=my-domain,dc=com
objectclass: top
objectClass: uidObject
objectclass: inetOrgPerson
objectclass: person
uid: john
cn: john
sn: john
userPassword: john

# Ordinary user; same cleartext password-equals-uid caveat as the admin entry.
dn: uid=mary,ou=People,o=brms,dc=my-domain,dc=com
objectclass: top
objectClass: uidObject
objectclass: inetOrgPerson
objectclass: person
uid: mary
cn: mary
sn: mary
userPassword: mary

# Container for role entries (rolesCtxDN in login-config.xml).
dn: ou=Roles,o=brms,dc=my-domain,dc=com
objectClass: organizationalUnit
objectClass: top
ou: Roles

# Role "admin": only uid=admin is a member. Membership is matched on the full
# user DN, so each member value must be the exact DN of a People entry.
dn: cn=admin,ou=Roles,o=brms,dc=my-domain,dc=com
objectClass: top
objectClass: groupOfNames
cn: admin
description: brms admin role
member: uid=admin,ou=People,o=brms,dc=my-domain,dc=com

# Role "user": all three accounts are members, including admin.
dn: cn=user,ou=Roles,o=brms,dc=my-domain,dc=com
objectClass: top
objectClass: groupOfNames
cn: user
description: brms user role
member: uid=admin,ou=People,o=brms,dc=my-domain,dc=com
member: uid=john,ou=People,o=brms,dc=my-domain,dc=com
member: uid=mary,ou=People,o=brms,dc=my-domain,dc=com

delete.dn

o=brms,dc=my-domain,dc=com
ou=People,o=brms,dc=my-domain,dc=com
ou=Roles,o=brms,dc=my-domain,dc=com
uid=admin,ou=People,o=brms,dc=my-domain,dc=com
uid=john,ou=People,o=brms,dc=my-domain,dc=com
uid=mary,ou=People,o=brms,dc=my-domain,dc=com
cn=admin,ou=Roles,o=brms,dc=my-domain,dc=com
cn=user,ou=Roles,o=brms,dc=my-domain,dc=com

login-config.xml

<!-- JAAS policy "brms". The login module authenticates by binding to the
     directory as principalDNPrefix + login name + principalDNSuffix with the
     supplied password, then searches rolesCtxDN for entries whose "member"
     value equals that user DN and uses their "cn" as the role name. -->
<application-policy name="brms">
 <authentication>
  <login-module code="org.jboss.security.auth.spi.LdapLoginModule" flag="required" >
         <!-- NOTE(review): the value below starts with a space; confirm the
              loader trims it, otherwise the context factory class will not resolve. -->
         <module-option name="java.naming.factory.initial"> com.sun.jndi.ldap.LdapCtxFactory</module-option>
         <!-- Plain ldap:// with "simple" authentication sends the bind password
              unencrypted. That is tolerable only because the directory is on
              localhost here; use ldaps:// (or another TLS-protected transport)
              as soon as the directory lives on a different host. -->
         <module-option name="java.naming.provider.url">ldap://localhost:389/</module-option>
         <module-option name="java.naming.security.authentication">simple</module-option>
         <!-- NOTE(review): many LDAP servers treat a simple bind with an empty
              password as an anonymous bind that succeeds. LdapLoginModule has an
              allowEmptyPasswords option; confirm it is effectively false for the
              JBoss version in use, and set it explicitly if in doubt. -->
         <module-option name="principalDNPrefix">uid=</module-option>
         <module-option name="principalDNSuffix">,ou=People,o=brms,dc=my-domain,dc=com</module-option>
         <!-- Role lookup: base DN of the role entries, the attribute that holds
              the member reference, and a flag saying that reference is the full
              user DN rather than the bare login name. -->
         <module-option name="rolesCtxDN">ou=Roles,o=brms,dc=my-domain,dc=com</module-option>
         <module-option name="uidAttributeID">member</module-option>
         <module-option name="matchOnUserDN">true</module-option>
         <!-- The role name is read directly from cn (it is not a DN to dereference). -->
         <module-option name="roleAttributeID">cn</module-option>
         <module-option name="roleAttributeIsDN">false</module-option>
  </login-module>
 </authentication>
</application-policy>

jboss-brms.war/WEB-INF/components.xml

        <!-- jaas-config-name must match the application-policy name in
             login-config.xml ("brms"). After deploying, verify that a login
             with a wrong or empty password is rejected, to confirm that this
             policy is the one actually enforcing authentication. -->
        <security:identity authenticate-method="#{authenticator.authenticate}" jaas-config-name="brms"/>