See the discussion on the Jetspeed user list starting on December 3rd, 2007: "Users and Roles definition with LDAP".
The problem is a mismatch between the form in which roles are assigned to users and the form in which the users belonging to a given role are looked up.
When user-role membership attributes are used (i.e. an attribute on the user entry lists the roles the user has; by default this is the 'j2-role' attribute), a role is assigned to a user by storing the role's DN, for example 'uid=someRole,ou=Roles,o=sevenSeas'. However, to look up the users of a role through that same membership attribute, LdapMembershipDaoImpl.searchUsersFromRoleByUser(roleUid) is used, which constructs an LDAP query that searches each user's role attribute for the bare role UID value. Hence no users are found, because the role attributes on the users contain role DNs instead of UIDs.
The reverse lookup, namely finding which roles a user has, works, because that method accepts either a role UID or a role DN in the user's role attribute (see LdapMembershipDaoImpl.searchRoleMemberShipByUser()).
So basically, LdapMembershipDaoImpl.searchUsersFromRoleByUser(roleUid) should search for the role DN as well as the role UID.
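The following is an added, standalone illustration of the fix described above; it is not Jetspeed code and does not reproduce LdapMembershipDaoImpl. It builds the filter the corrected lookup would need (an OR of the bare role UID and the role's DN), runs both the UID-only filter and the corrected one against a small constructed in-memory directory, and escapes the caller-supplied role UID per RFC 4515 so a crafted UID cannot alter the filter. The attribute name 'j2-role', the 'ou=Roles,o=sevenSeas' base and the user entries are assumptions taken from the report; the filter evaluator is a toy stand-in for an LDAP server, not a real client.

```python
# Added example, not Jetspeed code: why a UID-only filter misses users whose
# 'j2-role' attribute holds a role DN, and how an OR filter over UID and DN fixes it.
import re

ROLE_MEMBERSHIP_ATTR = "j2-role"            # Jetspeed default named in the report
ROLES_BASE_DN = "ou=Roles,o=sevenSeas"      # assumed location of role entries


def escape_filter_value(value: str) -> str:
    """Escape a value for use inside an LDAP search filter (RFC 4515).

    Without this a role uid such as 'x)(j2-role=*' would change the filter's
    meaning (LDAP filter injection), so every caller-supplied value goes here.
    """
    return "".join("\\%02x" % ord(ch) if ch in "*()\\\x00" else ch for ch in value)


def role_dn(role_uid: str) -> str:
    return f"uid={role_uid},{ROLES_BASE_DN}"


def users_in_role_filter_uid_only(role_uid: str) -> str:
    """Filter as described for the buggy lookup: matches only a bare uid value."""
    return f"({ROLE_MEMBERSHIP_ATTR}={escape_filter_value(role_uid)})"


def users_in_role_filter(role_uid: str) -> str:
    """Corrected filter: matches either the bare role uid or the role's full DN."""
    uid_term = f"({ROLE_MEMBERSHIP_ATTR}={escape_filter_value(role_uid)})"
    dn_term = f"({ROLE_MEMBERSHIP_ATTR}={escape_filter_value(role_dn(role_uid))})"
    return f"(|{uid_term}{dn_term})"


# --- toy evaluator for the filter subset used above: (attr=value) and (|...) ---

def _unescape(value: str) -> str:
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)


def _normalize(value: str) -> str:
    # uid and DN values compare case-insensitively in typical schemas; also drop
    # whitespace around RDN separators so 'uid=x, ou=Roles' equals 'uid=x,ou=Roles'.
    return re.sub(r"\s*,\s*", ",", value.strip()).lower()


def _parse(filter_str: str, pos: int):
    """Parse one filter at pos; return (node, next_pos).

    Nodes are ('eq', attr, value) or ('or', [children]). Because ')' inside a
    value is always escaped as \\29, the first literal ')' closes the term.
    """
    assert filter_str[pos] == "(", "filter must start with '('"
    pos += 1
    if filter_str[pos] == "|":
        pos += 1
        children = []
        while filter_str[pos] == "(":
            child, pos = _parse(filter_str, pos)
            children.append(child)
        assert filter_str[pos] == ")", "unterminated OR filter"
        return ("or", children), pos + 1
    end = filter_str.index(")", pos)
    attr, _, value = filter_str[pos:end].partition("=")
    return ("eq", attr.lower(), _unescape(value)), end + 1


def _matches(node, entry: dict) -> bool:
    if node[0] == "or":
        return any(_matches(child, entry) for child in node[1])
    _, attr, wanted = node
    return any(_normalize(v) == _normalize(wanted) for v in entry.get(attr, []))


def search(directory: dict, filter_str: str) -> list:
    """Return the DNs of entries matching filter_str (stand-in for an LDAP search)."""
    node, end = _parse(filter_str, 0)
    assert end == len(filter_str), "trailing data after filter"
    return sorted(dn for dn, entry in directory.items() if _matches(node, entry))


# Constructed sample directory: alice carries the role as a DN (the default the
# report describes), bob as a bare uid, carol holds a different role.
SAMPLE_DIRECTORY = {
    "uid=alice,ou=People,o=sevenSeas": {"j2-role": ["uid=someRole,ou=Roles,o=sevenSeas"]},
    "uid=bob,ou=People,o=sevenSeas": {"j2-role": ["someRole"]},
    "uid=carol,ou=People,o=sevenSeas": {"j2-role": ["uid=otherRole,ou=Roles,o=sevenSeas"]},
}


def users_in_role(role_uid: str, directory: dict = SAMPLE_DIRECTORY, fixed: bool = True) -> list:
    """Users holding role_uid, using the corrected (fixed=True) or UID-only filter."""
    f = users_in_role_filter(role_uid) if fixed else users_in_role_filter_uid_only(role_uid)
    return search(directory, f)


if __name__ == "__main__":
    print("uid-only filter :", users_in_role_filter_uid_only("someRole"))
    print("  finds         :", users_in_role("someRole", fixed=False))
    print("corrected filter:", users_in_role_filter("someRole"))
    print("  finds         :", users_in_role("someRole", fixed=True))
```

With the sample directory the UID-only filter returns only bob, while the corrected filter returns alice and bob. Two caveats for a real implementation: the DN stored on the user may differ from the freshly built one only in case or spacing, so let the directory's own DN matching rule compare them rather than a byte-equal string compare, and always escape the role UID before splicing it into the filter string.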