The LDAPLoginModule has the ability to supply a configuration variable (role.name.attribute) to use when creating a role. This value can be changed from "cn" to any of a number of LDAP attributes. However, it cannot access the actual distinguished name of the queried groups while processing a login, because "dn", "distinguishedName", "entryDN", etc. are not universally supported as attributes across LDAP implementations.
Proposal: special-case "dn" and use javax.naming.directory.SearchResult.getNameInNamespace(), which returns the DN of each found group, when converting a group to a role.
This is a very small change; will provide a patch.
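The resolution logic described above, as an added illustration (this is not the project's LDAPLoginModule code nor the patch the reporter refers to). The class name `RoleNameResolver`, the method `roleNameFor` and the sample DNs are assumptions made for this example. It also shows why the DN matters from an authorization standpoint: two groups that share `cn=admins` under different OUs collapse into one role when `role.name.attribute=cn`, but stay distinct when the DN is used.

```java
import javax.naming.NamingException;
import javax.naming.directory.Attribute;
import javax.naming.directory.Attributes;
import javax.naming.directory.BasicAttributes;
import javax.naming.directory.SearchResult;

// Hypothetical helper, not part of the project: derives a role name from a group entry.
public class RoleNameResolver {

    // Special-cased value of role.name.attribute meaning "use the entry's full DN".
    static final String DN_ATTRIBUTE = "dn";

    /**
     * Returns the role name for one group entry found during the role search.
     * When the configured attribute is "dn", the distinguished name reported by the
     * server (getNameInNamespace) is used, which works regardless of whether the
     * directory exposes "dn", "entryDN" or "distinguishedName" as an attribute.
     * Otherwise the configured attribute (e.g. "cn") is read. Returns null when no
     * usable value exists so the caller can skip the entry instead of failing.
     */
    static String roleNameFor(SearchResult result, String roleNameAttribute) throws NamingException {
        if (DN_ATTRIBUTE.equalsIgnoreCase(roleNameAttribute)) {
            String dn = result.getNameInNamespace();
            return (dn == null || dn.isEmpty()) ? null : dn;
        }
        Attributes attrs = result.getAttributes();
        if (attrs == null) {
            return null;
        }
        Attribute attr = attrs.get(roleNameAttribute);
        if (attr == null) {
            return null;
        }
        Object value = attr.get();
        return value == null ? null : value.toString();
    }

    // Constructed sample entry: a group with the given DN and cn, as a search would return it.
    static SearchResult sampleGroup(String dn, String cn) {
        SearchResult r = new SearchResult("cn=" + cn, null, new BasicAttributes("cn", cn, true));
        r.setNameInNamespace(dn);
        return r;
    }

    public static void main(String[] args) throws NamingException {
        // Constructed data: two distinct groups that happen to share cn=admins.
        SearchResult broker = sampleGroup("cn=admins,ou=broker,dc=example,dc=com", "admins");
        SearchResult staging = sampleGroup("cn=admins,ou=staging,dc=example,dc=com", "admins");

        // role.name.attribute=cn: both groups map to the same role name.
        System.out.println("cn: " + roleNameFor(broker, "cn") + " / " + roleNameFor(staging, "cn"));

        // role.name.attribute=dn: the roles stay distinct.
        System.out.println("dn: " + roleNameFor(broker, "dn") + " / " + roleNameFor(staging, "dn"));

        // A group lacking the configured attribute yields null rather than an exception.
        System.out.println("missing: " + roleNameFor(broker, "description"));
    }
}
```

The `equalsIgnoreCase` comparison keeps the special case tolerant of `DN` in configuration files; every other value is passed through unchanged as an attribute ID, so existing deployments using `cn` or other attributes are unaffected.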