Stefan Guilhen resolved SECURITY-975.
-------------------------------------
Resolution: Done
Default distinguishedNameAttribute value of LdapExtLoginModule causes
not working referrals on MS Active Directory
------------------------------------------------------------------------------------------------------------------
Key: SECURITY-975
URL: https://issues.jboss.org/browse/SECURITY-975
Project: PicketBox
Issue Type: Bug
Components: PicketBox
Affects Versions: PicketBox_5_0_2.Final
Reporter: Jiri Ondrusek
Assignee: Jiri Ondrusek
Fix For: PicketBox_5_0_3.Beta1
When a crossRef object to a different domain is configured on MS Active Directory for
handling referrals and JBoss EAP 7 uses LdapExtLoginModule, the default value
('distinguishedName') of the distinguishedNameAttribute option causes wrong handling
of referrals, which leads to authentication failure for referral users.

The referral object is returned by the original LDAP server (the LDAP server which includes
the crossRef to a different domain), but the user is obtained through the value of the
distinguishedName attribute from that response. This leads to an authentication attempt with
the referral user against the original LDAP server instead of the referenced LDAP server,
which results in failed authentication.
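
The failure mode described above, as an added example that is not PicketBox code and not the fix shipped for this issue. It contrasts taking the bind DN from the distinguishedName attribute with taking the server and DN from the search result's own name. Assumptions: JNDI reports an entry reached by following a referral as a non-relative SearchResult whose name is an LDAP URL; the host names, DNs and both helper methods are constructed for illustration.

```java
import java.net.URI;
import javax.naming.NamingException;
import javax.naming.directory.Attribute;
import javax.naming.directory.BasicAttributes;
import javax.naming.directory.SearchResult;

public class ReferralBindTarget {
    // Constructed value: the LDAP server the login module is configured against.
    static final String ORIGINAL_SERVER = "ldap://dc.parent.example.com:389";

    /** Behaviour described in the issue: DN comes from the attribute, bind goes to the original server. */
    static String[] fromDnAttribute(SearchResult sr, String dnAttribute) throws NamingException {
        Attribute dn = sr.getAttributes().get(dnAttribute);
        return new String[] { ORIGINAL_SERVER, (String) dn.get() };
    }

    /** Referral-aware choice (hypothetical helper): a non-relative name is a URL naming the server that holds the entry. */
    static String[] fromResultName(SearchResult sr, String baseDn) {
        if (sr.isRelative()) {
            // Entry lives under the configured base on the original server.
            return new String[] { ORIGINAL_SERVER, sr.getName() + "," + baseDn };
        }
        URI url = URI.create(sr.getName());
        String server = url.getScheme() + "://" + url.getAuthority();
        // getPath() percent-decodes the DN; drop the leading '/'.
        return new String[] { server, url.getPath().substring(1) };
    }

    public static void main(String[] args) throws NamingException {
        String userDn = "CN=Jane Doe,CN=Users,DC=child,DC=example,DC=com";
        BasicAttributes attrs = new BasicAttributes(true);
        attrs.put("distinguishedName", userDn);
        // Constructed search result for a user found by following a referral to the child domain.
        SearchResult sr = new SearchResult(
            "ldap://dc.child.example.com:389/CN=Jane%20Doe,CN=Users,DC=child,DC=example,DC=com",
            null, attrs, false);

        String[] a = fromDnAttribute(sr, "distinguishedName");
        String[] b = fromResultName(sr, "DC=parent,DC=example,DC=com");
        System.out.println("attribute-based: bind " + a[1] + " at " + a[0]);
        System.out.println("name-based:      bind " + b[1] + " at " + b[0]);
    }
}
```

Both paths yield the same user DN; only the name-based path keeps the host of the referenced server, which is the information lost when the DN is read from the attribute.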