  1. JBoss Enterprise Application Platform
  2. JBEAP-5914

New behavior for empty string in rolesCtxDN in LdapExtLoginModule in EAP 7.1


    • Regression

      Use case:
      Configure an empty string search base (in the rolesCtxDN option of LdapExtLoginModule) to search for roles in the whole LDAP tree.

      When LdapExtLoginModule has the option rolesCtxDN set to an empty string, it behaves differently in EAP 7.0 (PicketBox 4.9.x) and 7.1 (PicketBox 5.0.x).

      EAP 7.0 uses the empty string as the search base for LDAP.

      • When the LDAP server is configured to support an empty string search base, it works as expected: the whole LDAP tree is searched for roles.
      • When the LDAP server is configured not to support an empty string search base, an exception is thrown and authentication fails. However, the exception is expected, since this is a misconfiguration for those LDAP servers.

      EAP 7.1 does not search for any roles when the string is empty. That means:

      • When the LDAP server is configured to support an empty string search base, it does not find any roles. However, some roles could be found on that type of LDAP server.
      • When the LDAP server is configured not to support an empty string search base, it correctly returns no roles and authentication passes.

      From my PoV, the behavior from EAP 7.0 is more correct, because it works correctly for LDAP servers where an empty string is a legal search base. However, it can be decided that the current EAP 7.1 behavior is intended. In that case, please create a Release Notes Jira (because it is a change in behavior) and close this Jira.

            olukas Ondrej Lukas (Inactive)
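
An added example, not part of the original issue or of the EAP code base: a Python check that lists the security domains whose LdapExtLoginModule has rolesCtxDN set to an empty string, the setting whose role search differs between EAP 7.0 and 7.1 as reported above. The sample configuration, domain names and DNs are constructed, and the element layout assumes the legacy security subsystem format.

```python
import xml.etree.ElementTree as ET

# Values of the login-module "code" attribute that select LdapExtLoginModule
# ("LdapExtended" is the short alias in the legacy security subsystem).
LDAP_EXT_CODES = {"LdapExtended", "org.jboss.security.auth.spi.LdapExtLoginModule"}

# Constructed sample (not from the issue): one domain with an empty
# rolesCtxDN and one with an explicit roles search base.
SAMPLE_CONFIG = """
<subsystem xmlns="urn:jboss:domain:security:1.2">
  <security-domains>
    <security-domain name="whole-tree-roles">
      <authentication>
        <login-module code="LdapExtended" flag="required">
          <module-option name="rolesCtxDN" value=""/>
        </login-module>
      </authentication>
    </security-domain>
    <security-domain name="scoped-roles">
      <authentication>
        <login-module code="LdapExtended" flag="required">
          <module-option name="rolesCtxDN" value="ou=Roles,dc=example,dc=test"/>
        </login-module>
      </authentication>
    </security-domain>
  </security-domains>
</subsystem>
"""

def local(tag):
    """Strip the XML namespace so any subsystem schema version matches."""
    return tag.rsplit("}", 1)[-1]

def domains_with_empty_roles_ctx(xml_text):
    """Return names of security domains whose LdapExtLoginModule has rolesCtxDN=""."""
    flagged = []
    root = ET.fromstring(xml_text)
    for domain in (e for e in root.iter() if local(e.tag) == "security-domain"):
        for module in (e for e in domain.iter() if local(e.tag) == "login-module"):
            if module.get("code") not in LDAP_EXT_CODES:
                continue
            for opt in (e for e in module.iter() if local(e.tag) == "module-option"):
                if opt.get("name") == "rolesCtxDN" and opt.get("value") == "":
                    flagged.append(domain.get("name"))
    return flagged

if __name__ == "__main__":
    for name in domains_with_empty_roles_ctx(SAMPLE_CONFIG):
        print(f"{name}: rolesCtxDN is empty; role search differs between EAP 7.0 and 7.1")
```

A domain flagged here is one where, per the report, users may authenticate with no roles after moving to EAP 7.1, so role-dependent access should be retested on it.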