In some LDAP environments when they have comma in the value of bindingAttribute, the LDAPIdentityStore.getBindingDN doesn't work correctly. This means that functionalities which relies on it (like authentication or updating of user) doesn't work.

It's caused by the fact that commas are escaped in DN but not in CN (or uid or whatever is used as bindingAttribute).

Some more info from customer:
In our AD, the distinguished name (dn) is
“CN=Doe\, John (MyCompany\, Contractor),OU=Users,OU=MyCompany,DC=company,DC=net”

But the picketlink idm-impl api code uses the CN attribute + baseDN to populate the dn attribute. And in this case it returns

“CN=Doe, John (MyCompany, Contractor),OU=Users,OU=MyCompany,DC=company,DC=net”

This value doesn’t have the “\” and hence the authentication fails.