- Bug
- Resolution: Done
- Major
- PicketBox_5_0_0.Alpha3
When LdapExtLoginModule has the option rolesCtxDN set to an empty string, it behaves differently in EAP 7.0 (PicketBox 4.9.x) and 7.1 (PicketBox 5.0.x).
EAP 7.0 uses the empty string as the search base for LDAP.
- When the LDAP server supports an empty string search base (e.g. Apache DS allows it), it works as expected: the whole LDAP tree is searched for roles.
- When the LDAP server does not support an empty string search base (e.g. Active Directory or Red Hat Directory Server), it throws an exception and authentication fails. However, the exception is expected, since this is a misconfiguration for those LDAP servers.
EAP 7.1 does not search for any roles when the string is empty. That means:
- When the LDAP server supports an empty string search base, it does not find any roles. However, some roles could be found on that type of LDAP server.
- When the LDAP server does not support an empty string search base, it correctly returns no roles and authentication passes.
From my PoV, the behavior from EAP 7.0 is more correct, because it works correctly for LDAP servers where an empty string is a legal search base. However, it can be decided that the current EAP 7.1 behavior is intended. In that case, please create a Release Notes Jira (because it is a change in behavior) and close this Jira.
- clones: JBEAP-5914 New behavior for empty string in rolesCtxDN in LdapExtLoginModule in EAP 7.1 (Closed)