"Wrong Email or Password" When AD/LDAP Connection and Database Connection Enabled for Same Application

Problem Statement

We have an application with both an AD/LDAP enterprise connection and the Username-Password-Authentication database connection enabled for it. When trying to log in through the application with a user that exists in our LDAP we get “Wrong email or password”.

Cause

When an AD/LDAP connection is enabled for an application, it behaves like a database connection. If another database connection is also enabled for that application, the login defaults to only one of them. In this scenario the database connection was older, so it was chosen by default on the Universal Login Page, and credentials meant for the AD/LDAP connection failed with “Wrong username or password” errors.

The same issue can occur with multiple AD/LDAP connections enabled.

Solution

The solution is to specify the intended connection by including a “connection” parameter in the /authorize request.

Alternatively, the AD/LDAP connections can be configured for home realm discovery, so the user’s email address domain can be used to direct the user to the right connection automatically.