In Ldap Realm roles are searched before actual user password is validated. Ldap Realm uses following flow:
- searching for username
- searching for roles (i.e. searching for attributes)
- validating password for username
It means even if wrong password is used then roles in LDAP are searched. Password should be validated before some roles are searched. Current behavior can result to performance issues.