I have been fighting an issue for awhile where I cannot get our application to work with a secondary user store (AD) without specifying the domain name. AD user/role enumeration is working fine, and I am able to login to the WSO2 admin console with an AD account (username only!) granted admin rights via an AD group, so if that works, then I would think the entitlement service would too...
I have determined the reason for this is that while I can login to the application (and WSO2 admin console) with the AD username only, the role assignment is not being picked up by the application unless I specify the domain with the account (domain/user), as confirmed by using the PEP/search tool. If I use the domain/user in PEP search, I can see the entitlements.. if I use the username only, I don't. My XACML is defined to use domain/group for the role. It's worth noting that if I use an internal role with an internal user and applicable XACML policy, the application works perfect.
This looks to be the same bug as for 4.2.0 (https://wso2.org/jira/browse/CARBON-14861) but I cannot find anything similar for 4.5.0. Does anyone know of a way around this other than making my LDAP user store primary?
TIA!
