Isn't the wrapper log includes oxauth.log, too?
It seems this is the cause of the issue:
From the wrapper.log:
> INFO | jvm 1 | 2015/08/20 12:10:15 | 2015-08-20 12:10:15,175 INFO [org.gluu.oxtrust.action.Authenticator] user uid:gluuadmin
> INFO | jvm 1 | 2015/08/20 12:10:15 | 2015-08-20 12:10:15,244 INFO [org.gluu.oxtrust.action.Authenticator] Authenticating user 'gluuadmin'
> INFO | jvm 1 | 2015/08/20 12:10:15 | 2015-08-20 12:10:15,244 DEBUG [org.gluu.oxtrust.ldap.service.AppInitializer] Created site LdapAuthEntryManager: org.gluu.site.ldap.persistence.LdapEntryManager@3b0758cd
> INFO | jvm 1 | 2015/08/20 12:10:15 | 2015-08-20 12:10:15,273 ERROR [org.gluu.oxtrust.action.Authenticator] Failed to find user 'gluuadmin' in ldap
> INFO | jvm 1 | 2015/08/20 12:10:15 | org.gluu.site.ldap.persistence.exception.EntryPersistenceException: Failed to find entries with baseDN: ou=people,o=@!B46D.09B7.AAB2.C330!0001!38B8.ED01,o=gluu, filter: (&(&(objectClass=top)(objectClass=gluuPerson))(&(uid=gluuadmin)))
Now from a wireshark capture that was conducted at the same moment (note a timestamps on both):
10 1.297917000 192.168.238.102 192.168.238.10 LDAP 220 searchRequest(3) "ou=people,o=@!B46D.09B7.AAB2.C330!0001!38B8.ED01,o=gluu" wholeSubtree
Frame 10: 220 bytes on wire (1760 bits), 220 bytes captured (1760 bits) on interface 0
Interface id: 0
Encapsulation type: Ethernet (1)
Arrival Time: Aug 20, 2015 15:10:15.246556000 MSK
...(omitted for brevity)...
Transmission Control Protocol, Src Port: 60086 (60086), Dst Port: ldap (389), Seq: 1, Ack: 1, Len: 154
Lightweight Directory Access Protocol
LDAPMessage searchRequest(3) "ou=people,o=@!B46D.09B7.AAB2.C330!0001!38B8.ED01,o=gluu" wholeSubtree
messageID: 3
protocolOp: searchRequest (3)
searchRequest
baseObject: ou=people,o=@!B46D.09B7.AAB2.C330!0001!38B8.ED01,o=gluu
scope: wholeSubtree (2)
derefAliases: neverDerefAliases (0)
sizeLimit: 0
timeLimit: 0
typesOnly: False
Filter: (&(&(objectClass=top)(objectClass=gluuPerson))(uid=gluuadmin))
attributes: 0 items
192.168.238.10 is my AD backend. So what happens here is it tries to search my backend as it would have been its own internal LDAP db. But the most peculiar part is that actual authentication already happened at the very beginning of the session - there already was a correct sequence of "LDAP request for subtree -> LDAP request for user object -> LDAP bind request with user's creds" and it was successful. So later on a second (and invalid) authentication attempt occurs, and it fails this time.
I don't know wheter or not this double authentication is a normal workflow, though. Do you know it, Zico?