we've found that LDAP auth matches wrong user in certain conditions.
1. we have three users in LDAP: xyz_a, xyz_ab, xyz_abc
2. user xyz_a fill the credentials on xwiki login page
3. xwiki queries LDAP for users (as it seems for all the users eligible to login)
4. three users for "xyz_a" string are found
5. xwiki tries to auth to last matched LDAP account - xyz_abc
6. Login fails