Red Hat Bugzilla – Bug 623819
Upgrade issue : LDAP auth ignored for users with RHQ principals
Last modified: 2011-05-23 21:09:00 EDT
Prior to RHQ 4.0.0 and JON 2.4, if RHQ user authentication failed (using auth info in the RHQ db), then authentication would be passed to LDAP, if configured. The authentication could then pass if LDAP stored the correct password and the one in RHQ was stale.
This situation could arise if a user was defined in RHQ prior to LDAP auth being configured, or prior to the user being defined in LDAP. In this situation a user could have credentials stored in RHQ and LDAP.
In 2.4, the authentication strategy was changed for security reasons. In 2.4, if the user has credentials stored in RHQ, he *must* authenticate against that password. LDAP will not be queried.
The net effect of this is that, after an upgrade, LDAP authentication is ignored for users with RHQ-stored credentials. It will seem as if LDAP auth is broken, but it is not; it is not being queried. (Note: if RHQ and LDAP have the same password stored for a user, it will seem like LDAP auth is happening, but it is not.)
Unless the user knows the old password, he will not be able to log in.
Bookkeeping - closing bug - fixed in recent release.
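The behaviour change described in this bug, modelled as an added example (not RHQ code, and not part of the original report). The two dictionaries are constructed stand-ins for the RHQ database and the LDAP directory, all function names are hypothetical, and the sketch assumes that users without an RHQ principal are still sent to LDAP in 2.4.

```python
import hmac

# Constructed stand-ins for the two credential stores (not real RHQ or LDAP data).
RHQ_PRINCIPALS = {"alice": "stale-pw", "bob": "shared-pw"}
LDAP_DIRECTORY = {"alice": "current-pw", "bob": "shared-pw", "carol": "carol-pw"}


def _matches(store, user, password):
    """Constant-time comparison against the stored secret; False for unknown users."""
    stored = store.get(user)
    return stored is not None and hmac.compare_digest(stored.encode(), password.encode())


def login_before_2_4(user, password):
    """Old strategy: try the RHQ db, then fall through to LDAP on failure."""
    if _matches(RHQ_PRINCIPALS, user, password):
        return "rhq"
    if _matches(LDAP_DIRECTORY, user, password):
        return "ldap"
    return None


def login_2_4(user, password):
    """New strategy: a stored RHQ principal is authoritative, LDAP is not queried.
    Assumption: users without an RHQ principal still go to LDAP."""
    if user in RHQ_PRINCIPALS:
        return "rhq" if _matches(RHQ_PRINCIPALS, user, password) else None
    return "ldap" if _matches(LDAP_DIRECTORY, user, password) else None


def ldap_shadowed_users(principals, directory):
    """Pre-upgrade audit: accounts in both stores, for which LDAP will be ignored."""
    return sorted(set(principals) & set(directory))


def upgrade_report(ldap_logins):
    """For each (user, LDAP password) pair, show the outcome under both strategies."""
    return {user: (login_before_2_4(user, pw), login_2_4(user, pw))
            for user, pw in ldap_logins.items()}


if __name__ == "__main__":
    print("LDAP ignored after upgrade for:",
          ldap_shadowed_users(RHQ_PRINCIPALS, LDAP_DIRECTORY))
    for user, outcome in upgrade_report(LDAP_DIRECTORY).items():
        print(user, "before/after:", outcome)
```

In the report, `alice` is the lockout case from the description, and `bob` is the masked case: the login succeeds with the LDAP password both times, but the source that accepted it is the RHQ store.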