Mechanism to obtain passwords from external sources for login modules works only with option {EXT} - non-cached. New feature to cache passwords with command option {EXTC[:timeout]} - timeout is optional expiration in milliseconds, doesn't work. Problem is propably in LdapExtLoginModule method createLdapInitContext, that doesn't deal with commands that starts with option {EXTC[:timeout]}
Tag for picketbox: https://svn.jboss.org/repos/picketbox/tags/4.0.17.SP1/ PR for EAP 6.1.1: https://github.com/jbossas/jboss-eap/pull/248