Hi, I've never tried 2 login modules for the same domain, but reading your post, it seems to me: if the first LoginModule is sufficient, then I would think it doesn't even look at the second.
In the JAAS API I read the following:
"The overall authentication succeeds only if all Required and Requisite LoginModules succeed. If a Sufficient LoginModule is configured and succeeds, then only the Required and Requisite LoginModules prior to that Sufficient LoginModule need to have succeeded for the overall authentication to succeed."
Order is important. So if I understand you correctly, to achieve what you want, you would simply need to reverse the order of the 2 modules in the auth.conf.
The authentication works fine. The user "john" failed the first login module but succeeded in the second. You can see that in the message where principal=john.
The problem is there were no roles attached to the principal (principalRoles=) and I know that "john" has been assigned three roles in the LDAP server (tested with only LDAPLoginModule in one domain and authorization worked okay).
I think it has to do with the configuration flags of the 2 login modules... Help.
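The control-flag rule quoted from the JAAS API can be observed directly with the standard `javax.security.auth.login` classes. The following is an added example, not code from either poster: the `Toy` module, its `name`/`ok` options and the stack labels are constructed for illustration, and the program prints which modules had `login()`, `commit()` or `abort()` invoked for three orderings.

```java
import java.util.*;
import javax.security.auth.Subject;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.login.*;
import javax.security.auth.login.AppConfigurationEntry.LoginModuleControlFlag;
import javax.security.auth.spi.LoginModule;

public class FlagOrderDemo {
    static final List<String> TRACE = new ArrayList<>();
    // Constructed toy module: login() succeeds only when its "ok" option is "true".
    public static class Toy implements LoginModule {
        private String name; private boolean ok;
        public void initialize(Subject s, CallbackHandler h, Map<String, ?> shared, Map<String, ?> opts) {
            name = (String) opts.get("name");
            ok = "true".equals(opts.get("ok"));
        }
        public boolean login() throws LoginException {
            TRACE.add(name + ".login");
            if (!ok) throw new FailedLoginException(name + " rejected the user");
            return true;
        }
        public boolean commit() { TRACE.add(name + ".commit"); return ok; }
        public boolean abort() { TRACE.add(name + ".abort"); return true; }
        public boolean logout() { return true; }
    }
    // One stack entry, equivalent to one module line in a JAAS login configuration file.
    static AppConfigurationEntry entry(String name, boolean ok, LoginModuleControlFlag flag) {
        return new AppConfigurationEntry(Toy.class.getName(), flag, Map.of("name", name, "ok", String.valueOf(ok)));
    }
    // Runs one login against the given module stack and prints the outcome and call trace.
    static void attempt(String label, AppConfigurationEntry... stack) {
        TRACE.clear();
        Configuration cfg = new Configuration() {
            @Override public AppConfigurationEntry[] getAppConfigurationEntry(String app) { return stack; }
        };
        String result;
        try { new LoginContext("demo", null, null, cfg).login(); result = "SUCCESS"; }
        catch (LoginException e) { result = "FAILURE"; }
        System.out.println(label + ": " + result + " " + TRACE);
    }
    public static void main(String[] args) {
        LoginModuleControlFlag suff = LoginModuleControlFlag.SUFFICIENT, req = LoginModuleControlFlag.REQUIRED;
        attempt("sufficient(pass), sufficient(pass)", entry("first", true, suff), entry("second", true, suff));
        attempt("sufficient(fail), sufficient(pass)", entry("first", false, suff), entry("second", true, suff));
        attempt("required(fail), sufficient(pass)", entry("first", false, req), entry("second", true, suff));
    }
}
```

Changing the flag and the order of the `entry(...)` arguments corresponds to editing the flag column and the line order of a module stack in the login configuration file.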