  1. LDAP Connector
  2. MGNLLDAP-49

Pass on email and other user properties from LDAP record to Magnolia


    • Improvement
    • Resolution: Fixed
    • Neutral
    • 1.4.3
    • None
    • None

      While the LDAP module currently reads out all properties from a user's record (info.magnolia.jaas.sp.ldap.LDAPAuthenticationModule#extractAttributes), those properties are not passed on in the User instance in Magnolia. As far as I can tell, this is because of

      • info.magnolia.jaas.sp.ldap.LDAPAuthenticationModule#setEntity does not copy those properties to the Entity object. There might be security concerns about passing all attributes around, so we should at least extract this operation into an overridable method.
      • info.magnolia.cms.security.ExternalUser#getProperty systematically throws an UnsupportedOperationException, whereas it could at least check the properties of the current Entity object it wraps. I am not sure if there are any (historical?) reasons for this.

      While this is entirely and easily fixable within the current framework, it sounds like one more reason to move away from JAAS, or at least move to a LoginModule that completely delegates to Magnolia, following which we'd have an LDAP-specific UserManager implementation. And/or an LDAPUser implementation.
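
      One way to address the concern about passing every LDAP attribute around is an allowlist behind an overridable hook. The following is an added sketch, not code from the attached patches or from Magnolia: the class `LdapAttributeFilter`, its methods and the default attribute set are hypothetical, and only the standard JNDI types are real API.

```java
import java.util.*;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.Attribute;
import javax.naming.directory.Attributes;
import javax.naming.directory.BasicAttribute;
import javax.naming.directory.BasicAttributes;

// Hypothetical sketch: class and method names are assumptions, not Magnolia's API.
public class LdapAttributeFilter {

    // Assumed default allowlist. LDAP attribute names are case-insensitive, so compare in lower case.
    private static final Set<String> DEFAULT_ALLOWED = Set.of("cn", "mail", "preferredlanguage");

    // Overridable hook: a subclass decides which attributes may leave the login module.
    protected boolean isExposed(String attributeId) {
        return DEFAULT_ALLOWED.contains(attributeId.toLowerCase(Locale.ROOT));
    }

    // Copies only exposed, string-valued attributes; everything else is dropped.
    public Map<String, String> toUserProperties(Attributes ldapRecord) throws NamingException {
        Map<String, String> props = new LinkedHashMap<>();
        NamingEnumeration<? extends Attribute> all = ldapRecord.getAll();
        try {
            while (all.hasMore()) {
                Attribute attr = all.next();
                if (!isExposed(attr.getID()) || attr.size() == 0) continue;
                Object first = attr.get(0); // multi-valued attributes: keep the first value only
                if (first instanceof String) { // binary values (byte[]) are never copied
                    props.put(attr.getID().toLowerCase(Locale.ROOT), (String) first);
                }
            }
        } finally {
            all.close();
        }
        return props;
    }

    public static void main(String[] args) throws NamingException {
        // Constructed sample record, not taken from a real directory.
        Attributes record = new BasicAttributes(true); // true = ignore case of attribute IDs
        record.put(new BasicAttribute("cn", "Jane Example"));
        record.put(new BasicAttribute("Mail", "jane@example.org"));
        record.put(new BasicAttribute("userPassword", "{SSHA}constructed".getBytes()));
        record.put(new BasicAttribute("memberOf", "cn=admins,dc=example,dc=org"));
        // Only cn and mail survive; userPassword and memberOf are not on the allowlist.
        System.out.println(new LdapAttributeFilter().toUserProperties(record));
    }
}
```

      A deployment that needs further attributes would override `isExposed` rather than copy the whole record, so credential-bearing or group-membership attributes stay inside the login module unless explicitly allowed.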

        Acceptance criteria

          1. MGNLLDAP-49-2.patch
            0.7 kB
            Magnolia International
          2. MGNLLDAP-49.patch
            2 kB
            Magnolia International

              pbaerfuss Philipp Bärfuss
              gjoseph Magnolia International