Apache Shiro authentication against LDAP - any username/password combination gets through


I'm developing a web application using Spring, Vaadin and Apache Shiro for authentication and authorization. I have two realms, since some users log in through a database while others authenticate against LDAP. The JDBC realm works perfectly, but somehow the LDAP realm lets everybody through, no matter what username/password combination is provided.

Here is my Spring configuration:

<!-- Apache Shiro -->
<bean id="shiroFilter" class="org.apache.shiro.spring.web.ShiroFilterFactoryBean">
    <property name="securityManager" ref="securityManager" />
</bean>

<bean id="securityManager" class="org.apache.shiro.web.mgt.DefaultWebSecurityManager">
    <property name="realms">
        <list>
            <ref bean="jdbcRealm" />
            <ref bean="ldapRealm" />
        </list>
    </property>
    <property name="authenticator.authenticationStrategy">
        <bean class="org.apache.shiro.authc.pam.FirstSuccessfulStrategy" />
    </property>
</bean>
<bean id="lifecycleBeanPostProcessor" class="org.apache.shiro.spring.LifecycleBeanPostProcessor" />

<bean id="ldapContextFactory" class="org.apache.shiro.realm.ldap.JndiLdapContextFactory">
    <property name="url" value="ldap://localhost:389" />        
</bean>

<bean id="jdbcRealm" class="org.apache.shiro.realm.jdbc.JdbcRealm">
    <property name="dataSource" ref="dataSource"></property>
</bean>
<bean id="ldapRealm" class="org.apache.shiro.realm.ldap.JndiLdapRealm">
    <property name="contextFactory" ref="ldapContextFactory" />
    <property name="userDnTemplate" value="uid={0},ou=people,dc=maxcrc,dc=com" />
</bean>

Logging in is rather typical:

try {

    // Obtain user reference
    Subject currentUser = SecurityUtils.getSubject();

    // Create token using provided username and password
    UsernamePasswordToken token = new UsernamePasswordToken(userName, password);

    // Remember user
    if (rememberMe.getValue())
        token.setRememberMe(true);

    // Login: delegates to the security manager, which tries the realms in order
    currentUser.login(token);

    // If we are here, no exception was raised and the user was logged in, so redirect
    UI.getCurrent().getNavigator().navigateTo("main" + "/" + "main-page");

    // Fire CustomEvent
    fireEvent(new CustomEvent(ErasmusLoginForm.this));

} catch (UnknownAccountException e) {
    Notification.show("No such user...");
} catch (IncorrectCredentialsException e) {
    Notification.show("Invalid credentials...");
} catch (LockedAccountException e) {
    Notification.show("Locked account...");
} catch (AuthenticationException e) {
    e.printStackTrace();
    Notification.show("Some other exception...");
} catch (Exception e) {
    // Password encryption exception; do not swallow it silently
    e.printStackTrace();
    Notification.show("Login failed...");
}

I have read almost everywhere with no luck. This post (Shiro Authenticates Non-existent User in LDAP) also wasn't helpful to me: both the DN template and the URL are correct and the LDAP server is running. Why does it let everybody through?

If I turn the LDAP realm off, JDBC authentication works perfectly. But with both of them on, everybody gets through, since I'm using FirstSuccessfulStrategy.

EDIT: Additional note: if I provide an empty password, AuthenticationException is raised. But any non-empty password works fine.

Any ideas?
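A diagnostic harness for narrowing this down, added here as an example and not part of the original post: it first performs a raw JNDI simple bind against the server with no Shiro involved, then exercises the same JndiLdapRealm on its own, outside the multi-realm authenticator and its FirstSuccessfulStrategy, so you can see which layer accepts credentials that must fail. The URL and DN template are the question's; the nonexistent user and wrong password are constructed test values.

```java
import java.util.Hashtable;
import javax.naming.Context;
import javax.naming.NamingException;
import javax.naming.ldap.InitialLdapContext;
import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.realm.ldap.JndiLdapContextFactory;
import org.apache.shiro.realm.ldap.JndiLdapRealm;

/** Checks whether the LDAP server, and then the Shiro realm alone, reject credentials that must fail. */
public class LdapRealmCheck {
    static final String URL = "ldap://localhost:389";                       // from the question
    static final String DN_TEMPLATE = "uid={0},ou=people,dc=maxcrc,dc=com"; // from the question

    /** Raw JNDI simple bind, no Shiro involved. Returns true if the server accepted the bind. */
    static boolean rawBindSucceeds(String dn, String password) {
        Hashtable<String, Object> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, URL);
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, dn);
        env.put(Context.SECURITY_CREDENTIALS, password);
        try {
            new InitialLdapContext(env, null).close();
            return true;
        } catch (NamingException e) { // javax.naming.AuthenticationException is a NamingException
            return false;
        }
    }

    /** The question's realm, wired as in the Spring config but called directly. */
    static boolean realmAccepts(String user, String password) {
        JndiLdapContextFactory contextFactory = new JndiLdapContextFactory();
        contextFactory.setUrl(URL);
        JndiLdapRealm realm = new JndiLdapRealm();
        realm.setContextFactory(contextFactory);
        realm.setUserDnTemplate(DN_TEMPLATE);
        try {
            realm.getAuthenticationInfo(new UsernamePasswordToken(user, password));
            return true;
        } catch (AuthenticationException e) {
            return false;
        }
    }

    public static void main(String[] args) {
        // Constructed test values: this uid must not exist and the password is deliberately wrong.
        String user = "no-such-user-zz";
        String dn = DN_TEMPLATE.replace("{0}", user);
        System.out.println("server accepts bogus bind: " + rawBindSucceeds(dn, "wrong-password"));
        System.out.println("realm accepts bogus login: " + realmAccepts(user, "wrong-password"));
        // Healthy setup: both false. true/true means the server itself accepts the bind, so Shiro is
        // not the problem; false/true means the realm accepts without a rejected bind, so look there.
    }
}
```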
