As noticed with @mmodell when he tried to T220653. it wouldn't let him use both "20after4" and "twentyafterfour" as a username for auth over http. This is because his shell name and cn name are different.
To use auth over http, you must use a username, @mmodell username in gerrit is twentyafterfour, so when he tried using it, it was failing to find him in ldap as it was using the cn field to search.
We should find a way to allow users who have a different shell name to the cn field, to be able to auth.