Just found out that if the CN contains non-ASCII chars, the authentication will fail, but lw-find-user-by-name can get the user info successfully. I tried every way I could think of to set the locale for likewise and vmware-sts-idmd, and it still failed.
A CN containing non-ASCII chars is very common in the real world, I think. This bug may prevent VCSA from gaining popularity.