Using NAM 3.1 or 3.2, is there a way to use the fully qualified
distinguished name of a user object in eDirectory for authentication?

For example, we have a base organization (o=customers) that has
multiple OUs under it (ou=Customer1,o=customers and
ou=Customer2,o=customers). The customer OUs represent customer entities
that have their own users, who use their email address as the CN for the
user objects. The twist is that the same user may belong to more than
one customer entity and as such is required by business rules to be
treated as two different users with two different passwords, but still
use the email address as the CN in eDirectory, so I end up with
,ou=users,ou=Customer1,o=customers and ,ou=users,ou=Customer2,o=customers

Because customer entity OUs can be created automatically through
business processes, we need to have a way to successfully authenticate
users based on their OU context, but without defining a scope beyond
o=customers in the IDP. I know that NAM supports custom classes for
custom authentication methods, but I'm not sure how I would be able to
authenticate with the user's DN or specify an LDAP scope to filter the
search to the user's OU for that specific entity dynamically.

I understand that from an IDM perspective this is not the ideal
structure or best practices but it is what I have been given to work

Any thoughts or suggestions would be greatly appreciated.

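The flow the question describes, as an added example that is not code from the thread, from NAM or from NetIQ: take the customer the user is logging in for plus the email address used as CN, search one level under ou=users,ou=<customer>,o=customers so the same email under Customer1 and Customer2 cannot collide, and then bind as the single DN that comes back. It is written in plain Python against a constructed in-memory stand-in for eDirectory (the `StandInDirectory` class, the `authenticate` function, the sample entries and the example.com addresses are all assumptions); it does not use NAM's custom authentication-class API, and in production the search and bind would go to the LDAP server.

```python
"""Added example: scoped search-then-bind login for per-customer OUs.

Not code from the thread or from NAM. It models the flow the question
describes in plain Python: build the search base from the customer the
user is logging in for, search one level under that OU for the e-mail
used as CN, and bind as the single DN that comes back. The directory
is a constructed in-memory stand-in for eDirectory; in production the
search and bind would go to the LDAP server instead.
"""
from __future__ import annotations

import hmac
import re
from typing import Optional

BASE_DN = "o=customers"


def escape_dn_value(value: str) -> str:
    """Escape an attribute value for use inside a DN (RFC 4514 rules)."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in ',+"\\<>;=' or (i == 0 and ch in " #") or (i == last and ch == " "):
            out.append("\\" + ch)
        elif ord(ch) < 0x20:
            out.append("\\%02x" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


def escape_filter_value(value: str) -> str:
    """Escape an assertion value for use inside a search filter (RFC 4515)."""
    table = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}
    return "".join(table.get(ch, ch) for ch in value)


def users_base(customer: str) -> str:
    """Search base for one customer entity; the customer name is untrusted input."""
    return f"ou=users,ou={escape_dn_value(customer)},{BASE_DN}"


def user_filter(email: str) -> str:
    """Filter matching the e-mail address stored as the CN of the user object."""
    return f"(cn={escape_filter_value(email)})"


def _unescape_filter_value(value: str) -> str:
    """Inverse of escape_filter_value; only the stand-in directory needs it."""
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)


class StandInDirectory:
    """Constructed stand-in for eDirectory (assumption): maps DN -> attributes."""

    def __init__(self, entries: dict[str, dict[str, str]]) -> None:
        self.entries = entries

    def search(self, base: str, scope: str, ldap_filter: str) -> list[str]:
        """Return DNs matching a (cn=...) filter under base; scope is 'one' or 'sub'."""
        m = re.fullmatch(r"\(cn=(.*)\)", ldap_filter)
        if m is None:
            raise ValueError("stand-in only understands (cn=...) filters")
        wanted = _unescape_filter_value(m.group(1)).lower()
        hits = []
        for dn, attrs in self.entries.items():
            parent = re.split(r"(?<!\\),", dn, maxsplit=1)[1]  # strip the RDN
            if scope == "one" and parent.lower() != base.lower():
                continue
            if scope == "sub" and not (dn.lower() == base.lower() or dn.lower().endswith("," + base.lower())):
                continue
            if attrs["cn"].lower() == wanted:
                hits.append(dn)
        return hits

    def bind(self, dn: str, password: str) -> bool:
        """Simple bind: the real server checks the password; here it is compared in memory."""
        entry = self.entries.get(dn)
        return entry is not None and hmac.compare_digest(entry["userPassword"].encode(), password.encode())


def authenticate(directory: StandInDirectory, customer: str, email: str, password: str) -> Optional[str]:
    """Return the authenticated DN, or None.

    The one-level search under the customer's users OU is what keeps the same
    e-mail under Customer1 and Customer2 from colliding: each login names its
    customer, so exactly one entry can match. Anything other than one hit is
    a failure, never a guess.
    """
    if not password:
        return None  # an empty password would be an anonymous bind on many servers
    hits = directory.search(users_base(customer), "one", user_filter(email))
    if len(hits) != 1:
        return None
    return hits[0] if directory.bind(hits[0], password) else None


# Constructed sample data: the same e-mail exists under two customer OUs
# with different passwords, exactly the situation in the question.
DIRECTORY = StandInDirectory({
    "cn=alice@example.com,ou=users,ou=Customer1,o=customers": {"cn": "alice@example.com", "userPassword": "pw-one"},
    "cn=alice@example.com,ou=users,ou=Customer2,o=customers": {"cn": "alice@example.com", "userPassword": "pw-two"},
    "cn=bob@example.com,ou=users,ou=Customer2,o=customers": {"cn": "bob@example.com", "userPassword": "pw-bob"},
})

if __name__ == "__main__":
    print(authenticate(DIRECTORY, "Customer1", "alice@example.com", "pw-one"))
    print(authenticate(DIRECTORY, "Customer2", "alice@example.com", "pw-one"))  # None: other entity's password
    print(DIRECTORY.search(BASE_DN, "sub", user_filter("alice@example.com")))  # two hits: why the scope matters
```

Two points worth noting for whoever wires this into a real directory: a subtree search from o=customers alone returns both entries for the same email, so the customer identifier has to come from the login request (a separate form field, a per-customer login URL, or similar) and is untrusted input; both it and the email are escaped before they are placed in the base DN and the filter, otherwise a value like `Customer1,o=evil` or `*` changes which entries the search can reach. The bind is then done as the DN the search returned, never as a DN assembled from the raw input.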