2 Replies Latest reply on Apr 6, 2010 10:53 AM by bdaw

    GateIn/PicketLink Authentication against LDAP Tree

    fredcurry

I have set up my GateIn portal to authenticate against an LDAP by going through the documentation and samples, and everything seems to be working properly. However, the samples and documentation are limited to having all of the portal's users in one container. This is not the case in my scenario. Our users are separated into hundreds of containers based on their office locations, so I need to be able to authenticate users by performing a subtree search. To complicate matters, the number of offices is not static, as they can be created in or removed from the directory without involving IT, which means that I cannot simply add a ctxDN for every possible office.


      I modified the ctxDNs option in the picketlink-idm-ldap-config.xml from "ou=People,o=portal,o=gatein,dc=example,dc=com" to "o=portal,o=gatein,dc=example,dc=com", however I was not able to log in.


      I have attached an image of my tree which outlines my structure. I would like to be able to set my ctxDNs value to "o=rlp,ou=Canada", and be able to perform a subtree search from there. This would allow me to log in as any one of the users (User1-5). Any ideas? Thanks,


      Fred
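As an added illustration of the configuration change the question is about (this is example markup, not Fred's actual file and not the configuration shipped with GateIn or PicketLink), here is how the USER identity-object-type in picketlink-idm-ldap-config.xml could be pointed at the "o=rlp,ou=Canada" container with a subtree search instead of a one-level search under ou=People. Assumptions: the directory suffix dc=example,dc=com is taken from the original ctxDNs value in the post, the option name entrySearchScope with value subtree is assumed to be honoured by the PicketLink IDM LDAP store in the version in use (check it against the store's documented options before relying on it), and the entry filter is a generic inetOrgPerson/uid filter that may need adjusting to the real schema.

```xml
<!-- Example fragment for picketlink-idm-ldap-config.xml (assumed option names, verify for your version) -->
<identity-object-type>
  <name>USER</name>
  <options>
    <option>
      <!-- attribute that carries the portal user name -->
      <name>idAttributeName</name>
      <value>uid</value>
    </option>
    <option>
      <!-- search base: the single container above all office sub-containers;
           suffix dc=example,dc=com is assumed from the post's original DN -->
      <name>ctxDNs</name>
      <value>o=rlp,ou=Canada,dc=example,dc=com</value>
    </option>
    <option>
      <!-- {0} is replaced by the user name at lookup time -->
      <name>entrySearchFilter</name>
      <value><![CDATA[(&(uid={0})(objectclass=inetOrgPerson))]]></value>
    </option>
    <option>
      <!-- assumed option: widen the lookup from one level to the whole subtree -->
      <name>entrySearchScope</name>
      <value>subtree</value>
    </option>
  </options>
</identity-object-type>
```

Two things to check before a subtree base like this goes into production: the uid value must be unique across every office container below the base, because a lookup that matches entries in two offices cannot be resolved to a single DN and the bind will fail or become ambiguous; and the service account the portal binds with needs search and read rights over the whole subtree, including containers created after it was granted, otherwise newly added offices will silently be invisible to the lookup.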