A common use of an identity map with an identity search is when you employ a directory with two trees. In this scenario, each tree defines only a subset of all users, but either tree can authenticate any user. Suppose that:
You have two trees in your directory:
- Tree A, named dc=div,dc=corp,dc=com and is in Windows domain DIV.
- Tree B, named dc=newyork,dc=corp,dc=com and is in Windows domain NEWYORK.
You want to allow any of several username formats in logons:
- UPN, for example, email@example.com
- The user DN, for example, cn=cc444555,ou=users,dc=newyork,dc=corp,dc=com
You also want to allow users to logon without the domain name, so that the directory can authenticate the following usernames, which require the directory to use the DIV tree: