I made a post with some instructions a few months back that demonstrated the configuration solution I deployed (here: http://3parug.com/viewtopic.php?f=17&t=38, 9th post down).
I doubt there's an LDAP pagination issue with 3PAR's client—we have several thousand users divided across several child OUs contained within one larger parent OU, and we have never had an issue authenticating any particular user.
I'm not exactly sure what LDAP topology you are describing—is it that there are two separate User OUs located in diverse areas of your LDAP tree, and the root of the tree ("dc=xyz,dc=net") is the only common point? If you can perform an LDAP search using command-line utilities on a Mac or Linux host, that should most closely replicate the search that 3PAR is using. For example:
Code:
$ ldapsearch -LLL -x -h adserver.xyz.net -b 'dc=xyz,dc=net' '(&(objectClass=user)(sAMAccountName=yourusername))' dn memberOf
Outside of posting sanitized 'showauthparam' and 'checkpassword' output, you will likely need to describe your particular topology in better detail.