This is an enhancement request to allow identically named users from two domains to be added to a PAM LDAP group without requiring the two domains to maintain a trust relationship. Customers have specific requirements where they do not want a compromise of one domain to affect the other domains. Currently, the PAM design does not allow such an addition when the unique identifier used for an LDAP search is not actually unique (in this case the UPN, the userPrincipalName attribute, is not unique across the two domains). The customer is requesting an enhancement to allow the same UPN in multiple domains without a trust relationship, since a trust relationship between domains cannot always be established.
Currently, per the PAM design, adding users to LDAP groups fails with the error "Duplicate user Principal name xxxxxxxxxxx. User cannot be added." This failure occurs because the two LDAP domains are not in a trust relationship.