I'm not sure I'm clear on your use of the terms "high" and "low." I don't think this is a search scope problem since the default for BindLdapAuthenticationHandler is subtree scope. Maybe you could sketch out your AD schema and give some specific examples of what users can and cannot authenticate.
M
