so either ldap:uid=blah,dc=base,dc=name or some uid which (already) exists anyway in the system?  I just wonder if there would be more confusion if someone switched their LDAP basename etc on a running system if the full DN is used... even if the users are the same, would their mail store disappear?

It would be the DN of the user, not the Base DN of the search scope.  And yes, if someone changed their DN in this case, Citadel would consider it to be a different user and the old account would be purged.

However, I don't think that's the direction we're going to take.  Indexing by UID (or in the case of Active Directory, a synthetic UID derived from the ObjectGUID) makes more sense.  That's how we join the accounts today, but it uses a sequential search.  If we put something like "uid:12345" in the extauth table, it will eliminate the sequential search without a major refactoring of the LDAP logic, and it should also be compatible with sites using system auth (which is apparently nobody, as far as I can tell; every site I've ever heard of is using either native or LDAP).
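The two keying schemes discussed in this thread, as an added Python example that is not Citadel's own code: it models the extauth table as a dict, uses constructed directory entries, and assumes a hypothetical way of deriving the synthetic UID from an Active Directory ObjectGUID (SHA-256 of the GUID bytes, truncated to 31 bits), since the thread does not say how that is done.

```python
"""Compare keying the extauth table by full DN versus by UID, and show
what a base-DN rename does to each.  Added example, not Citadel code."""
import hashlib

# Constructed sample directory entries before the base-DN rename.
# alice is a POSIX/LDAP user with uidNumber; bob is an AD user with only an ObjectGUID.
BEFORE = [
    {"dn": "uid=alice,ou=people,dc=old,dc=example", "uid": "alice",
     "uidNumber": 12345, "objectGUID": None},
    {"dn": "CN=bob,OU=staff,DC=old,DC=example", "uid": None, "uidNumber": None,
     "objectGUID": bytes.fromhex("0102030405060708090a0b0c0d0e0f10")},
]
# Same people after the admin renames the base from dc=old to dc=new.
AFTER = [dict(e, dn=e["dn"].replace("old", "new")) for e in BEFORE]


def synthetic_uid(object_guid: bytes) -> int:
    # Assumption: a stable numeric id derived from the ObjectGUID.  The GUID
    # never changes for the life of the AD object, so the key survives DN moves.
    digest = hashlib.sha256(object_guid).digest()
    return int.from_bytes(digest[:4], "big") & 0x7FFFFFFF


def extauth_key(entry: dict, scheme: str) -> str:
    """Build the extauth table key for one directory entry under a scheme."""
    if scheme == "dn":
        return "ldap:" + entry["dn"]
    if scheme == "uid":
        if entry["uidNumber"] is not None:
            return f"uid:{entry['uidNumber']}"
        return f"uid:{synthetic_uid(entry['objectGUID'])}"
    raise ValueError(f"unknown scheme {scheme!r}")


def local_name(entry: dict) -> str:
    # Local Citadel account name: uid attribute if present, else the RDN value.
    return entry["uid"] or entry["dn"].split(",")[0].split("=", 1)[1]


def build_table(entries, scheme: str) -> dict:
    """extauth key -> local account; a hash lookup replaces the sequential search."""
    return {extauth_key(e, scheme): local_name(e) for e in entries}


def orphaned_after_rename(scheme: str) -> list:
    """Keys that no longer resolve after the rename: under the purge rule in the
    reply above, these accounts would be treated as different users and removed."""
    before, after = build_table(BEFORE, scheme), build_table(AFTER, scheme)
    return sorted(before.keys() - after.keys())
```

Keying by DN orphans every account on a base-DN rename, while keying by uid (or the GUID-derived synthetic uid) leaves the table unchanged.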
