If my client certificate principal has an OU as part of its common name that matches what is configured in the login module, then bypass environment validation.
For example, if the login module has the configuration for an "all-access" OU:
ou=users,dc=lightblue,dc=io
And my client certificate has this CN as the principal:
uid=derek63,ou=users,dc=lightblue,dc=io
Then DO NOT look for the l (location) attribute in my certificate DN and validate it against the environment configured in the login module.
If my client certificate looks like anything else that is not configured in the login module:
uid=derek63,ou=serviceusers,dc=lightblue,dc=io
Then continue with the existing environment validation (assuming it's configured on the login module).
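
A sketch of the requested decision logic, added here as an illustration and not taken from the lightblue login module. The class and method names are hypothetical, the `dev`/`prod` environment values and the `l=dev` RDN are constructed, and rejecting a principal that has no matching `l` attribute is an assumption about the existing validation.

```java
import javax.naming.InvalidNameException;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;

public class EnvironmentCheckSketch {

    /** Returns true if the certificate principal may log in to the configured environment. */
    static boolean isAllowed(String principalDn, String allAccessOu, String environment)
            throws InvalidNameException {
        LdapName principal = new LdapName(principalDn);

        // Bypass: the principal sits under the configured "all-access" OU.
        // LdapName indexes RDNs from the right, so startsWith() is a suffix match
        // on parsed RDNs rather than a substring match on the raw DN string.
        if (allAccessOu != null && principal.startsWith(new LdapName(allAccessOu))) {
            return true;
        }

        // No environment configured on the login module: nothing to validate.
        if (environment == null) {
            return true;
        }

        // Existing behaviour (assumed): an l (location) RDN must match the environment.
        for (Rdn rdn : principal.getRdns()) {
            if ("l".equalsIgnoreCase(rdn.getType())
                    && environment.equalsIgnoreCase(String.valueOf(rdn.getValue()))) {
                return true;
            }
        }
        return false;
    }

    public static void main(String[] args) throws InvalidNameException {
        String allAccess = "ou=users,dc=lightblue,dc=io";
        // The first two DNs are from the text above; the third is constructed.
        System.out.println(isAllowed(
                "uid=derek63,ou=users,dc=lightblue,dc=io", allAccess, "prod"));
        System.out.println(isAllowed(
                "uid=derek63,ou=serviceusers,dc=lightblue,dc=io", allAccess, "prod"));
        System.out.println(isAllowed(
                "uid=derek63,l=dev,ou=serviceusers,dc=lightblue,dc=io", allAccess, "dev"));
    }
}
```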