| CPUG | |
| The Check Point User Group | |
| A Resource For The Check Point Community. Fast. Useful. Independent. | |
I'm seeing conflicting info on what the correct answer to this question is.

Some say NGX takes the common-name value from the certificate subject and searches the LDAP account unit for a matching user ID.

Some say that if the first request fails or if branches do not match, NGX tries to map the identity to the user ID attribute.

What is the correct answer here? I've researched smartcentre.pdf and even the ATRG (Advanced Technical Resource Guide). The ATRG states:

The Distinguished Name (DN) is a globally unique name for an entry, and is constructed by concatenating the sequence of DNs from the lowest level of a hierarchical structure to the root. The root becomes the relative DN. For example, if searching for the name John Brown, the search path would start with John Brown's Common Name (CN). You would then narrow the search from that point, to the organization he works for, to the country. If John Brown (CommonName) works for the ABC Company, one possible DN might be cn=John Brown, o=ABC Company, c=US. This is read as “John Brown of ABC Company in the United States.” A different John Brown who works at the 123 Company might have a DN as follows: cn=John Brown, o=123 Company, c=UK. The two common names “John Brown” belong to two different organizations, with different DNs.

Still a little unclear. Can anyone help, please?

Thanks,

Last edited by imslickrick2k; 2008-07-08 at 11:33. Reason: Title change
| |||
From the Sybex NG book: "when a user authenticates, the enforcement module first checks if any user objects exist in the VPN-1/FireWall-1 users database for the username. If not, VPN-1/FireWall-1 then queries the LDAP server, looking for a match on the username within the configured organization unit. Authentication occurs via LDAP, and the user is either accepted or rejected."
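The difference between matching a certificate subject on its common name alone and on its full DN, using the two John Brown DNs quoted from the ATRG, is shown in this added example. It is not from the thread or from Check Point code and makes no claim about which lookup NGX performs; the directory contents and all function names are hypothetical.

```python
# Added illustration: CN-only lookup vs full-DN lookup over a constructed directory.

def parse_dn(dn):
    """Parse a DN into a normalized tuple of (attribute, value) pairs.
    Handles backslash-escaped characters; hex escapes and multi-valued
    RDNs ('+') are out of scope for this sketch."""
    parts, buf, escaped = [], [], False
    for ch in dn:
        if escaped:
            buf.append(ch)
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == ",":
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    parts.append("".join(buf))
    rdns = []
    for part in parts:
        attr, _, value = part.partition("=")
        rdns.append((attr.strip().lower(), value.strip().casefold()))
    return tuple(rdns)

def common_name(dn):
    return next((v for a, v in parse_dn(dn) if a == "cn"), None)

def in_branch(dn, branch):
    entry, suffix = parse_dn(dn), parse_dn(branch)
    return len(entry) > len(suffix) and entry[-len(suffix):] == suffix

def match_by_cn(subject_dn, directory, branch=None):
    """Entries sharing the subject's CN, optionally limited to one branch."""
    cn = common_name(subject_dn)
    if cn is None:
        return []
    return [e for e in directory
            if common_name(e) == cn and (branch is None or in_branch(e, branch))]

def match_by_dn(subject_dn, directory):
    """Entries whose full normalized DN equals the subject DN."""
    subject = parse_dn(subject_dn)
    return [e for e in directory if parse_dn(e) == subject]

# Constructed directory; the first two DNs are the ATRG examples.
DIRECTORY = ["cn=John Brown, o=ABC Company, c=US",
             "cn=John Brown, o=123 Company, c=UK",
             "cn=Jane Smith, o=ABC Company, c=US"]
SUBJECT = "CN=John Brown,O=ABC Company,C=US"  # constructed certificate subject
```

A CN-only search scoped to the `o=123 Company, c=UK` branch returns the other John Brown for this subject, which is why the branch comparison mentioned in the question matters for identity mapping.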