We may need more details, but I think you'll need your own custom auth for this.
Will the users need to specify their own child domain somehow, via a drop-down for example? Or can it be derived?
No, I am not having any drop-downs. It's fine if the user has to mention his domain in the username as "mydomain\uid". The documentation says the DN for internal AD authentication should be given as mydomain\%LDAP_USER%. When I give such a DN, only users from the child domain that I mention in the DN can be authenticated; other users get an invalid credentials error.
If I give the DN as only %LDAP_USER%, everybody gets an invalid credentials error.
What is the value of the LDAP authentication scheme's "Username Escaping" attribute? If the user enters "mydomain\uid", the "\" will be escaped by default. I do not recommend simply disabling escaping; that would be insecure. However, you could use a custom LDAP edit function in combination with the apex_escape.ldap_dn and apex_escape.ldap_search_filter functions.
I have not disabled escaping in LDAP authentication. However, I am not clear on how I should write the DN string so that all child domains can be authenticated. Based on location, my firm has child domains like city1.mycompany.com and city2.mycompany.com, and when a user is transferred to another location, he is simply moved from one child domain to another. When I give the DN as city1\%LDAP_USER%, only users from the city1 child domain can be authenticated with their uid attribute, and users from other child domains get an invalid credentials error. How can I resolve this the easiest way? I am completely new to this, hence not aware of the functions in APEX.
Can you try this for testing?
1. set "Distinguished Name (DN) String" to "%LDAP_USER%"
2. set "Username Escaping" to "No Escaping"
3. log in with "city1\username"
If it works, you can define a Username Edit function that allows one "\" but uses apex_escape.ldap_dn to make sure the parts left and right of the backslash are properly escaped.
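The edit function described in the reply above, written out as an added example (this is not code from the thread or from the APEX team). It assumes the three test settings above are in place (DN String "%LDAP_USER%", Username Escaping "No Escaping"), so APEX no longer escapes the login name and this function has to do it instead: it accepts exactly one "\" separating domain and user id, escapes each half with apex_escape.ldap_dn, and rejects anything else. The function name ad_domain_username_edit, the p_username parameter and the city1/city2 allow-list are assumptions for illustration; check the Username Edit Function signature and the domain names your APEX version and forest actually use.

```plsql
-- Added example, not part of the original post.
-- Username Edit Function for an APEX LDAP authentication scheme configured with
--   Distinguished Name (DN) String : %LDAP_USER%
--   Username Escaping              : No Escaping
-- With escaping switched off, whatever this function returns is placed into the
-- bind DN unchanged, so it must be the only place where the user's input is
-- allowed to reach LDAP. Function name and parameter name are assumptions.
create or replace function ad_domain_username_edit (
    p_username in varchar2 )
    return varchar2
is
    l_name   varchar2(4000) := trim(p_username);
    l_pos    pls_integer;
    l_domain varchar2(4000);
    l_uid    varchar2(4000);
begin
    -- Require exactly one backslash with something on both sides:
    -- the first and the last occurrence must be the same character.
    l_pos := instr(l_name, '\');
    if l_name is null
       or l_pos <= 1
       or l_pos = length(l_name)
       or l_pos <> instr(l_name, '\', -1)
    then
        raise_application_error(-20001, 'Log in as domain\userid');
    end if;

    l_domain := substr(l_name, 1, l_pos - 1);
    l_uid    := substr(l_name, l_pos + 1);

    -- Optional: only accept the child domains you actually operate.
    -- The NetBIOS names used here (CITY1, CITY2) are placeholders.
    if upper(l_domain) not in ('CITY1', 'CITY2') then
        raise_application_error(-20002, 'Unknown domain');
    end if;

    -- Escape each half on its own, then put the single separator back.
    -- apex_escape.ldap_dn neutralises DN metacharacters (including "\"),
    -- which is why the split has to happen before escaping, not after.
    return apex_escape.ldap_dn(l_domain) || '\' || apex_escape.ldap_dn(l_uid);
end ad_domain_username_edit;
/
```

Enter the function in the scheme's Username Edit Function attribute (see the documentation for your APEX version for the exact form expected there). With this in place, "city1\jsmith" is passed on as "city1\jsmith", a name such as "city1\jsmith,cn=x" comes out with the comma escaped, and input with no backslash, two backslashes, or an unknown domain never reaches the directory at all, which is what makes it acceptable to leave escaping switched off in the scheme itself.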