I am learning OpenSSO/AM on the job, so please forgive my ignorance.
We have a product that uses OpenSSO for both authentication and authorization by connecting to a local LDAP (OpenLDAP) database. We are able to configure this product to use an external LDAP database for authentication instead if desired.
What we are trying to do is also perform authorization using an external LDAP database. When authorizing a user, we'd like to be able to check both the local LDAP database and the external LDAP database for the user's permissions. A user may be configured in either the local or external (or both) databases. We were thinking that in the case of a conflict (e.g. user exists in both databases with different groups), then the superset of groups would be used, but this isn't a necessity if it is not feasible.
Does OpenSSO/AM have such a capability? If so, is there any documentation on how to configure it?