If you can provide specifics (by which I mean copy-and-paste your configuration and the exact error messages) then I'm happy to help work through it and get this working, but the description you've provided isn't clear enough to be able to give you any concrete advice.

A subtree search is exactly what you want.

If you have duplicate users in the tree, then that will be a problem, as we need to know which user to authenticate. We might be able to resolve that with a filter, but I would need to see the exact details.