X509 certificate with multiple OU fields?
Hello list,
I've issued certificates including multiple OU fields, for example:
OU1=IT Security HQ
OU2=HQ Amsterdam
OU3=Administrator
I want to restrict access to a certain part of the website based on the
OU1 field. I've used the following configuration in httpd.conf:
<LocationMatch ^/(directory1)>
SSLRequire ( %{SSL_CLIENT_S_DN_OU} eq "IT Security HQ" )
</LocationMatch>
Using this configuration, a "You are not authorized to view this page!"
is shown. However, when the following configuration is used, access is
granted:
<LocationMatch ^/(directory1)>
SSLRequire ( %{SSL_CLIENT_S_DN_OU} eq "Administrator" )
</LocationMatch>
Some research pointed out that only the last OU (OU3) from the DN is
used to verify within SSLRequire! I've tested this behavior with
mod_ssl versions 2.8.16, 2.8.4 and 2.8.22. Is this a bug?
Is there a workaround to match against a single OU when multiple OUs
are available, independent of the OU order?
Thanks in advance,
David
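
The behaviour reported in the message above, modelled as an added example (not part of the original post and not mod_ssl code): a lookup that keeps one value per attribute name returns only the last OU, while an exact match against every OU value is independent of order. The sample DN, its C, O and CN values, and all function names are constructed for illustration.

```python
# Added illustration: a model of the reported behaviour, not mod_ssl source.
# Constructed subject DN in OpenSSL "oneline" form; C, O and CN are assumed.
SAMPLE_DN = ("/C=NL/O=Example/OU=IT Security HQ/OU=HQ Amsterdam"
             "/OU=Administrator/CN=David")


def parse_oneline_dn(dn):
    """Split a oneline DN into ordered (type, value) pairs, keeping duplicates.

    Assumes no value contains '/', which the oneline form cannot
    represent unambiguously.
    """
    if not dn.startswith("/"):
        raise ValueError("expected a DN beginning with '/'")
    pairs = []
    for rdn in dn[1:].split("/"):
        attr, sep, value = rdn.partition("=")
        if not sep or not attr:
            raise ValueError("malformed RDN: %r" % rdn)
        pairs.append((attr.upper(), value))
    return pairs


def single_valued_lookup(pairs, attr):
    """One value per attribute name: a later duplicate overwrites an earlier one."""
    table = {}
    for name, value in pairs:
        table[name] = value
    return table.get(attr.upper())


def all_values(pairs, attr):
    """Every value of the attribute, in certificate order."""
    return [value for name, value in pairs if name == attr.upper()]


def ou_allowed(dn, required_ou):
    """Order-independent check: exact match against any OU in the DN."""
    return required_ou in all_values(parse_oneline_dn(dn), "OU")


if __name__ == "__main__":
    pairs = parse_oneline_dn(SAMPLE_DN)
    print("single-valued OU:", single_valued_lookup(pairs, "OU"))
    print("all OU values:   ", all_values(pairs, "OU"))
    print("IT Security HQ allowed:", ou_allowed(SAMPLE_DN, "IT Security HQ"))
```

The check compares whole OU values, so a certificate whose OU merely starts with or contains the required string is not accepted.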