Should I not be able to specify multiple group DNs for the base when my Active Directory Authenticator looks up the groups for a user as a step of authorizing?

The process should be:
user is authenticated (this works)
user's groups are retrieved (this fails)
user's roles are mapped based on the group (this fails because no group is found)

The reason is the configured Active Directory Authenticator has a starting point to look for a user's groups that is a different branch of the Active Directory tree than where our application groups are kept.

We cannot change the start point of the search because then the user that starts the WL server doesn't find its groups, doesn't get its privs and the process shuts down (tried this). Also, moving the group search base DN to the root of the tree does not work for performance reasons.

We cannot move the application groups to a spot in the tree where they will be found because this is an administrative branch and the application groups do not belong there.

We cannot move groups for the user that starts WebLogic around because this is an important admin account that runs production servers as well.

Would it not make sense that I could specify multiple start DNs for the group search?

And if not, and I have to set up another authenticator, how do I get it to authenticate the user with the rules (base DNs) in one authenticator but authorise the user with the rules (base DNs) in a second authenticator?
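Added example, not from the original post and not WebLogic's own code: a small Python model of the three steps described above (authenticate, retrieve groups, map roles) over a constructed directory, showing why a single group-search base DN scoped to the admin branch leaves the application user with no groups and therefore no roles, and how a list of base DNs (what the post asks for) resolves it. All DNs, group names and role names are constructed for the illustration.

```python
# Constructed model of the flow in the post; it is not how WebLogic or
# Active Directory implement group lookup, only a sketch of the scoping problem.

# Constructed directory: group DN -> set of member user DNs.
DIRECTORY_GROUPS = {
    "CN=WLAdmins,OU=Admin,DC=example,DC=com": {"CN=wlsvc,OU=Admin,DC=example,DC=com"},
    "CN=AppUsers,OU=Apps,DC=example,DC=com": {"CN=alice,OU=People,DC=example,DC=com"},
    "CN=AppApprovers,OU=Apps,DC=example,DC=com": {"CN=alice,OU=People,DC=example,DC=com"},
}

# Constructed group -> role mapping, standing in for the role-mapping step.
ROLE_MAP = {
    "CN=WLAdmins,OU=Admin,DC=example,DC=com": "Admin",
    "CN=AppUsers,OU=Apps,DC=example,DC=com": "app_user",
    "CN=AppApprovers,OU=Apps,DC=example,DC=com": "app_approver",
}


def in_subtree(dn, base_dn):
    """True if dn is base_dn itself or lies beneath it (subtree scope).
    Simplified DN comparison: case-folded suffix match, no attribute normalisation."""
    dn, base_dn = dn.lower(), base_dn.lower()
    return dn == base_dn or dn.endswith("," + base_dn)


def find_groups(user_dn, group_base_dns):
    """Step 2: groups containing user_dn, but only those found under one of the
    configured base DNs; a group in any other branch is invisible to the search."""
    return {
        g for g, members in DIRECTORY_GROUPS.items()
        if user_dn in members and any(in_subtree(g, b) for b in group_base_dns)
    }


def authorize(user_dn, group_base_dns):
    """Step 3: roles granted; empty when no group was found in the searched branches."""
    return {ROLE_MAP[g] for g in find_groups(user_dn, group_base_dns) if g in ROLE_MAP}


if __name__ == "__main__":
    admin_base = ["OU=Admin,DC=example,DC=com"]
    # The server account finds its group under the admin branch.
    print(authorize("CN=wlsvc,OU=Admin,DC=example,DC=com", admin_base))   # {'Admin'}
    # The application user's groups live under OU=Apps, so nothing is found: no roles.
    print(authorize("CN=alice,OU=People,DC=example,DC=com", admin_base))  # set()
    # Searching both branches finds the application groups without moving anything.
    both = admin_base + ["OU=Apps,DC=example,DC=com"]
    print(authorize("CN=alice,OU=People,DC=example,DC=com", both))        # {'app_user', 'app_approver'}
```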