In NGX, what happens if a Distinguished Name (DN) is NOT found in LDAP?

In NGX, what happens if a Distinguished Name (DN) is NOT found in LDAP?

A.
NGX takes the common-name value from the Certificate subject, and searches the LDAP account unit for a matching user id.

B.
NGX searches the internal database for the username.

C.
The Security Gateway uses the subject of the Certificate as the DN for the initial lookup.

D.
If the first request fails or if branches do not match, NGX tries to map the identity to the user id attribute.

E.
When users authenticate with valid Certificates, the Security Gateway tries to map the identities with users registered in the external LDAP user database.