The current implementation of the LdapClaimsHandler only allows to define a single DN for your user search base. In cases when users are spread in multiple OUs which do not share a common OU, it is not possible to collect claims for all the users.
Setting the "userBaseDN" to "OU=Internal-User,DC=MY,DC=DOMAIN,DC=COM" would cause that claims for Bob could not be resolved.
My proposal is to add another property "userBaseDNs" to the LdapClaimsHandler containing a List<String> of userBaseDN. If the user could not be found within the scope of userBaseDN then all userBaseDNs contained in the Collection will be searched until the user claims could be retrieved.