In an enterprise environment with multiple domains, with some domains trusting other domains (so an LDAP to foo.com could theoretically authenticate bar.com users), I think it would be easiest to add an array into the ldap section with possible UPN domain names as a pre-check:
```yaml
- name: "::foo:users::"
- name: "::bar:users::"
- name: ldap1
  upn: ["foo.com", "cat.com", "dog.com"]
- name: ldap2
```
If I log in as me@foo.com, RoR could pre-check the upn: array to see if "foo.com" exists. If it does, then do the LDAP authentication.
If I log in as me@bar.com, the pre-check on the first ACL block fails, so LDAP for me@bar.com is not done against the foo.com directory/domain.
In either case, there would need to be an option to strip the @foo.com from the username to pass only "me" as the username, "username_format:" for instance. If =upn then pass "me@foo.com" to LDAP to look up; if =useronly then pass "me" to LDAP to look up.
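As an added illustration of the pre-check and the `username_format` option proposed above (example code written for this comment, not code from the original post or from the project's code base): the `upn` and `username_format` keys, the `Resolved` struct, and the directory attribute names `userPrincipalName` / `sAMAccountName` are assumptions for the example. The domain match is exact and case-insensitive, so a login such as `me@foo.com.evil` never satisfies the foo.com block, and the value handed to the directory is escaped per RFC 4515 before it goes into a search filter.

```ruby
# Added example for the proposed upn pre-check and username_format option.
# Not from the original post; "upn", "username_format", the attribute names
# and the Resolved struct are assumptions made for this illustration.

# Constructed sample of the proposed ldap section.
LDAP_BLOCKS = [
  { "name" => "ldap1", "upn" => ["foo.com", "cat.com", "dog.com"], "username_format" => "useronly" },
  { "name" => "ldap2", "upn" => ["bar.com"],                       "username_format" => "upn" },
].freeze

# Which ldap block accepted the login, the name to look up, and the filter to send.
Resolved = Struct.new(:ldap_name, :lookup_name, :filter, keyword_init: true)

# Split "me@foo.com" into ["me", "foo.com"]. A login with no "@", an empty
# user part or an empty domain yields nils so that nothing is looked up.
def split_login(login)
  user, sep, domain = login.rpartition("@")
  return [nil, nil] if sep.empty? || user.empty? || domain.empty?
  [user, domain.downcase]
end

# The pre-check: pick the first ldap block whose upn list contains the whole
# domain (case-insensitive, exact match, never a prefix or suffix match).
def select_ldap_block(login, blocks = LDAP_BLOCKS)
  user, domain = split_login(login)
  return nil if user.nil? || domain.nil?
  blocks.find { |b| Array(b["upn"]).any? { |d| d.casecmp?(domain) } }
end

# RFC 4515 escaping for a value embedded in an LDAP search filter, so that a
# login such as "*)(cn=*" cannot rewrite the filter.
def ldap_filter_escape(value)
  value.gsub(/[\\*()\x00]/) { |c| format("\\%02x", c.ord) }
end

# Apply username_format: "upn" passes user@domain, "useronly" passes the bare
# user. Returns nil when the pre-check fails, i.e. no directory is contacted.
def resolve_ldap_lookup(login, blocks = LDAP_BLOCKS)
  block = select_ldap_block(login, blocks)
  return nil unless block

  user, domain = split_login(login)
  case block.fetch("username_format", "upn")
  when "upn"
    name = "#{user}@#{domain}"
    attr = "userPrincipalName"   # assumed attribute
  when "useronly"
    name = user
    attr = "sAMAccountName"      # assumed attribute
  else
    raise ArgumentError, "unknown username_format #{block['username_format'].inspect}"
  end

  Resolved.new(ldap_name: block["name"], lookup_name: name,
               filter: "(#{attr}=#{ldap_filter_escape(name)})")
end

if __FILE__ == $PROGRAM_NAME
  ["me@foo.com", "me@bar.com", "me@foo.com.evil", "me", "*)(cn=*@dog.com"].each do |login|
    r = resolve_ldap_lookup(login)
    puts "#{login.ljust(18)} -> #{r ? "#{r.ldap_name}: #{r.filter}" : 'pre-check failed, no LDAP lookup'}"
  end
end
```

A block with an empty or missing `upn` list accepts nothing in this example; whether such a block should instead act as a catch-all is a design choice the comment above leaves open.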