Is it possible to have RoR use a UPN-formatted username to validate whether an LDAP connection is a valid possibility?
Take for instance you have two LDAP connections, one to foo.com and the other to bar.com. Since ACLs are sequential and foo.com is before the bar.com ACL, all logins will attempt foo.com and fail and then attempt bar.com and succeed. Instead, can a user specify me@bar.com in the login and RoR uses that as a pre-check in the ACL block to bypass the ACL with foo.com as the LDAP auth domain?
In an enterprise environment with multiple domains, with some domains trusting other domains (so an LDAP to foo.com could theoretically authenticate bar.com users), I think it would be easiest to add an array into the ldap section with possible UPN domain names as a pre-check.
If I log in as me@foo.com, RoR could pre-check the upn: array to see if “foo.com” exists as a pre-check. If it does then do the LDAP authentication.
If I log in as me@bar.com, the pre-check on the first ACL block fails the pre-check so LDAP for me@bar.com is not done against foo.com directory/domain.
In either case, there would need to be an option to strip the @foo.com from the username to pass only “me” as the username. “username_format:” for instance. If =upn then pass “me@foo.com” to LDAP to lookup, if =useronly then pass “me” to LDAP to lookup.
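A sketch of the proposed pre-check and username_format handling, written here as an added example in Python; it is not code from RoR or from the post above, and the LdapAcl fields, the precheck/select_acls names and the sample domains are assumptions.

```python
from dataclasses import dataclass


@dataclass
class LdapAcl:
    """One LDAP ACL block (hypothetical shape of the proposed config)."""
    name: str
    upn: list                      # proposed "upn:" array of domain suffixes this directory may authenticate
    username_format: str = "useronly"   # proposed option: "upn" or "useronly"


def split_upn(login):
    """Return (user, domain) for a UPN-style login; domain is None for a plain username."""
    if login.count("@") != 1:       # plain short name, or malformed (e.g. "a@b@c"): no UPN suffix
        return login, None
    user, domain = login.split("@")
    if not user or not domain:      # "@foo.com" or "me@" carry no usable suffix
        return login, None
    return user, domain.lower()     # DNS names are case-insensitive, so compare lower-cased


def precheck(login, acl):
    """Proposed pre-check: should this ACL block attempt LDAP auth for this login?"""
    _, domain = split_upn(login)
    if domain is None:
        return True                 # assumption: no suffix means today's sequential behaviour
    # Without this check, stripping the suffix would send "me" from me@bar.com to the
    # foo.com directory, where a different "me" account may exist.
    return domain in {d.lower() for d in acl.upn}


def ldap_username(login, acl):
    """Username handed to LDAP according to the block's username_format."""
    user, domain = split_upn(login)
    if acl.username_format == "upn":
        return f"{user}@{domain}" if domain else user
    if acl.username_format == "useronly":
        return user                 # strip "@foo.com", pass only "me"
    raise ValueError(f"unknown username_format: {acl.username_format!r}")


def select_acls(login, acls):
    """ACL blocks (in config order) that pass the pre-check, with the username each would receive."""
    return [(acl.name, ldap_username(login, acl)) for acl in acls if precheck(login, acl)]


# Constructed sample config mirroring the two-directory case in the post.
ACLS = [
    LdapAcl("foo.com", upn=["foo.com", "corp.foo.com"], username_format="useronly"),
    LdapAcl("bar.com", upn=["bar.com"], username_format="upn"),
]

if __name__ == "__main__":
    for login in ("me@foo.com", "me@bar.com", "me@CORP.FOO.COM", "me", "me@baz.com"):
        print(login, "->", select_acls(login, ACLS))
```

A login whose suffix matches no block's upn list (me@baz.com) selects nothing, so it is rejected without touching either directory.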