From 93d8f19887ce9bfc406537ac8045d54bddfd39ea Mon Sep 17 00:00:00 2001
From: GitLab
Date: Thu, 12 Dec 2013 12:36:03 -0500
Subject: [PATCH] Added authentication of a username that is duplicate across multiple subdomains

---
 lib/omniauth/strategies/ldap.rb | 21 ++++++++++++++++++++-
 1 file changed, 20 insertions(+), 1 deletion(-)

diff --git a/lib/omniauth/strategies/ldap.rb b/lib/omniauth/strategies/ldap.rb
index 9a4d880..d97014a 100644
--- a/lib/omniauth/strategies/ldap.rb
+++ b/lib/omniauth/strategies/ldap.rb
@@ -35,7 +35,26 @@ def request_phase
       end
 
       def callback_phase
-        @adaptor = OmniAuth::LDAP::Adaptor.new @options
+        username_elems = @options[:name_proc].call(request['username']).split('\\')
+        options = @options.dup
+        if (username_elems.length == 2)
+          # Create a shallow copy of the options
+          options = @options.dup
+          # In our copy of the hash, we modify the base DN; we prefix a DC=subdomain string
+          # An example would be :
+          # for base: DC=example,DC=com and usename emea\user1 this would become
+          # base: DC=emea,DC=example,DC=com and we would authenticate username user1
+          # on the emea subdomain.
+          # This would allow for the same username across multiple subdomains,
+          # something unhealthy but which seems to occur.
+          # For example emea\user1 and us\user1 to work across a higher level domain controller.
+          options[:base] = 'DC=%s,%s' % [ username_elems[0], @options[:base] ]
+          username = username_elems[1]
+        else
+          # Fallback to the standard behavior here
+          username = request['username']
+        end
+        @adaptor = OmniAuth::LDAP::Adaptor.new options
         return fail!(:missing_credentials) if missing_credentials?
         begin