From 7b9c6561ea8f03ba379f9792358facf0cb90df5f Mon Sep 17 00:00:00 2001
From: Javi Fontan
Date: Mon, 18 Feb 2013 17:52:17 +0100
Subject: [PATCH] feature #1741: test every dn in x509 authentication This patch was provided by Boris Parak <256254@mail.muni.cz> in http://dev.opennebula.org/issues/1741 Minor cosmetic changes
---
 src/cloud/common/CloudAuth.rb | 16 ++++++++++++++--
 1 file changed, 14 insertions(+), 2 deletions(-)
diff --git a/src/cloud/common/CloudAuth.rb b/src/cloud/common/CloudAuth.rb
index 89bca96587..fdec369d75 100644
--- a/src/cloud/common/CloudAuth.rb
+++ b/src/cloud/common/CloudAuth.rb
@@ -134,9 +134,21 @@ class CloudAuth
 # password:: _String_ the password
 # [return] _Hash_ with the username
 def get_username(password)
- xpath = "USER[contains(PASSWORD, \"#{password}\")]/NAME"
+ xpath = "USER[PASSWORD=\"#{password}\"]/NAME"
+ username = retrieve_from_userpool(xpath)
- retrieve_from_userpool(xpath)
+ # No exact match, trying to match password with each
+ # of the pipe-separated DNs stored in USER/PASSWORD
+ if username.nil?
+ @lock.synchronize do
+ @user_pool.each do |user|
+ return user["NAME"] if user["AUTH_DRIVER"] == "x509" &&
+ user["PASSWORD"].split('|').include?(password)
+ end
+ end
+ end
+
+ username
 end
 private
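Review bot: The new `xpath = "USER[PASSWORD=\"#{password}\"]/NAME"` line in `get_username` still interpolates `password` into the XPath string unescaped, so a value containing a double quote is parsed as part of the predicate rather than compared as data; in the x509 case this value is presumably the certificate DN, which the client supplies. Because the fallback loop already does an exact comparison in Ruby, one option is to refuse such values before the query is built, e.g. `return nil if password.nil? || password.include?('"')`, or to do the exact match in Ruby as well. In the loop, `user["PASSWORD"].split('|')` will raise NoMethodError if the lookup returns nil for an x509 user; `user["PASSWORD"].to_s.split('|')` avoids that. The exact-match query is also not restricted to `AUTH_DRIVER == "x509"` while the fallback is, and the header comment says the method returns a _Hash_ although the visible code returns the NAME value or nil.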