kafbat · Haarolean · Dec 31, 2024 · Dec 16, 2024 · Dec 16, 2024 · Dec 16, 2024
@@ -63,24 +63,32 @@ public ReactiveAuthenticationManager authenticationManager(LdapContextSource lda
       ba.setUserSearch(userSearch);
     }
 
+    var authenticationProvider = getAuthenticationProvider(authoritiesExtractor, rbacEnabled, ba);
+
+    AuthenticationManager am = new ProviderManager(List.of(authenticationProvider));
+
+    return new ReactiveAuthenticationManagerAdapter(am);
+  }
+
+  private AbstractLdapAuthenticationProvider getAuthenticationProvider(LdapAuthoritiesPopulator authoritiesExtractor,
+                                                                       boolean rbacEnabled,
+                                                                       BindAuthenticator bindAuthenticator) {
     AbstractLdapAuthenticationProvider authenticationProvider;
+
     if (!props.isActiveDirectory()) {
       authenticationProvider = rbacEnabled
-          ? new LdapAuthenticationProvider(ba, authoritiesExtractor)
-          : new LdapAuthenticationProvider(ba);
+          ? new LdapAuthenticationProvider(bindAuthenticator, authoritiesExtractor)
+          : new LdapAuthenticationProvider(bindAuthenticator);
     } else {
       authenticationProvider = new ActiveDirectoryLdapAuthenticationProvider(props.getActiveDirectoryDomain(),
-          props.getUrls()); // TODO Issue #3741
+          props.getUrls());
       authenticationProvider.setUseAuthenticationRequestCredentials(true);
     }
 
     if (rbacEnabled) {
       authenticationProvider.setUserDetailsContextMapper(new UserDetailsMapper());
     }
-
-    AuthenticationManager am = new ProviderManager(List.of(authenticationProvider));
-
-    return new ReactiveAuthenticationManagerAdapter(am);
+    return authenticationProvider;
   }
 
   @Bean
@@ -99,6 +107,10 @@ public DefaultLdapAuthoritiesPopulator ldapAuthoritiesExtractor(ApplicationConte
                                                                   AccessControlService acs) {
     var rbacEnabled = acs != null && acs.isRbacEnabled();
 
+    if (props.isActiveDirectory()) {
+      return null;
+    }
+
     DefaultLdapAuthoritiesPopulator extractor;
 
     if (rbacEnabled) {

@@ -16,6 +16,8 @@
 @Slf4j
 public class RbacLdapAuthoritiesExtractor extends NestedLdapAuthoritiesPopulator {
 
+  private static final Set<Provider> SUPPORTED_PROVIDERS = Set.of(Provider.LDAP, Provider.LDAP_AD);
+
   private final AccessControlService acs;
 
   public RbacLdapAuthoritiesExtractor(ApplicationContext context,
@@ -36,7 +38,7 @@ protected Set<GrantedAuthority> getAdditionalRoles(DirContextOperations user, St
         .stream()
         .filter(r -> r.getSubjects()
             .stream()
-            .filter(subject -> subject.getProvider().equals(Provider.LDAP))
+            .filter(subject -> SUPPORTED_PROVIDERS.contains(subject.getProvider()))
             .filter(subject -> subject.getType().equals("group"))
             .anyMatch(subject -> ldapGroups.contains(subject.getValue()))
         )