stackabletech
diff --git a/‎Cargo.lock‎
Lines changed: 17 additions & 0 deletions b/‎Cargo.lock‎
Lines changed: 17 additions & 0 deletions
diff --git a/‎Cargo.nix‎
Lines changed: 45 additions & 0 deletions b/‎Cargo.nix‎
Lines changed: 45 additions & 0 deletions
diff --git a/‎rust/operator-binary/src/controller.rs‎
Lines changed: 1 addition & 20 deletions b/‎rust/operator-binary/src/controller.rs‎
Lines changed: 1 addition & 20 deletions
diff --git a/‎rust/user-info-fetcher/Cargo.toml‎
Lines changed: 1 addition & 0 deletions b/‎rust/user-info-fetcher/Cargo.toml‎
Lines changed: 1 addition & 0 deletions
diff --git a/‎rust/user-info-fetcher/src/backend/active_directory.rs‎
Lines changed: 22 additions & 6 deletions b/‎rust/user-info-fetcher/src/backend/active_directory.rs‎
Lines changed: 22 additions & 6 deletions
@@ -936,14 +936,7 @@ fn build_server_rolegroup_daemonset(
         cb_user_info_fetcher
             .image_from_product_image(resolved_product_image) // inherit the pull policy and pull secrets, and then...
             .image(user_info_fetcher_image) // ...override the image
-            .command(vec![
-                "/bin/bash".to_string(),
-                "-x".to_string(),
-                "-euo".to_string(),
-                "pipefail".to_string(),
-                "-c".to_string(),
-            ])
-            .args(vec![build_user_info_fetcher_start_command()])
+            .command(vec!["stackable-opa-user-info-fetcher".to_string()])
             .add_env_var("CONFIG", format!("{CONFIG_DIR}/user-info-fetcher.json"))
             .add_env_var("CREDENTIALS_DIR", USER_INFO_FETCHER_CREDENTIALS_DIR)
             .add_volume_mount(CONFIG_VOLUME_NAME, CONFIG_DIR)
@@ -1347,15 +1340,3 @@ pub fn build_recommended_labels<'a, T>(
         role_group,
     }
 }
-
-/// Builds the command to start the user info fetcher.
-/// When using the Active Directory backend, the KERBEROS_REALM is derived from the krb5.conf file.
-/// This is later used for the LDAP user search filter.
-fn build_user_info_fetcher_start_command() -> String {
-    formatdoc! {"
-        if [ -f {USER_INFO_FETCHER_KERBEROS_DIR}/krb5.conf ]; then
-            export KERBEROS_REALM=$(grep -oP 'default_realm = \\K.*' {USER_INFO_FETCHER_KERBEROS_DIR}/krb5.conf)
-        fi
-        /sbin/stackable-opa-user-info-fetcher
-    "}
-}
@@ -11,6 +11,7 @@ publish = false
 [dependencies]
 stackable-opa-operator = { path = "../operator-binary" }
 stackable-operator.workspace = true
+krb5 = { path = "../../../krb5-rs/rust/krb5"}
 
 axum.workspace = true
 base64.workspace = true
 
@@ -1,6 +1,5 @@
 use std::{
     collections::{BTreeMap, HashMap},
-    env,
     fmt::{Display, Write},
     io::{Cursor, Read},
     num::ParseIntError,
@@ -9,6 +8,7 @@ use std::{
 
 use byteorder::{BigEndian, LittleEndian, ReadBytesExt};
 use hyper::StatusCode;
+use krb5::KrbContext;
 use ldap3::{Ldap, LdapConnAsync, LdapConnSettings, LdapError, Scope, SearchEntry, ldap_escape};
 use snafu::{OptionExt, ResultExt, Snafu};
 use stackable_operator::commons::tls_verification::TlsClientDetails;
@@ -60,8 +60,14 @@ pub enum Error {
         user_dn: String,
     },
 
-    #[snafu(display("environment variable KERBEROS_REALM is not set"))]
-    KerberosRealmEnvVar { source: env::VarError },
+    #[snafu(display("failed to create Kerberos context"))]
+    KerberosContext { source: krb5::Error },
+
+    #[snafu(display("failed to get Kerberos realm"))]
+    KerberosRealm { source: krb5::Error },
+
+    #[snafu(display("failed to get Kerberos realm name"))]
+    KerberosRealmName { source: std::str::Utf8Error },
 }
 
 impl http_error::Error for Error {
@@ -79,7 +85,9 @@ impl http_error::Error for Error {
             Error::InvalidPrimaryGroupRelativeId { .. } => StatusCode::INTERNAL_SERVER_ERROR,
             Error::UserSidHasNoSubauthorities { .. } => StatusCode::INTERNAL_SERVER_ERROR,
             Error::ParseUserSid { .. } => StatusCode::INTERNAL_SERVER_ERROR,
-            Error::KerberosRealmEnvVar { .. } => StatusCode::INTERNAL_SERVER_ERROR,
+            Error::KerberosContext { .. } => StatusCode::INTERNAL_SERVER_ERROR,
+            Error::KerberosRealm { .. } => StatusCode::INTERNAL_SERVER_ERROR,
+            Error::KerberosRealmName { .. } => StatusCode::INTERNAL_SERVER_ERROR,
         }
     }
 }
@@ -185,16 +193,24 @@ pub(crate) async fn get_user_info(
 
 /// Constructs a user filter that searches both the UPN as well as the sAMAccountName attributes.
 /// It also searches for `username@realm` in addition to just `username`.
-/// The realm is expected to be set in the `KERBEROS_REALM` environment variable.
 /// See this issue for details: <https://github.com/stackabletech/opa-operator/issues/702>
 fn user_name_filter(username: &str) -> Result<String, Error> {
     let escaped_username = ldap_escape(username);
-    let realm = ldap_escape(env::var("KERBEROS_REALM").context(KerberosRealmEnvVarSnafu)?);
+    let realm = ldap_escape(default_realm_name()?);
     Ok(format!(
         "|({LDAP_FIELD_USER_NAME}={escaped_username}@{realm})({LDAP_FIELD_USER_NAME}={escaped_username})({LDAP_FIELD_SAM_ACCOUNT_NAME}={escaped_username})"
     ))
 }
 
+fn default_realm_name() -> Result<String, Error> {
+    let krb_context = KrbContext::new().context(KerberosContextSnafu)?;
+    let krb_realm = krb_context.default_realm().context(KerberosRealmSnafu)?;
+    Ok(krb_realm
+        .to_str()
+        .context(KerberosRealmNameSnafu)?
+        .to_string())
+}
+
 #[tracing::instrument(
     skip(
         ldap,