The SimpleLDAPAuthenticationManager returns different Principal name formats for sasl vs non-sasl usage.
In the sasl case, the PlainSaslServer returns the basic username that was originally provided, but in the non-sasl case the SimpleLDAPAuthenticationManager returns a Principal based on the search context/filter. This leads to inconsistent behaviour between e.g. AMQP and JMX interface authentication, and in the later case means it is not possible to specify the user be included as part of an group.
The non-sasl behaviour should be updated to be consistent with the sasl behaviour.