RFR: 8275535: Retrying a failed authentication on multiple LDAP servers can lead to users blocked
Martin Balao
mbalao at openjdk.java.net
Wed Nov 10 16:25:36 UTC 2021
On Wed, 10 Nov 2021 12:58:13 GMT, Aleksei Efimov <aefimov at openjdk.org> wrote:
>> I'd like to propose a fix for JDK-8275535. This fix reverts the behavior to the state previous to JDK-8160768, where an authentication failure stops it from trying other LDAP servers with the same credentials [1]. After JDK-8160768 we have 2 possible loops to stop: the one that iterates over different URLs and the one that iterates over different endpoints (after a DNS query that returns multiple values).
>>
>> No test regressions observed in jdk/com/sun/jndi/ldap.
>>
>> --
>> [1] - https://hg.openjdk.java.net/jdk/jdk/rev/a609d549992a#l2.137
>
> Hi Martin,
>
> The change looks reasonable to me.
> I would suggest having a CSR logged for this change due to the following [behavioral incompatibility](https://wiki.openjdk.java.net/display/csr/Kinds+of+Compatibility):
> Before the change - all available endpoints/URLs are tried to create an LDAP context.
> With the proposed change - incorrect credentials will prevent other endpoints from being exercised to create an LDAP context.
>
> Having a CSR will also help to document the difference in handling `AuthenticationException` and `NamingException` during construction of an LDAP context from the list of endpoints acquired from an LDAP DNS provider.
Hi @AlekseiEfimov ,
Thanks for your feedback. I'll open a CSR as suggested and wait for approval before integrating this fix. With that said, I could not find information in the CSR associated with JDK-8160768 (JDK-8192975) about this behavioral change. My intention here is to restore the previous JDK behavior, and not to introduce a new behavior or revert a previously-approved one.
Martin.-
-------------
PR: https://git.openjdk.java.net/jdk/pull/6043
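The two loops the thread refers to, and the difference between the pre-fix and the fixed behaviour, as an added illustration that is not the JDK's own code from the PR: the outer loop walks the configured URLs, the inner loop walks the endpoints a DNS lookup returned for each URL, and the fix rethrows `AuthenticationException` immediately instead of treating it like any other `NamingException`. The `Connector` interface and the `resolver` function are hypothetical stand-ins for opening an LDAP context and for the DNS provider; the exception classes are the real `javax.naming` ones; the URLs and endpoints are constructed sample values.

```java
import java.util.List;
import java.util.function.Function;
import javax.naming.AuthenticationException;
import javax.naming.NamingException;
import javax.naming.ServiceUnavailableException;

public class LdapEndpointFallback {

    /** Hypothetical stand-in for opening an LDAP context against one resolved endpoint. */
    interface Connector {
        String connect(String endpoint) throws NamingException;
    }

    /**
     * Pre-fix behaviour as the thread describes it: every NamingException, including an
     * AuthenticationException, moves on to the next endpoint and the next URL with the
     * same credentials, so one rejected password is presented to every server in both loops.
     */
    static String connectRetryingAll(List<String> urls,
                                     Function<String, List<String>> resolver,
                                     Connector connector) throws NamingException {
        NamingException last = null;
        for (String url : urls) {                          // loop 1: configured URLs
            for (String endpoint : resolver.apply(url)) {  // loop 2: endpoints from DNS
                try {
                    return connector.connect(endpoint);
                } catch (NamingException e) {
                    last = e;
                }
            }
        }
        throw last == null ? new ServiceUnavailableException("no endpoints") : last;
    }

    /**
     * Fixed behaviour: an AuthenticationException is rethrown at once, which exits both
     * loops; only other NamingExceptions (unreachable host, and so on) trigger fallback.
     */
    static String connectStoppingOnAuthFailure(List<String> urls,
                                               Function<String, List<String>> resolver,
                                               Connector connector) throws NamingException {
        NamingException last = null;
        for (String url : urls) {
            for (String endpoint : resolver.apply(url)) {
                try {
                    return connector.connect(endpoint);
                } catch (AuthenticationException e) {
                    throw e;                 // credentials rejected: do not try elsewhere
                } catch (NamingException e) {
                    last = e;                // server problem: fall back to the next one
                }
            }
        }
        throw last == null ? new ServiceUnavailableException("no endpoints") : last;
    }

    public static void main(String[] args) {
        // Constructed sample: two URLs, each resolving (as a DNS lookup might) to two endpoints.
        List<String> urls = List.of("ldap://ldap-a.example.invalid", "ldap://ldap-b.example.invalid");
        Function<String, List<String>> resolver = url -> List.of(
                url.replace("ldap://", "ldap://srv1."),
                url.replace("ldap://", "ldap://srv2."));

        int[] attempts = {0};
        // Every server rejects the password; this is the scenario that gets the account locked.
        Connector rejectsPassword = endpoint -> {
            attempts[0]++;
            throw new AuthenticationException("invalid credentials at " + endpoint);
        };

        for (boolean fixed : new boolean[] {false, true}) {
            attempts[0] = 0;
            try {
                if (fixed) {
                    connectStoppingOnAuthFailure(urls, resolver, rejectsPassword);
                } else {
                    connectRetryingAll(urls, resolver, rejectsPassword);
                }
            } catch (NamingException e) {
                System.out.println((fixed ? "after fix:  " : "before fix: ")
                        + attempts[0] + " bind attempt(s) with the rejected password ("
                        + e.getClass().getSimpleName() + ")");
            }
        }
    }
}
```

Running `main` shows the pre-fix loops presenting the rejected password once per endpoint across every URL, while the fixed version stops after the first `AuthenticationException`; a non-authentication `NamingException` (for example `ServiceUnavailableException` from one host) still falls through to the next endpoint in both versions, which is the distinction the CSR is meant to document.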