RFR: 8275535: Retrying a failed authentication on multiple LDAP servers can lead to users blocked

Aleksei Efimov aefimov at openjdk.java.net
Wed Feb 9 17:26:11 UTC 2022


On Wed, 20 Oct 2021 13:35:22 GMT, Martin Balao <mbalao at openjdk.org> wrote:

> I'd like to propose a fix for JDK-8275535. This fix reverts the behavior to the state previous to JDK-8160768, where an authentication failure stops trying other LDAP servers with the same credentials [1]. After JDK-8160768 we have 2 possible loops to stop: the one that iterates over different URLs and the one that iterates over different endpoints (after a DNS query that returns multiple values).
> 
> No test regressions observed in jdk/com/sun/jndi/ldap.
> 
> --
> [1] - https://hg.openjdk.java.net/jdk/jdk/rev/a609d549992a#l2.137

Hi Martin,

The source changes look good to me.

In case you have an LDAP server that can be used to reproduce this problem then maybe you could try to create a test that uses classes from the LDAP test library (`LDAPServer`, `LDAPTestUtils`)?

In a nutshell, it could be done by following these steps:
- Create a regression test which uses LDAPServer/LDAPTestUtils similar to the tests available in `test/jdk/com/sun/jndi/ldap/blits/AddTests` and `test/jdk/javax/naming/module/src/test/test`
- Add the `-trace` flag (see test/jdk/com/sun/jndi/ldap/lib/LDAPTestUtils.java for details) as an argument to the test app. When this argument is passed to LDAPTestUtils.initEnv (see the first snippet below) a `.ldap` trace file is generated by the framework. This is where the real LDAP server is required.
- Once the `.ldap` trace file is collected, use LDAPTestUtils.initEnv and a ServerSocket to create a test server that will replay the collected trace file (see the second snippet below).

Snippet 1: How the trace file can be collected:

/*
 * @test
 * @library /test/lib ../../lib
 * @build LDAPServer LDAPTestUtils /javax/naming/module/src/test/test/
 * @run main/othervm TraceExampleTest -trace
 */

import java.util.Hashtable;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;

// args carries "-trace" (passed by the @run line above), so LDAPTestUtils.initEnv
// records the traffic into a trace file named after the test class
// (TraceExampleTest.ldap) while talking to the real server on 127.0.0.1:1389
public static void collectTrace(String[] args) throws Exception {
    Hashtable<Object, Object> env;

    // initialize test: no ServerSocket is passed, the provider URL points
    // at the real LDAP server
    env = LDAPTestUtils.initEnv(null, "ldap://127.0.0.1:1389",
            TraceExampleTest.class.getName(), args, true);

    // connect to server; the bind exchange is captured into the trace file
    DirContext ctx = new InitialDirContext(env);
}


Snippet 2: How the trace file can be used to create an instance of the LDAPServer (note that the trace file name should match the test class name in this example):

/*
 * @test
 * @library /test/lib ../../lib
 * @build LDAPServer LDAPTestUtils /javax/naming/module/src/test/test/
 * @run main/othervm TraceExampleTest
 */

import java.net.InetAddress;
import java.net.InetSocketAddress;
import java.net.ServerSocket;
import java.net.SocketAddress;
import java.util.Hashtable;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;
import jdk.test.lib.net.URIBuilder;

// No "-trace" in args this time: initEnv starts an LDAPServer on the given
// ServerSocket that replays the previously collected TraceExampleTest.ldap
public static void runWithTrace(String[] args) throws Exception {
    // Create unbound server socket
    ServerSocket serverSocket = new ServerSocket();

    // Bind it to the loopback address on an ephemeral port
    SocketAddress sockAddr = new InetSocketAddress(
            InetAddress.getLoopbackAddress(), 0);
    serverSocket.bind(sockAddr);

    // Construct the provider URL for LDAPTestUtils from the port we were given
    String providerURL = URIBuilder.newBuilder()
            .scheme("ldap")
            .loopback()
            .port(serverSocket.getLocalPort())
            .buildUnchecked().toString();

    Hashtable<Object, Object> env;

    // initialize test: the ServerSocket is handed to the framework, which
    // serves the trace file from it
    env = LDAPTestUtils.initEnv(serverSocket, providerURL,
            TraceExampleTest.class.getName(), args, true);

    // connect to the test LDAP server; the client sees the replayed responses
    DirContext ctx = new InitialDirContext(env);
}

-------------

PR: https://git.openjdk.java.net/jdk/pull/6043
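The retry that the PR description above is about can be observed end to end without a real directory. What follows is an added example and is not part of this message, the PR or the JDK test library: it starts two throwaway loopback servers that answer every BindRequest with resultCode 49 (invalidCredentials), lists both in a space-separated `Context.PROVIDER_URL`, binds with a deliberately wrong password, and then checks how many bind attempts each server received. With the behaviour the fix restores, the first invalidCredentials result surfaces as `AuthenticationException` and the second server never sees a bind; a build between JDK-8160768 and this fix retries the same credentials on the second server, which is the extra failed logon that trips account lockout. The class name, DN and password are assumed values; the fake servers speak just enough BER to locate the messageID and echo it back, and `InputStream.readNBytes` needs Java 11 or later.

```java
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.net.InetAddress;
import java.net.ServerSocket;
import java.net.Socket;
import java.util.Hashtable;
import java.util.concurrent.atomic.AtomicInteger;
import javax.naming.AuthenticationException;
import javax.naming.Context;
import javax.naming.directory.InitialDirContext;

public class NoRetryAcrossServersExample {   // assumed class name, not from the PR

    /** Minimal fake LDAP server: answers every BindRequest with invalidCredentials (49). */
    static final class RejectingLdapServer implements Runnable {
        final ServerSocket ss;
        final AtomicInteger binds = new AtomicInteger();

        RejectingLdapServer() throws IOException {
            ss = new ServerSocket(0, 50, InetAddress.getByName("127.0.0.1"));
        }

        String url() { return "ldap://127.0.0.1:" + ss.getLocalPort(); }

        @Override public void run() {
            while (!ss.isClosed()) {
                try (Socket s = ss.accept()) {
                    handleOneMessage(s);
                } catch (IOException e) {
                    return;                                   // server socket closed: stop
                }
            }
        }

        // LDAPMessage ::= SEQUENCE { messageID INTEGER, protocolOp CHOICE { ... } }
        private void handleOneMessage(Socket s) throws IOException {
            InputStream in = s.getInputStream();
            if (in.read() != 0x30) return;                    // not a SEQUENCE: ignore
            byte[] body = in.readNBytes(readLength(in));
            if (body.length < 3 || body[0] != 0x02) return;   // messageID must be an INTEGER
            int idLen = body[1] & 0xff;
            if (body.length < 3 + idLen || (body[2 + idLen] & 0xff) != 0x60) return; // 0x60 = BindRequest
            binds.incrementAndGet();

            // BindResponse [APPLICATION 1]: resultCode ENUMERATED 49, matchedDN "", diagnosticMessage ""
            byte[] bindResp = {0x61, 0x07, 0x0a, 0x01, 0x31, 0x04, 0x00, 0x04, 0x00};
            ByteArrayOutputStream msg = new ByteArrayOutputStream();
            msg.write(0x30);
            msg.write(2 + idLen + bindResp.length);           // short-form length, content is well under 128 bytes
            msg.write(body, 0, 2 + idLen);                    // echo the client's messageID TLV verbatim
            msg.write(bindResp);
            s.getOutputStream().write(msg.toByteArray());
            s.getOutputStream().flush();
        }

        // BER length: short form (< 128) or long form (0x8n followed by n length bytes)
        private static int readLength(InputStream in) throws IOException {
            int b = in.read();
            if (b < 0) throw new IOException("truncated LDAP message");
            if ((b & 0x80) == 0) return b;
            int len = 0;
            for (int n = b & 0x7f; n > 0; n--) {
                int c = in.read();
                if (c < 0) throw new IOException("truncated LDAP message");
                len = (len << 8) | c;
            }
            return len;
        }
    }

    public static void main(String[] args) throws Exception {
        RejectingLdapServer first = new RejectingLdapServer();
        RejectingLdapServer second = new RejectingLdapServer();
        for (RejectingLdapServer srv : new RejectingLdapServer[] {first, second}) {
            Thread t = new Thread(srv, "fake-ldap-" + srv.ss.getLocalPort());
            t.setDaemon(true);
            t.start();
        }

        // A space-separated PROVIDER_URL makes the LDAP provider try each server in turn.
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, first.url() + " " + second.url());
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, "cn=user,dc=example,dc=com"); // assumed DN
        env.put(Context.SECURITY_CREDENTIALS, "wrong-password");           // assumed bad password

        try {
            new InitialDirContext(env).close();
            throw new AssertionError("bind unexpectedly succeeded against a server that rejects every bind");
        } catch (AuthenticationException expected) {
            // resultCode 49 from the first server is reported to the caller
        } finally {
            first.ss.close();
            second.ss.close();
        }

        System.out.println("bind attempts on first server:  " + first.binds.get());
        System.out.println("bind attempts on second server: " + second.binds.get());
        if (second.binds.get() != 0) {
            throw new AssertionError("same credentials were retried on the second server; "
                    + "each retry is another failed logon counted toward the lockout policy");
        }
    }
}
```

Run it with `java NoRetryAcrossServersExample.java` on a JDK that contains the fix and the second counter stays at zero; on an affected build the program ends with the AssertionError, which is exactly the observable a regression test for JDK-8275535 needs, whether it is built on these throwaway servers or on an LDAPServer trace as suggested above.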
