RFR: 8275535: Retrying a failed authentication on multiple LDAP servers can lead to users blocked

Martin Balao mbalao at openjdk.java.net
Wed Feb 9 18:53:12 UTC 2022


On Wed, 20 Oct 2021 13:35:22 GMT, Martin Balao <mbalao at openjdk.org> wrote:

> I'd like to propose a fix for JDK-8275535. This fix reverts the behavior to the state previous to JDK-8160768, where an authentication failure stops from trying other LDAP servers with the same credentials [1]. After JDK-8160768 we have 2 possible loops to stop: the one that iterates over different URLs and the one that iterates over different endpoints (after a DNS query that returns multiple values).
> 
> No test regressions observed in jdk/com/sun/jndi/ldap.
> 
> --
> [1] - https://hg.openjdk.java.net/jdk/jdk/rev/a609d549992a#l2.137

Unfortunately I don't have access to the environment where this problem reproduces and it will be difficult/impossible for me to get a real trace from there. What I can say, though, is that the fail-fast authentication behavior previous to the changes in JDK-8160768 was working fine in such an environment. Besides that, we didn't have any users reporting issues regarding authentication.

The change to revert to the previous behavior is, in my view, trivial. I can try to build a whole new environment that reproduces this problem or see if it's feasible to mock something, but before getting into that I need to understand what the concerns or motivation for that are. This would require more time than originally planned and might postpone this for a while.

Martin.-

-------------

PR: https://git.openjdk.java.net/jdk/pull/6043
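
The fail-fast behavior discussed in this message, as an added sketch that is not part of the original e-mail and is not the JDK's own code: an authentication failure leaves both the URL loop and the endpoint loop, while other naming errors fall through to the next endpoint. The `Binder` interface, the `connect` method and the `example.test` host names are hypothetical and constructed for illustration; only the `javax.naming` exception classes are real.

```java
import javax.naming.AuthenticationException;
import javax.naming.CommunicationException;
import javax.naming.NamingException;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;

public class FailFastLdapFailover {
    /** Hypothetical stand-in for one bind attempt against a single endpoint. */
    interface Binder { void bind(String endpoint) throws NamingException; }

    /** Returns the endpoint that accepted the bind; attempts[0] counts bind attempts. */
    static String connect(Map<String, List<String>> urls, Binder binder, int[] attempts)
            throws NamingException {
        NamingException last = null;
        for (List<String> endpoints : urls.values()) {   // loop 1: configured URLs
            for (String endpoint : endpoints) {          // loop 2: endpoints from DNS
                attempts[0]++;
                try {
                    binder.bind(endpoint);
                    return endpoint;
                } catch (AuthenticationException e) {
                    // Retrying the same credentials elsewhere only adds failed
                    // binds for this user, so leave both loops at once.
                    throw e;
                } catch (NamingException e) {
                    last = e;                            // e.g. unreachable: try the next one
                }
            }
        }
        throw last != null ? last : new CommunicationException("no endpoints configured");
    }

    public static void main(String[] args) throws NamingException {
        // Constructed sample: two URLs, each resolving to two endpoints.
        Map<String, List<String>> urls = new LinkedHashMap<>();
        urls.put("ldap://a.example.test", List.of("a1.example.test:389", "a2.example.test:389"));
        urls.put("ldap://b.example.test", List.of("b1.example.test:389", "b2.example.test:389"));
        // First endpoint is unreachable, every other one rejects the credentials.
        Binder binder = endpoint -> {
            if (endpoint.startsWith("a1.")) throw new CommunicationException("unreachable");
            throw new AuthenticationException("invalid credentials");
        };
        int[] attempts = {0};
        try {
            connect(urls, binder, attempts);
        } catch (AuthenticationException e) {
            System.out.println("stopped after " + attempts[0] + " of 4 endpoints: " + e.getMessage());
        }
    }
}
```

With the constructed input, the unreachable first endpoint is skipped, the second one rejects the credentials, and the remaining two endpoints are never contacted.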

