RFR: 8275535: Retrying a failed authentication on multiple LDAP servers can lead to users blocked

[Martin Balao]

On Tue, 8 Feb 2022 13:41:28 GMT, Martin Balao <mbalao at openjdk.org> wrote:

>>> @martinuy This pull request has been inactive for more than 4 weeks and will be automatically closed if another 4 weeks passes without any activity. To avoid this, simply add a new comment to the pull request. Feel free to ask for assistance if you need help with progressing this pull request towards integration!
>> 
>> Please do not close, waiting for CSR approval.
>
>> @martinuy Also your Compatibility Risk talks about KDCs, but this is about directory servers. Not sure how this relates here.
> 
> Correct, it was an unconscious mistake :) I will try to get this fixed (as the CSR was approved, I'll ask before editing directly).

> @martinuy, I am the reporter of JDK-8160768. Regarding this PR, isn't everything protocol related a fail-fast issue? E.g., if the socket is up and running, but the LDAP message is rejected can we assume that all subsequent servers for the same resolution will reject the request as well before authentication has happened?

It looks to me that it's not only a fail-fast issue because the state on the directory side might be altered by each try, as it happened in the reported case. In other words, the client might cause a denial-of-service blocking an account by trying multiple times the same incorrect authentication credentials on each resolved server.

In regards to the 2nd question, I guess that we cannot assume that. But the revert is intended for failed authentication only.

Is there a risk that you foresee by reverting the failed-authentication behavior back to pre-JDK-8160768?

-------------

PR: https://git.openjdk.java.net/jdk/pull/6043