JDK-8149521

automatic discovery of LDAP servers with Kerberos authentication

    Details

    • Subcomponent:
    • Resolved In Build:
      b120
    • CPU:
      generic
    • OS:
      windows_8
    • Verification:
      Verified

        Description

        FULL PRODUCT VERSION :
        java version "1.8.0_40"
        Java SE build 1.8.0_40_b26
        Java HotSpot 64-Bit Server VM build 25.40-b25, mixed mode

        ADDITIONAL OS VERSION INFORMATION :
        Windows 8.1

        A DESCRIPTION OF THE PROBLEM :
        When using the automatic discovery of LDAP servers with URLs of the type:
        ldaps:///dc=mydomain,dc=com
        and additionally using the Kerberos authentication mechanism (Context.SECURITY_AUTHENTICATION is "GSSAPI"),
        the connection fails because the requested Kerberos service ticket is made with an invalid principal name containing a dot "." at the end of the hostname part, for example:
        ldap/myserver.mydomain.com.@MYDOMAIN.COM

        The problem comes from the use of DNS SRV records, which return FQDN hostnames ending with a dot ".", for example:
        my-server.mydomain.com.
        While this dot doesn't matter for a simple connection (names ending with dots are resolved to IP addresses by DNS), it matters for a Kerberos principal name.

        Fix hint : the class com.sun.jndi.ldap.ServiceLocator shall be fixed to remove the trailing dot of hostnames obtained from DNS SRV records.



        REPRODUCIBILITY :
        This bug can be reproduced always.
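
The normalization the report asks for, shown as an added example (not code from the JDK or from the reporter): SRV targets are parsed, the trailing root dot is stripped, and the cleaned host is used for both the LDAP URL and the Kerberos service principal. The class and method names are hypothetical, the records are constructed samples, ordering by priority alone is a simplification, and Java 16+ is assumed for `record`.

```java
import java.util.ArrayList;
import java.util.Comparator;
import java.util.List;

public class SrvHostNormalizer {
    /** One parsed SRV record; the target is stored without the DNS root dot. */
    record SrvTarget(int priority, int weight, int port, String host) {
        String ldapsUrl(String baseDn) { return "ldaps://" + host + ":" + port + "/" + baseDn; }
        String servicePrincipal(String realm) { return "ldap/" + host + "@" + realm; }
    }

    /** Strip the trailing root dot of an absolute DNS name; reject unusable names. */
    static String stripRootDot(String name) {
        String h = name.endsWith(".") ? name.substring(0, name.length() - 1) : name;
        if (h.isEmpty() || h.endsWith(".")) {
            throw new IllegalArgumentException("not a usable host name: '" + name + "'");
        }
        return h;
    }

    /** Parse SRV RDATA strings ("priority weight port target"), lowest priority first. */
    static List<SrvTarget> parse(List<String> srvRecords) {
        List<SrvTarget> out = new ArrayList<>();
        for (String rec : srvRecords) {
            String[] f = rec.trim().split("\\s+");
            if (f.length != 4) continue;     // skip malformed records
            if (f[3].equals(".")) continue;  // RFC 2782: target "." means no service here
            out.add(new SrvTarget(Integer.parseInt(f[0]), Integer.parseInt(f[1]),
                                  Integer.parseInt(f[2]), stripRootDot(f[3])));
        }
        out.sort(Comparator.comparingInt(SrvTarget::priority));
        return out;
    }

    public static void main(String[] args) {
        // Constructed sample records, in the textual form a DNS SRV lookup returns.
        List<String> records = List.of(
            "10 100 636 backup.mydomain.com.",
            "0 100 636 my-server.mydomain.com.");
        for (SrvTarget t : parse(records)) {
            // Without stripRootDot the principal would be ldap/my-server.mydomain.com.@MYDOMAIN.COM
            System.out.println(t.ldapsUrl("dc=mydomain,dc=com") + "  ->  "
                               + t.servicePrincipal("MYDOMAIN.COM"));
        }
    }
}
```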


                People

                • Assignee:
                  weijun Weijun Wang
                  Reporter:
                  webbuggrp Webbug Group
                • Votes:
                  0
                  Watchers:
                  6
