JDK-8276959

Retrying a failed authentication on multiple LDAP servers can lead to users blocked


    Details

    • Compatibility Kind:
      behavioral
    • Compatibility Risk:
      minimal
    • Compatibility Risk Description:
      The risk is minimal because we are reverting the behavior to the state previous to JDK-8160768, which was well tested. Note that if the first LDAP server rejects the authentication for a reason unrelated to the validity of the supplied credentials (for example, because that server holds outdated or unsynchronized credential data), a second server will not be tried. The assumption for this scheme to work is that all servers are properly configured so that they always accept valid credentials.
    • Interface Kind:
      Other
    • Scope:
      Implementation

      Description

      Summary

      When authentication to an LDAP endpoint fails, do not retry the authentication against the other endpoints. This restores the behavior that was in place before JDK-8160768.

      Problem

      If authentication to an LDAP endpoint fails because the supplied credentials are wrong (e.g., a typo while entering the password), the OpenJDK client may automatically retry on the other endpoints, although no different result can be expected there. Besides the wasted resources, this can get the LDAP user account locked once the maximum number of failed authentication attempts is exceeded.

      Solution

      After an authentication failure on an LDAP endpoint, stop any further authentication attempts on the other endpoints. The rationale is that the endpoint that responded with the authentication failure is alive, so there is no connectivity problem that failing over would solve, and re-sending the same credentials to other endpoints is not expected to give a different result.

      Specification

      From a specification point of view, no public or internal API needs to change to implement this behavioral change: the methods com.sun.jndi.ldap.LdapCtxFactory::getUsingURL and com.sun.jndi.ldap.LdapCtxFactory::getUsingURLs already declare that they throw javax.naming.NamingException, of which javax.naming.AuthenticationException is a subclass. The only difference is the behavior while iterating over the URLs: an AuthenticationException now ends the iteration instead of being recorded while the next URL is tried.
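      The Solution and Specification sections above describe a change in the policy applied while iterating over the space-separated URL list that the JNDI LDAP provider accepts in Context.PROVIDER_URL. The following is an added illustration of that policy, not the JDK's own LdapCtxFactory code: the Connector interface, the bind helper, the replica host names and the "server" behaviour are all constructed for the example. It runs the same wrong-password bind under both policies and counts how many endpoints receive the bad credentials, which is what determines how fast an account lockout threshold is reached.

```java
import java.util.ArrayList;
import java.util.List;
import javax.naming.AuthenticationException;
import javax.naming.CommunicationException;
import javax.naming.NamingException;

// Added illustration of the URL-iteration policy changed by JDK-8276959.
// This is NOT the JDK's LdapCtxFactory implementation; the servers are simulated.
public class LdapFailoverPolicy {

    /** Stand-in for "open an LDAP context at this URL with the configured credentials". */
    @FunctionalInterface
    interface Connector {
        String connect(String url) throws NamingException;
    }

    /**
     * Iterate over a space-separated PROVIDER_URL list.
     * stopOnAuthFailure == false: every NamingException is recorded and the next URL
     *   is tried (the behaviour introduced by JDK-8160768).
     * stopOnAuthFailure == true: an AuthenticationException ends the loop at once
     *   (JDK-8276959): the endpoint that answered is alive, so failing over cannot
     *   help and only spends the account's failed-attempt budget on other replicas.
     * Connectivity failures (CommunicationException etc.) still fail over under both.
     */
    static String bind(String providerUrls, Connector connector,
                       boolean stopOnAuthFailure, List<String> attempted) throws NamingException {
        NamingException last = null;
        for (String url : providerUrls.trim().split("\\s+")) {
            attempted.add(url);
            try {
                return connector.connect(url);
            } catch (AuthenticationException e) {
                if (stopOnAuthFailure) {
                    throw e;            // the server is up and said "no": do not retry elsewhere
                }
                last = e;
            } catch (NamingException e) {
                last = e;               // host down, timeout, ...: the next URL may be reachable
            }
        }
        throw last != null ? last : new NamingException("no LDAP URL configured");
    }

    public static void main(String[] args) {
        // Constructed topology: replica1 is unreachable; replica2 and replica3 are up and
        // replicate the same directory, so a mistyped password is rejected by both.
        String urls = "ldap://replica1.example.com:389 "
                    + "ldap://replica2.example.com:389 "
                    + "ldap://replica3.example.com:389";
        Connector wrongPassword = url -> {
            if (url.contains("replica1")) {
                throw new CommunicationException(url + ": connection refused");
            }
            // 49 is the LDAP invalidCredentials result code; the message text is constructed.
            throw new AuthenticationException("[LDAP: error code 49 - Invalid Credentials]");
        };

        for (boolean newPolicy : new boolean[] {false, true}) {
            List<String> attempted = new ArrayList<>();
            try {
                bind(urls, wrongPassword, newPolicy, attempted);
            } catch (NamingException e) {
                // One of the attempts is a connection failure; the rest are failed binds
                // that a directory with a lockout policy counts against the account.
                System.out.printf("%s policy: %d endpoint(s) tried %s, %d failed bind(s), last error: %s%n",
                        newPolicy ? "JDK-8276959" : "JDK-8160768",
                        attempted.size(), attempted, attempted.size() - 1, e.getMessage());
            }
        }
    }
}
```

      Under the pre-fix policy the wrong password reaches both live replicas (two failed binds for a single user mistake); under the new policy the iteration stops after replica2 rejects it, so one typo costs one failed bind. The caveat from the Compatibility Risk Description is visible in the same loop: if replica2 rejected a correct password because its copy of the credentials is stale, the new policy would not go on to replica3 either.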

      PR: https://github.com/openjdk/jdk/pull/6043

              People

              Assignee:
              mbalao Martin Balao
              Reporter:
              mbalao Martin Balao
              Reviewed By:
              Aleksej Efimov, Daniel Fuchs