JDK-8149521: automatic discovery of LDAP servers with Kerberos authentication


Details

    • b120
    • generic
    • windows_8
    • Verified

Description

FULL PRODUCT VERSION :
java version "1.8.0_40"
Java SE build 1.8.0_40_b26
Java HotSpot 64-Bit Server VM build 25.40-b25, mixed mode

ADDITIONAL OS VERSION INFORMATION :
Windows 8.1

A DESCRIPTION OF THE PROBLEM :
When using automatic discovery of LDAP servers with URLs of the form:
ldaps:///dc=mydomain,dc=com
and additionally using the Kerberos authentication mechanism (Context.SECURITY_AUTHENTICATION is "GSSAPI"),
the connection fails because the requested Kerberos service ticket is made with an invalid principal name containing a dot "." at the end of the hostname part, for example:
ldap/myserver.mydomain.com.@MYDOMAIN.COM

The problem comes from the use of DNS SRV records, which return FQDN hostnames ending with a dot ".", for example:
my-server.mydomain.com.
While this dot does not matter for a plain connection (names ending with a dot are resolved to IP addresses by DNS), it does matter for a Kerberos principal name.

Fix hint: the class com.sun.jndi.ldap.ServiceLocator should be fixed to remove the trailing dot from hostnames obtained from DNS SRV records.

REPRODUCIBILITY :
This bug can be reproduced always.
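The failure described above, and the normalization the fix hint asks for, as an added Java illustration. This is not JDK code and not the implementation of com.sun.jndi.ldap.ServiceLocator; the SRV answers are constructed, and the class and helper names (SrvTrailingDot, parseSrvLine, stripTrailingDot, hasWellFormedHost) are hypothetical. It parses SRV answers in zone-file form, builds the ldap/host@REALM principal both with the target used verbatim (reproducing the malformed name in the report) and after the trailing dot is stripped, and applies a guard that rejects a principal whose host part contains an empty label.

```java
import java.util.Arrays;
import java.util.List;

// Added illustration, not code from the JDK or from com.sun.jndi.ldap.ServiceLocator.
// The SRV answers below are constructed; the class and helper names are hypothetical.
public class SrvTrailingDot {

    /** One SRV answer as DNS returns it: the target is a fully-qualified name with a trailing dot. */
    public static final class SrvRecord {
        public final int priority;
        public final int weight;
        public final int port;
        public final String target;

        public SrvRecord(int priority, int weight, int port, String target) {
            this.priority = priority;
            this.weight = weight;
            this.port = port;
            this.target = target;
        }
    }

    /** Parse a zone-file style line: owner ttl class type priority weight port target. */
    public static SrvRecord parseSrvLine(String line) {
        String[] f = line.trim().split("\\s+");
        if (f.length != 8 || !"SRV".equalsIgnoreCase(f[3])) {
            throw new IllegalArgumentException("not an SRV record: " + line);
        }
        return new SrvRecord(Integer.parseInt(f[4]), Integer.parseInt(f[5]),
                             Integer.parseInt(f[6]), f[7]);
    }

    /** Remove the trailing dot of a fully-qualified DNS name; a lone "." (the root) is left alone. */
    public static String stripTrailingDot(String fqdn) {
        if (fqdn.length() > 1 && fqdn.endsWith(".")) {
            return fqdn.substring(0, fqdn.length() - 1);
        }
        return fqdn;
    }

    /** The service principal a GSSAPI bind to an LDAP server asks the KDC for: ldap/host@REALM. */
    public static String ldapServicePrincipal(String host, String realm) {
        return "ldap/" + host + "@" + realm;
    }

    /** Reproduces the report's symptom: the SRV target is used verbatim, trailing dot included. */
    public static String naivePrincipal(SrvRecord r, String realm) {
        return ldapServicePrincipal(r.target, realm);
    }

    /** What the fix hint asks for: normalize the host before the principal name is formed. */
    public static String fixedPrincipal(SrvRecord r, String realm) {
        return ldapServicePrincipal(stripTrailingDot(r.target), realm);
    }

    /** Guard a caller can apply before binding: the host part must contain no empty label. */
    public static boolean hasWellFormedHost(String principal) {
        int slash = principal.indexOf('/');
        int at = principal.lastIndexOf('@');
        if (slash < 0 || at < slash) {
            return false;
        }
        String host = principal.substring(slash + 1, at);
        if (host.isEmpty()) {
            return false;
        }
        for (String label : host.split("\\.", -1)) {
            if (label.isEmpty()) {
                return false;
            }
        }
        return true;
    }

    public static void main(String[] args) {
        // Constructed answers in the shape a lookup of _ldap._tcp.mydomain.com returns.
        List<String> answers = Arrays.asList(
            "_ldap._tcp.mydomain.com. 600 IN SRV 0 100 636 my-server.mydomain.com.",
            "_ldap._tcp.mydomain.com. 600 IN SRV 10 100 636 backup.mydomain.com.");
        String realm = "MYDOMAIN.COM";
        for (String a : answers) {
            SrvRecord r = parseSrvLine(a);
            String bad = naivePrincipal(r, realm);
            String good = fixedPrincipal(r, realm);
            System.out.println("as returned: " + bad + "  well-formed=" + hasWellFormedHost(bad));
            System.out.println("normalized:  " + good + "  well-formed=" + hasWellFormedHost(good));
        }
    }
}
```

For the first answer the verbatim form yields ldap/my-server.mydomain.com.@MYDOMAIN.COM, which the guard rejects, and the normalized form yields ldap/my-server.mydomain.com@MYDOMAIN.COM. On a JDK without the fix, an application can avoid the discovery path altogether by performing the SRV lookup itself, normalizing the targets as above, and supplying explicit ldaps://host:port/ URLs in Context.PROVIDER_URL instead of the host-less ldaps:///dc=... form.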

People

weijun Weijun Wang
webbuggrp Webbug Group