- Bug
- Resolution: Fixed
- P3
- 8u40, 9
- b120
- generic
- windows_8
- Verified
Issue | Fix Version | Assignee | Priority | Status | Resolution | Resolved In Build |
---|---|---|---|---|---|---|
JDK-8183762 | 8u161 | Ivan Gerasimov | P3 | Resolved | Fixed | b01 |
JDK-8168485 | 8u152 | Ivan Gerasimov | P3 | Resolved | Fixed | b01 |
JDK-8192502 | emb-8u161 | Ivan Gerasimov | P3 | Resolved | Fixed | b01 |
FULL PRODUCT VERSION :
java version "1.8.0_40"
Java SE build 1.8.0_40_b26
Java HotSpot 64-Bit Server VM build 25.40-b25, mixed mode
ADDITIONAL OS VERSION INFORMATION :
Windows 8.1
A DESCRIPTION OF THE PROBLEM :
When using the automatic discovery of LDAP servers using URLs of type:
ldaps:///dc=mydomain,dc=com
and additionally using the Kerberos authentication mechanism (Context.SECURITY_AUTHENTICATION is "GSSAPI"),
the connection fails because the requested Kerberos service ticket is made with an invalid principal name containing a dot "." at the end of the hostname part, for example:
ldap/myserver.mydomain.com.@MYDOMAIN.COM
The problem comes from the use of DNS SRV records, which return FQDN hostnames ending with a dot ".", for example:
my-server.mydomain.com.
While this dot doesn't matter for a simple connection (names ending with dots are resolved to IP addresses by DNS), it matters for a Kerberos principal name.
Fix hint: the class com.sun.jndi.ldap.ServiceLocator shall be fixed to remove the trailing dot of hostnames obtained from DNS SRV records.
REPRODUCIBILITY :
This bug can be reproduced always.
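The following is an added example illustrating the defect described in the report; it is not the JDK's com.sun.jndi.ldap.ServiceLocator code. It parses SRV answers in the textual form the JNDI DNS provider returns ("priority weight port target"), turns each target into an LDAP URL, and shows how the absolute-name trailing dot would otherwise leak into the Kerberos service principal that GSSAPI requests. The class and method names (SrvPrincipalDemo, stripTrailingDot, srvToLdapUrl, ldapServicePrincipal) and the SRV answers are constructed for this example.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;

/**
 * Added example (not JDK code): normalizing DNS SRV targets before they are used
 * to build LDAP URLs and Kerberos service principal names.
 */
public class SrvPrincipalDemo {

    /** Strips the single trailing dot that DNS uses to mark an absolute (fully qualified) name. */
    static String stripTrailingDot(String host) {
        if (host != null && host.length() > 1 && host.endsWith(".")) {
            return host.substring(0, host.length() - 1);
        }
        return host;
    }

    /**
     * Parses one SRV record in the textual form the JNDI DNS provider returns:
     * "priority weight port target". Returns an LDAP URL for the target with the
     * trailing dot removed. Malformed records are rejected rather than guessed at.
     */
    static String srvToLdapUrl(String srvRecord, String scheme) {
        String[] f = srvRecord.trim().split("\\s+");
        if (f.length != 4) {
            throw new IllegalArgumentException("malformed SRV record: " + srvRecord);
        }
        int port = Integer.parseInt(f[2]);
        String host = stripTrailingDot(f[3]);
        return scheme + "://" + host + ":" + port;
    }

    /** Builds the service principal name GSSAPI requests for an LDAP host in a realm. */
    static String ldapServicePrincipal(String host, String realm) {
        return "ldap/" + stripTrailingDot(host) + "@" + realm;
    }

    public static void main(String[] args) {
        // Constructed sample SRV answers for _ldap._tcp.mydomain.com (not from a real DNS query).
        List<String> srvAnswers = Arrays.asList(
                "0 100 636 my-server.mydomain.com.",
                "10 50 636 backup.mydomain.com.");

        List<String> urls = new ArrayList<>();
        for (String rec : srvAnswers) {
            urls.add(srvToLdapUrl(rec, "ldaps"));
        }
        System.out.println("LDAP URLs from SRV: " + urls);

        String rawTarget = "my-server.mydomain.com.";
        // Without normalization the dot survives into the principal, which the KDC has no key for.
        System.out.println("principal without fix: ldap/" + rawTarget + "@MYDOMAIN.COM");
        // With normalization the principal matches the one registered for the server.
        System.out.println("principal with fix:    " + ldapServicePrincipal(rawTarget, "MYDOMAIN.COM"));
    }
}
```

The normalization is deliberately limited to a single trailing dot: anything else in the SRV target is passed through unchanged, so a genuinely odd record still surfaces as a failed lookup rather than being silently rewritten.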
- backported by
  - JDK-8168485 automatic discovery of LDAP servers with Kerberos authentication (Resolved)
  - JDK-8183762 automatic discovery of LDAP servers with Kerberos authentication (Resolved)
  - JDK-8192502 automatic discovery of LDAP servers with Kerberos authentication (Resolved)
- duplicates
  - JDK-8167011 BACKPORT: Automatic discovery of LDAP servers with Kerberos authentication (Closed)
- relates to
  - JDK-8158229 automatic discovery of LDAP servers still fails with Digest-MD5 authentication (Open)