JDK-8276959

Retrying a failed authentication on multiple LDAP servers can lead to users blocked


    • behavioral
    • minimal
    • The risk is minimal because we are reverting the behavior to the state previous to JDK-8160768, which was well tested. Note that if the first directory server rejects the authentication for an illegitimate reason (e.g. outdated or unsynchronized credentials), a second directory server won't be tried. The assumption for this scheme to work is that all directory servers are properly configured so that they always accept valid authentication.
    • Other
    • Implementation

      Summary

      When the authentication to an LDAP endpoint fails, do not retry authentication against other endpoints. Restore this behavior from the state previous to JDK-8160768.

      Problem

      If the authentication to an LDAP endpoint fails because wrong credentials were provided (e.g. a typo while entering the password), the OpenJDK client may automatically retry on other endpoints, although no different result can be expected. Beyond the resources wasted, this can lead to the LDAP user being blocked after exceeding the maximum number of authentication attempts.

      Solution

      After getting an authentication failure on an LDAP endpoint, stop any further authentication attempts on other endpoints. The rationale is that the LDAP endpoint that responded with the authentication failure is alive, so there is no need to keep trying.

      Specification

      From a specification point of view, there is no need to modify any public or internal APIs to implement this behavioral change, because the methods com.sun.jndi.ldap.LdapCtxFactory::getUsingURL and com.sun.jndi.ldap.LdapCtxFactory::getUsingURLs already declare that they throw javax.naming.NamingException, and javax.naming.AuthenticationException is a subclass of it. The only difference is the change of behavior while iterating the URLs.
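      As an added illustration (not the JDK's own LdapCtxFactory code), the URL-iteration policy described under Solution and Specification: an AuthenticationException ends the loop, any other NamingException moves on to the next URL. The Connector interface and the three servers are constructed stand-ins for the real context creation.

```java
import javax.naming.AuthenticationException;
import javax.naming.CommunicationException;
import javax.naming.NamingException;
import java.util.ArrayList;
import java.util.List;

public class LdapFailoverPolicy {

    /** Hypothetical stand-in for opening a context on one URL (not the JDK's code). */
    @FunctionalInterface
    interface Connector {
        String connect(String url) throws NamingException;
    }

    /**
     * Post-fix iteration over the URL list: an AuthenticationException comes
     * from a live server and is final, so it is rethrown without trying the
     * remaining URLs; any other NamingException means "try the next one".
     */
    static String getUsingURLs(String[] urls, Connector connector, List<String> attempted)
            throws NamingException {
        NamingException last = null;
        for (String url : urls) {
            attempted.add(url);
            try {
                return connector.connect(url);
            } catch (AuthenticationException e) {
                throw e;        // credentials rejected by a reachable server: stop here
            } catch (NamingException e) {
                last = e;       // server unreachable/unavailable: failover continues
            }
        }
        throw last != null ? last : new NamingException("no LDAP URL supplied");
    }

    public static void main(String[] args) {
        // Constructed scenario: server A is down, server B rejects the password,
        // so server C must never be contacted.
        String[] urls = {"ldap://a.example:389", "ldap://b.example:389", "ldap://c.example:389"};
        Connector fake = url -> {
            if (url.startsWith("ldap://a.")) throw new CommunicationException("connection refused");
            if (url.startsWith("ldap://b.")) throw new AuthenticationException("[LDAP: error code 49 - Invalid Credentials]");
            return "ctx@" + url;
        };
        List<String> attempted = new ArrayList<>();
        try {
            getUsingURLs(urls, fake, attempted);
        } catch (NamingException e) {
            System.out.println("Failed with " + e.getClass().getSimpleName() + " after trying " + attempted);
        }
    }
}
```

      Before JDK-8276959 the catch of AuthenticationException would have been folded into the generic NamingException branch, and server C would also have received the bad password.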

      PR: https://github.com/openjdk/jdk/pull/6043

            mbalao Martin Balao Alonso
            mbalao Martin Balao Alonso
            Aleksej Efimov, Daniel Fuchs