One-time wrong password attempt locks out user because the wrong password is sent to all configured servers
Issue
- When configuring multiple LDAP URLs (e.g. for resilience between different company LDAP servers), a one-time wrong password attempt (e.g. a typo) might lock out the user because the wrong password is sent to all the configured servers.
- Commit d3cf8a (JDK-8160768[1]) removed the `catch (AuthenticationException e)` check from `LdapCtxFactory.getUsingURLs`. Without it, a bind that is rejected by the first server is retried against every remaining server with the same wrong password, so a single typo produces one failed attempt per configured server and can lock the user out. The method before that change, with the check still in place:

```java
// com.sun.jndi.ldap.LdapCtxFactory (before commit d3cf8a): try each configured URL in turn.
private static DirContext getUsingURLs(String[] urls, Hashtable<?,?> env)
        throws NamingException {
    NamingException ne = null;
    DirContext ctx = null;
    for (int i = 0; i < urls.length; i++) {
        try {
            return getUsingURL(urls[i], env);
        } catch (AuthenticationException e) {
            // The server answered and rejected the credentials: do not send the
            // same password to the remaining servers.
            throw e;
        } catch (NamingException e) {
            // Connectivity or other failure: remember it and try the next URL.
            ne = e;
        }
    }
    throw ne;
}
```
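One way an application can keep server failover while avoiding the lockout on an affected JDK, as an added example that is not code from the JDK or from this article: open one `InitialDirContext` per URL (so `getUsingURLs` never sees more than one server) and stop at the first `AuthenticationException`. The class and method names, the connect timeout value and the empty-password guard are assumptions of this example.

```java
import java.util.Hashtable;
import javax.naming.AuthenticationException;
import javax.naming.Context;
import javax.naming.NamingException;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;

/** Hypothetical helper: application-level LDAP failover that never retries a rejected password. */
public final class LdapFailoverBind {

    /** Bind to the first reachable server in {@code urls}; a rejected password stops the loop. */
    public static DirContext bind(String[] urls, String principal, String password)
            throws NamingException {
        if (password == null || password.isEmpty()) {
            // An empty password would turn a simple bind into an unauthenticated bind on many
            // directory servers, so reject it here instead of sending it anywhere.
            throw new AuthenticationException("empty password is not accepted for simple bind");
        }
        NamingException last = null;
        for (String url : urls) {
            Hashtable<String, String> env = new Hashtable<>();
            env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
            env.put(Context.PROVIDER_URL, url);           // exactly one URL per attempt
            env.put(Context.SECURITY_AUTHENTICATION, "simple");
            env.put(Context.SECURITY_PRINCIPAL, principal);
            env.put(Context.SECURITY_CREDENTIALS, password);
            env.put("com.sun.jndi.ldap.connect.timeout", "3000"); // fail fast on a dead server (assumed value)
            try {
                return new InitialDirContext(env);
            } catch (AuthenticationException e) {
                // The server answered and rejected the credentials. Stop here: trying the remaining
                // servers would add one failed attempt per replica for the same typo.
                throw e;
            } catch (NamingException e) {
                // Unreachable server or other non-authentication failure: try the next URL.
                last = e;
            }
        }
        throw last != null ? last : new NamingException("no LDAP URLs configured");
    }
}
```

Note that with replicated directories the failed-attempt counter is usually shared, so even one rejected bind counts; the point of stopping early is to keep a single typo at a single failed attempt.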
Environment
- OpenJDK 11.0.9
- Red Hat build of OpenJDK
- Oracle JDK
- etc.