One-time wrong password attempt locks out user because the wrong password is sent to all configured servers

Solution In Progress - Updated -

Issue

  • When configuring multiple LDAP URLs (e.g. for resilience between different company LDAP servers), a one-time wrong password attempt (e.g. typo) might lock out the user because the wrong password is sent to all the configured servers.

  • Commit d3cf8a (JDK-8160768[1]) removed the check for an AuthenticationException (the `catch (AuthenticationException e) { throw e; }` branch in the loop below). Without it, a one-time wrong password attempt (e.g. a typo) can lock out the user, because the same wrong password is sent to every configured server:


    private static DirContext getUsingURLs(String[] urls, Hashtable<?,?> env)
            throws NamingException {
        NamingException ne = null;
        DirContext ctx = null;
        for (int i = 0; i < urls.length; i++) {
            try {
                return getUsingURL(urls[i], env);
            } catch (AuthenticationException e) {
                // the check referred to above: a bad password stops the loop
                // instead of being retried against the remaining URLs
                throw e;
            } catch (NamingException e) {
                ne = e;   // connectivity or other failure: try the next URL
            }
        }
        throw ne;
    }

[1]https://bugs.openjdk.java.net/browse/JDK-8160768
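An application-side way to keep the fail-fast behaviour while the JDK change is outstanding, as an added example that is neither the article's nor the JDK's code: the application iterates the URLs itself, passes a single PROVIDER_URL per bind, and stops on the first AuthenticationException. Class name, hostnames, bind DN and password are placeholders.

```java
import java.util.Hashtable;
import javax.naming.AuthenticationException;
import javax.naming.CommunicationException;
import javax.naming.Context;
import javax.naming.NamingException;
import javax.naming.ServiceUnavailableException;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;

/**
 * Application-side failover across LDAP servers (assumed helper, not JDK code).
 * Every attempt sets PROVIDER_URL to a single server, so the JDK's own
 * multi-URL loop is never entered. An AuthenticationException stops the loop
 * at once, so one mistyped password costs one failed bind, not one per server.
 */
public final class LdapFailover {
    public static DirContext connect(String[] urls, Hashtable<String, Object> baseEnv)
            throws NamingException {
        NamingException last = null;
        for (String url : urls) {
            Hashtable<String, Object> env = new Hashtable<>(baseEnv);
            env.put(Context.PROVIDER_URL, url);   // one server per bind attempt
            try {
                return new InitialDirContext(env);
            } catch (AuthenticationException e) {
                throw e;                          // bad credentials: never replay them elsewhere
            } catch (CommunicationException | ServiceUnavailableException e) {
                last = e;                         // server down/unreachable: try the next URL
            }                                     // other NamingExceptions propagate as config errors
        }
        throw last != null ? last : new NamingException("no LDAP URL configured");
    }

    // Example wiring; hostnames, bind DN and password below are placeholders.
    public static void main(String[] args) throws NamingException {
        Hashtable<String, Object> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, "cn=app,dc=example,dc=com");
        env.put(Context.SECURITY_CREDENTIALS, "<bind-password-placeholder>");
        String[] urls = { "ldaps://ldap1.example.com:636", "ldaps://ldap2.example.com:636" };
        DirContext ctx = connect(urls, env);
        try {
            System.out.println("bound to " + ctx.getEnvironment().get(Context.PROVIDER_URL));
        } finally {
            ctx.close();
        }
    }
}
```

Unlike the JDK loop, this helper only continues past connectivity failures; any other NamingException (for example a malformed URL) surfaces immediately rather than being retried.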

Environment

  • OpenJDK 11.0.9
    • Red Hat build of OpenJDK
    • Oracle JDK
    • etc.
