On Tue, 8 Feb 2022 13:41:28 GMT, Martin Balao <mba...@openjdk.org> wrote:
>>> @martinuy This pull request has been inactive for more than 4 weeks and
>>> will be automatically closed if another 4 weeks passes without any
>>> activity. To avoid this, simply add a new comment to the pull request. Feel
>>> free to ask for assistance if you need help with progressing this pull
>>> request towards integration!
>>
>> Please do not close, waiting for CSR approval.
>
>> @martinuy Also your Compatibility Risk talks about KDCs, but this is about
>> directory servers. Not sure how this relates here.
>
> Correct, it was an unconscious mistake :) I will try to get this fixed (as
> the CSR was approved, I'll ask before editing directly).

> @martinuy, I am the reporter of JDK-8160768. Regarding this PR, isn't
> everything protocol related a fail-fast issue? E.g., if the socket is up and
> running, but the LDAP message is rejected can we assume that all subsequent
> servers for the same resolution will reject the request as well before
> authentication has happened?

It looks to me that it's not only a fail-fast issue because the state on the directory side might be altered by each try, as it happened in the reported case. In other words, the client might cause a denial-of-service blocking an account by trying multiple times the same incorrect authentication credentials on each resolved server.

In regards to the 2nd question, I guess that we cannot assume that. But the revert is intended for failed authentication only. Is there a risk that you foresee by reverting the failed-authentication behavior back to pre-JDK-8160768?

-------------

PR: https://git.openjdk.java.net/jdk/pull/6043
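An added illustration of the distinction discussed in this thread (example code, not the PR's change or the JDK's own LdapCtxFactory logic): a connectivity failure moves on to the next resolved server, while a rejected bind stops immediately so the same bad credentials are not replayed against every replica and tripped lockout policies. It assumes the caller already holds the list of resolved server URLs and uses standard JNDI LDAP environment properties.

```java
import java.util.Hashtable;
import java.util.List;
import javax.naming.AuthenticationException;
import javax.naming.CommunicationException;
import javax.naming.Context;
import javax.naming.NamingException;
import javax.naming.ServiceUnavailableException;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;

public final class LdapFailoverBind {

    /** Result of a bind attempt over the whole resolved server list. */
    public enum Outcome { AUTHENTICATED, AUTH_REJECTED, ALL_UNREACHABLE }

    /**
     * Tries a simple bind against each resolved server in order (hypothetical
     * helper, not JDK code). Only transport-level failures fall through to the
     * next server; an authentication rejection returns at once, because the
     * directory has already evaluated (and counted) the failed attempt.
     */
    public static Outcome bindWithFailover(List<String> resolvedUrls,
                                           String principal, String password) {
        for (String url : resolvedUrls) {
            Hashtable<String, Object> env = new Hashtable<>();
            env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
            env.put(Context.PROVIDER_URL, url);
            env.put(Context.SECURITY_AUTHENTICATION, "simple");
            env.put(Context.SECURITY_PRINCIPAL, principal);
            env.put(Context.SECURITY_CREDENTIALS, password);
            // Bound the wait so an unreachable replica does not stall the loop.
            env.put("com.sun.jndi.ldap.connect.timeout", "3000");
            try {
                DirContext ctx = new InitialDirContext(env);
                ctx.close();
                return Outcome.AUTHENTICATED;
            } catch (AuthenticationException e) {
                // Fail fast: the server answered and rejected the credentials.
                // Retrying elsewhere would only add failed-login events.
                return Outcome.AUTH_REJECTED;
            } catch (CommunicationException | ServiceUnavailableException e) {
                // Socket/transport problem: this replica is down, try the next.
                continue;
            } catch (NamingException e) {
                // Any other protocol-level error: treat as a hard failure.
                return Outcome.AUTH_REJECTED;
            }
        }
        return Outcome.ALL_UNREACHABLE;
    }
}
```

Calling `bindWithFailover(List.of("ldap://replica1:389", "ldap://replica2:389"), "cn=user,dc=example,dc=com", "secret")` with a wrong password then produces at most one failed-login event on the directory side, whichever replica answers first.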