On Tue, 8 Feb 2022 13:41:28 GMT, Martin Balao <mba...@openjdk.org> wrote:

>>> @martinuy This pull request has been inactive for more than 4 weeks and 
>>> will be automatically closed if another 4 weeks passes without any 
>>> activity. To avoid this, simply add a new comment to the pull request. Feel 
>>> free to ask for assistance if you need help with progressing this pull 
>>> request towards integration!
>> 
>> Please do not close, waiting for CSR approval.
>
>> @martinuy Also your Compatibility Risk talks about KDCs, but this is about 
>> directory servers. Not sure how this relates here.
> 
> Correct, it was an unconscious mistake :) I will try to get this fixed (as 
> the CSR was approved, I'll ask before editing directly).

> @martinuy, I am the reporter of JDK-8160768. Regarding this PR, isn't 
> everything protocol related a fail-fast issue? E.g., if the socket is up and 
> running, but the LDAP message is rejected can we assume that all subsequent 
> servers for the same resolution will reject the request as well before 
> authentication has happened?

It looks to me that it's not only a fail-fast issue, because the state on the 
directory side might be altered by each try, as happened in the reported 
case. In other words, the client might cause a denial of service, blocking an 
account, by trying the same incorrect authentication credentials multiple 
times on each resolved server.

In regard to the second question, I guess that we cannot assume that. But the 
revert is intended for failed authentication only.

Is there a risk that you foresee by reverting the failed-authentication 
behavior back to pre-JDK-8160768?

-------------

PR: https://git.openjdk.java.net/jdk/pull/6043
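The lockout scenario Martin describes above, as an added, constructed model that is not JDK/JNDI code and not part of the PR: three replicas behind one host name share their lockout counters, and the client either moves on to the next resolved address after a rejected bind (the behaviour the PR reverts) or fails fast on authentication failure while still failing over on connection errors. The server names, the lockout threshold of 3 and the account data are assumptions.

```python
"""Constructed model of LDAP failover across the addresses a host name
resolves to. Not JDK code: the servers, the lockout policy and the client
policy are all assumptions chosen to show why retrying a *failed bind* on
every resolved server can lock an account on the directory side."""
from dataclasses import dataclass, field

LOCKOUT_THRESHOLD = 3  # assumed directory password policy: lock after 3 bad binds


class ConnectError(Exception):
    """Transport-level failure (host down, port closed)."""


class AuthError(Exception):
    """LDAP bind rejected (invalidCredentials, or account already locked)."""


@dataclass
class Directory:
    """Shared directory state: replicas behind one host name see the same
    lockout counters, so a bad bind on any replica counts against the user."""
    passwords: dict
    failed_binds: dict = field(default_factory=dict)
    locked: set = field(default_factory=set)

    def check_bind(self, user, password):
        if user in self.locked or self.passwords.get(user) != password:
            n = self.failed_binds.get(user, 0) + 1
            self.failed_binds[user] = n
            if n >= LOCKOUT_THRESHOLD:
                self.locked.add(user)
            raise AuthError(f"invalidCredentials for {user}")


@dataclass
class Server:
    """One resolved address. Assumed hostnames, e.g. ldap0.example.test."""
    name: str
    directory: Directory
    reachable: bool = True

    def bind(self, user, password):
        if not self.reachable:
            raise ConnectError(f"{self.name}: connection refused")
        self.directory.check_bind(user, password)
        return self.name


def connect(servers, user, password, retry_on_auth_failure):
    """Try each resolved address in turn.

    retry_on_auth_failure=True  models the behaviour the PR reverts: every
    failure, including a rejected bind, moves on to the next server with the
    same credentials.
    retry_on_auth_failure=False models fail-fast on authentication: connection
    failures still fail over, but a rejected bind ends the attempt.
    """
    last_error = None
    for server in servers:
        try:
            return server.bind(user, password)
        except ConnectError as e:
            last_error = e   # host unreachable: trying the next address is safe
        except AuthError as e:
            if not retry_on_auth_failure:
                raise
            last_error = e   # the same bad password is now sent to the next replica
    raise last_error


def failed_binds_after_one_bad_login(retry_on_auth_failure):
    """One client call with a wrong password against three replicas.
    Returns (failed-bind counter, whether the account got locked)."""
    directory = Directory(passwords={"alice": "correct horse"})
    servers = [Server(f"ldap{i}.example.test", directory) for i in range(3)]
    try:
        connect(servers, "alice", "wrong", retry_on_auth_failure)
    except AuthError:
        pass
    return directory.failed_binds["alice"], "alice" in directory.locked


def failover_on_unreachable_host():
    """Correct credentials, first replica down: fail-fast still fails over
    on the connection error and binds to the second replica."""
    directory = Directory(passwords={"alice": "correct horse"})
    servers = [Server("ldap0.example.test", directory, reachable=False),
               Server("ldap1.example.test", directory)]
    return connect(servers, "alice", "correct horse", retry_on_auth_failure=False)


if __name__ == "__main__":
    print("retry on auth failure :", failed_binds_after_one_bad_login(True))   # (3, True)
    print("fail fast on auth     :", failed_binds_after_one_bad_login(False))  # (1, False)
    print("unreachable first host:", failover_on_unreachable_host())           # ldap1.example.test
```

The single wrong password from the client becomes three failed binds when every resolved server is tried, which reaches the assumed threshold and locks the account; with fail-fast on authentication the counter only moves by one, and a later correct bind would still succeed. Transport failures are unaffected by the policy, which is the distinction the revert relies on.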
