-
Notifications
You must be signed in to change notification settings - Fork 5.4k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
8275535: Retrying a failed authentication on multiple LDAP servers can lead to users blocked #6043
Conversation
👋 Welcome back mbalao! A progress list of the required criteria for merging this PR into |
Hi Martin, The change looks reasonable to me. Having a CSR will also help to document difference in handling |
Hi @AlekseiEfimov , Thanks for your feedback. I'll open a CSR as suggested and wait for approval before integrating this fix. With that said, I could not find information in the CSR associated to JDK-8160768 (JDK-8192975) about this behavioral change. My intention here is to restore the previous JDK behavior; and not to introduce a new behavior or revert a previously-approved one. Martin.- |
Update: |
/csr needed |
@dfuch this pull request will not be integrated until the CSR request JDK-8276959 for issue JDK-8275535 has been approved. |
Can you please review the CSR [1]? Thanks, |
@martinuy This pull request has been inactive for more than 4 weeks and will be automatically closed if another 4 weeks passes without any activity. To avoid this, simply add a new comment to the pull request. Feel free to ask for assistance if you need help with progressing this pull request towards integration! |
Please do not close, waiting for CSR approval. |
@martinuy, I am the reporter of JDK-8160768. Regarding this PR, isn't everything protocol related a fail-fast issue? E.g., if the socket is up and running, but the LDAP message is rejected can we assume that all subsequent servers for the same resolution will reject the request as well before authentication has happened? The purpose of JDK-8160768 was to discover LDAP servers and connect to the first one reachable. BTW, this code has been running for years now at work: https://github.com/michael-o/activedirectory-dns-locator |
@martinuy Also your Compatibility Risk talks about KDCs, but this is about directory servers. Not sure how this relates here. |
@martinuy This pull request has been inactive for more than 4 weeks and will be automatically closed if another 4 weeks passes without any activity. To avoid this, simply add a new comment to the pull request. Feel free to ask for assistance if you need help with progressing this pull request towards integration! |
@martinuy The CSR is approved, fwiw. |
Correct, it was an unconscious mistake :) I will try to get this fixed (as the CSR was approved, I'll ask before editing directly). |
It looks to me that it's not only a fail-fast issue because the state on the directory side might be altered by each try, as it happened in the reported case. In other words, the client might cause a denial-of-service blocking an account by trying multiple times the same incorrect authentication credentials on each resolved server. In regards to the 2nd question, I guess that we cannot assume that. But the revert is intended for failed authentication only. Is there a risk that you foresee by reverting the failed-authentication behavior back to pre-JDK-8160768? |
Let me add a few points for consideration from my usecases, since I don't use any password-based authentication with SASL and Active Directory only:
But the auth is part of the LDAP message as well since the auth does not happen out of band. I would expect that any non-transport issue should fail fast.
Not really, I virtually never had problems, thought might need annotations when this does not work, see above. |
Thanks @michael-o for your input. I see the observations that you raised. In my view, we should revert to the previous behavior (as there are users currently affected by the change), and perhaps we can discuss future improvements from there, based on actual cases. @AlekseiEfimov can you please review this change? We need the formal review-approval to move forward. |
@martinuy Agree |
Is the new behavior something that could be tested with a new non regression test? |
Hi Martin, The source changes looks good to me. In case you have an LDAP server that can be used to reproduce this problem then maybe you could try to create a test that uses classes from LDAP test library ( In a nutshell, it could be done by following these steps:
Snippet 1: How trace file can be collected:
Snippet 2: How trace file can be used (note that the trace file name should match the test class name in this example) it can be used to create an instance of the LDAPServer:
|
Unfortunately I don't have access to the environment where this problem reproduces and will be difficult/impossible for me to get a real trace from there. What I can say, though, is that the fail-fast authentication behavior previous to the changes in JDK-8160768 was working fine in such environment. Besides that, we didn't have any users reporting issues regarding authentication. The change to revert to the previous behavior is, in my view, trivial. I can try to build a whole new environment that reproduces this problem or see if it's feasible to mock something, but before getting into that I need to understand what the concerns or motivation for that are. This would require more time than originally planned and might postpone this for a while. Martin.- |
The concerns are two folds:
I agree that the changes seem safe and given the history seem to be doing what the fix/PR says they do, so I'd be more concerned with the latter. So if it's practical to add a test I'd rather have one. If the behavior is too hard to test - then the appropriate keyword would be |
Thanks, that was what I initially thought but wanted to check if I was missing something else given the previous discussion. I should be able to generate a build for the user and ask him to test in his real environment. As for the other concern, I'll evaluate options and let you know. |
Thanks for the update, Martin. |
Right - I would be fine with that too. |
@martinuy This pull request has been inactive for more than 4 weeks and will be automatically closed if another 4 weeks passes without any activity. To avoid this, simply add a new comment to the pull request. Feel free to ask for assistance if you need help with progressing this pull request towards integration! |
Please don't auto-close this bot :) |
@martinuy This pull request has been inactive for more than 4 weeks and will be automatically closed if another 4 weeks passes without any activity. To avoid this, simply add a new comment to the pull request. Feel free to ask for assistance if you need help with progressing this pull request towards integration! |
What's the status of this? The last comment reads as if this is good to go. |
I believe we're still waiting for Martin to reply to the last comment:
Otherwise yes - this would be good to go. |
Look here for spring based test case. |
@martinuy This pull request has been inactive for more than 4 weeks and will be automatically closed if another 4 weeks passes without any activity. To avoid this, simply add a new comment to the pull request. Feel free to ask for assistance if you need help with progressing this pull request towards integration! |
please don't auto-close this bot. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Hi @martinuy,
I think this fix is in a good state: code changes look good, the CSR is approved and our CI shows no JNDI test failures related to this change.
As it was mentioned before the only thing we're waiting for is a bug logged for a test addition with a scenario of how issue can be reproduced. If it is not feasible to do that we can proceed without it - I will log a bug and will use a Spring reproducer shared by Carsten (thank you) as a starting point.
Therefore, I'm approving this change.
@martinuy This change now passes all automated pre-integration checks. ℹ️ This project also has non-automated pre-integration requirements. Please see the file CONTRIBUTING.md for details. After integration, the commit message for the final commit will be:
You can use pull request commands such as /summary, /contributor and /issue to adjust it as needed. At the time when this comment was updated there had been 2489 new commits pushed to the
As there are no conflicts, your changes will automatically be rebased on top of these commits when integrating. If you prefer to avoid this automatic rebasing, please check the documentation for the /integrate command for further details. ➡️ To integrate this PR with the above commit message to the |
Hi @AlekseiEfimov , Apologies for the delay. We had no feedback from our customer. However, we released the fix in our builds and there were no regressions reported. I'll proceed with the integration of this fix. Thanks, |
/integrate |
Going to push as commit 3be394e.
Your commit was automatically rebased without conflicts. |
Will this fix be back-ported to JDK 8/11/17? |
I'd like to propose a fix for JDK-8275535. This fix reverts the behavior to the state previous to JDK-8160768, where an authentication failure stops from trying other LDAP servers with the same credentials [1]. After JDK-8160768 we have 2 possible loops to stop: the one that iterates over different URLs and the one that iterates over different endpoints (after a DNS query that returns multiple values).
No test regressions observed in jdk/com/sun/jndi/ldap.
--
[1] - https://hg.openjdk.java.net/jdk/jdk/rev/a609d549992a#l2.137
Progress
Issues
Reviewers
Reviewing
Using
git
Checkout this PR locally:
$ git fetch https://git.openjdk.java.net/jdk pull/6043/head:pull/6043
$ git checkout pull/6043
Update a local copy of the PR:
$ git checkout pull/6043
$ git pull https://git.openjdk.java.net/jdk pull/6043/head
Using Skara CLI tools
Checkout this PR locally:
$ git pr checkout 6043
View PR using the GUI difftool:
$ git pr show -t 6043
Using diff file
Download this PR as a diff file:
https://git.openjdk.java.net/jdk/pull/6043.diff