FULL PRODUCT VERSION :
java version "1.8.0_40"
Java SE build 1.8.0_40_b26
Java HotSpot 64-Bit Server VM build 25.40-b25, mixed mode
ADDITIONAL OS VERSION INFORMATION :
Windows 8.1
A DESCRIPTION OF THE PROBLEM :
When using the automatic discovery of LDAP servers using urls of type :
ldaps:///dc=mydomain,dc=com
and additionnaly using the kerberos authentication mechanism (Context.SECURITY_AUTHENTICATION is "GSSAPI")
the connection fails because the requested kerberos service ticket is made with an invalid principal name containing a dot "." at the end of the hostname part, for example :
ldap/[email protected]
The problem comes from the use of DNS SRV records which returned FQDNs hostnames end with a dot ".", for example :
my-server.mydomain.com.
While this dot doesn't matter for simple connection (names ending with dots are resolved to IP adresses by DNS), it matters for a kerberos principal name.
Fix hint : the class com.sun.jndi.ldap.ServiceLocator shall be fixed to remove the trailing dot of hostnames obtained from DNS SRV records.
REPRODUCIBILITY :
This bug can be reproduced always.