JDK-8149521 : automatic discovery of LDAP servers with Kerberos authentication
  • Type: Bug
  • Component: core-libs
  • Sub-Component: javax.naming
  • Affected Version: 8u40,9
  • Priority: P3
  • Status: Closed
  • Resolution: Fixed
  • OS: windows_8
  • CPU: generic
  • Submitted: 2015-09-30
  • Updated: 2017-11-29
  • Resolved: 2016-05-20
Fix versions:
  • JDK 8: 8u152 (Fixed)
  • JDK 9: 9 b120 (Fixed)
Description
FULL PRODUCT VERSION :
java version "1.8.0_40"
Java SE build 1.8.0_40_b26
Java HotSpot 64-Bit Server VM build 25.40-b25, mixed mode

ADDITIONAL OS VERSION INFORMATION :
Windows 8.1

A DESCRIPTION OF THE PROBLEM :
When using the automatic discovery of LDAP servers with URLs of the form:
ldaps:///dc=mydomain,dc=com
and additionally using the Kerberos authentication mechanism (Context.SECURITY_AUTHENTICATION is "GSSAPI"),
the connection fails because the requested Kerberos service ticket is made with an invalid principal name containing a dot "." at the end of the hostname part, for example:
ldap/my-server.mydomain.com.@MYDOMAIN.COM

The problem comes from the use of DNS SRV records, which return fully qualified hostnames ending with a dot ".", for example:
my-server.mydomain.com.
While this dot doesn't matter for a simple connection (names ending with a dot are resolved to IP addresses by DNS), it matters for a Kerberos principal name, because the KDC looks the service principal up by its exact string and "my-server.mydomain.com." is not the name the LDAP server's key was registered under.

Fix hint: the class com.sun.jndi.ldap.ServiceLocator should be fixed to remove the trailing dot from hostnames obtained from DNS SRV records.
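As an added example (not JDK code, and not the fix that was committed for this bug), the following class shows the SRV-to-principal step the report describes: SRV answers for the domain are parsed, ordered for connection attempts, and the DNS target is normalized (trailing root dot removed, labels lower-cased) before the "ldap/host@REALM" service principal name is built. The SRV answer strings, host names and realm are constructed; the "priority weight port target" layout is the one the JNDI DNS provider returns for SRV attributes, and the realm is assumed to be the upper-cased domain.

```java
import java.util.ArrayList;
import java.util.Comparator;
import java.util.List;
import java.util.Locale;

/**
 * Added example (not JDK code): derives Kerberos service principal names
 * for LDAP servers found through DNS SRV records, removing the trailing
 * dot that DNS attaches to fully qualified names.
 */
public final class LdapSrvToSpn {

    /** One parsed SRV record in the "priority weight port target" layout. */
    public static final class SrvRecord {
        public final int priority;
        public final int weight;
        public final int port;
        public final String target; // as returned by DNS, may end with "."

        SrvRecord(int priority, int weight, int port, String target) {
            this.priority = priority;
            this.weight = weight;
            this.port = port;
            this.target = target;
        }
    }

    /** Parses one SRV answer string; rejects anything that is not four fields. */
    public static SrvRecord parseSrv(String answer) {
        String[] f = answer.trim().split("\\s+");
        if (f.length != 4) {
            throw new IllegalArgumentException("malformed SRV answer: " + answer);
        }
        return new SrvRecord(Integer.parseInt(f[0]), Integer.parseInt(f[1]),
                             Integer.parseInt(f[2]), f[3]);
    }

    /**
     * Normalizes a DNS name for use in a principal: strips the trailing root
     * dot(s) and lower-cases the labels. Resolution accepts either form, but
     * the KDC matches the principal string exactly, so "host.example.com."
     * and "host.example.com" would name different keys.
     */
    public static String hostForPrincipal(String dnsName) {
        String h = dnsName;
        while (h.endsWith(".")) {
            h = h.substring(0, h.length() - 1);
        }
        if (h.isEmpty()) {
            throw new IllegalArgumentException("empty host name in SRV target: " + dnsName);
        }
        return h.toLowerCase(Locale.ROOT);
    }

    /** Builds "ldap/host@REALM" from an SRV target (realm is an assumption of the caller). */
    public static String ldapSpn(String srvTarget, String realm) {
        return "ldap/" + hostForPrincipal(srvTarget) + "@" + realm;
    }

    /**
     * Orders servers the way a client should try them: lowest priority first,
     * then highest weight. A strict weight sort stands in for RFC 2782's
     * weighted random selection, which is enough to show the principal step.
     */
    public static List<SrvRecord> order(List<String> answers) {
        List<SrvRecord> out = new ArrayList<>();
        for (String a : answers) {
            out.add(parseSrv(a));
        }
        out.sort(Comparator.comparingInt((SrvRecord r) -> r.priority)
                           .thenComparingInt(r -> -r.weight));
        return out;
    }

    public static void main(String[] args) {
        // Constructed answers for _ldap._tcp.mydomain.com; names and realm are hypothetical.
        List<String> answers = List.of(
            "10 100 636 my-server.mydomain.com.",
            "0 50 636 dc1.mydomain.com.",
            "0 100 636 DC2.mydomain.com.");
        String realm = "MYDOMAIN.COM"; // assumed: upper-cased DNS domain
        for (SrvRecord r : order(answers)) {
            System.out.println(r.target + ":" + r.port + " -> " + ldapSpn(r.target, realm));
        }
    }
}
```

Run with `java LdapSrvToSpn.java` (JDK 11 or later). The point of hostForPrincipal is that the same trailing dot which DNS tolerates is carried verbatim into the service principal name unless it is removed at the boundary between name resolution and authentication.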



REPRODUCIBILITY :
This bug can be reproduced always.


Comments
Since this is just a bug reported to kerberos, I'd suggest we only fix it on the kerberos side. Maybe ServiceLocator wants to keep it. We can remove the dot while constructing the KerberosPrincipal.
10-05-2016

It is confirmed that the bugs exist in 7u79 and 8u91 [1] and 9 [2]
[1] http://mail.openjdk.java.net/pipermail/core-libs-dev/2016-May/040861.html
[2] http://mail.openjdk.java.net/pipermail/core-libs-dev/2016-May/040889.html
06-05-2016

Pallavi, try to reproduce it with 8, 8u72 ea and 9 ea builds.
24-12-2015