JDK-6394020 : overeager failover behavior with JNDI LDAP provider as a result of authentication failures
  • Type: Bug
  • Component: core-libs
  • Sub-Component: javax.naming
  • Affected Version: 6
  • Priority: P3
  • Status: Resolved
  • Resolution: Fixed
  • OS: solaris
  • CPU: sparc
  • Submitted: 2006-03-04
  • Updated: 2011-04-20
  • Resolved: 2006-04-01
  • Fix Version: 6 b79 (Fixed)
I noticed an odd behavior in the LDAP provider if multiple directory URLs are given as the value of the PROVIDER_URL (as seen in http://java.sun.com/products/jndi/tutorial/ldap/misc/url.html#MULTI).

Using such a connection, if an application attempts to bind with an incorrect password (which naturally results in a bind failure response from the LDAP server), the LDAP provider will attempt to reconnect to all of the URLs listed in the PROVIDER_URL.

This seems like a bug. If the first contacted LDAP server returns a result indicating that the password is incorrect, that should be treated as an authoritative answer. There is no reason to query every other listed server, since (assuming they are mirrors of each other as should be expected) they will all return the same answer.
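The two policies described in this report, as an added illustration rather than code from the JDK or from the reporter: a hypothetical stand-in for the URL loop in LdapCtxFactory, with three constructed replica URLs and no real LDAP server (each "server" is simulated, and the class, method and host names are assumptions). It uses the real javax.naming exception hierarchy, where AuthenticationException is a subclass of NamingException, to show that under the pre-fix policy every listed replica receives the bad password, while treating the invalid-credentials answer as authoritative stops at the first server that actually answers.

```java
import java.util.LinkedHashMap;
import java.util.Map;
import javax.naming.AuthenticationException;
import javax.naming.CommunicationException;
import javax.naming.NamingException;

/**
 * Simulated multi-URL failover for the JNDI LDAP provider (hypothetical
 * stand-in for LdapCtxFactory's URL loop). No directory is contacted: each
 * "server" either succeeds, rejects the credentials, or is unreachable.
 */
public class MultiUrlFailoverDemo {

    enum ServerState { UP, UNREACHABLE }

    /** Bind attempts seen per replica, in URL order (this is what a lockout policy would count). */
    static final Map<String, Integer> BIND_ATTEMPTS = new LinkedHashMap<>();

    /** Constructed sample in the space-separated form PROVIDER_URL accepts. */
    static final String PROVIDER_URL =
        "ldap://ldap1.example.com:389 ldap://ldap2.example.com:389 ldap://ldap3.example.com:389";

    static final String VALID_PASSWORD = "correct horse battery staple";

    /** Simulated getUsingURL(): record the attempt, then answer as a mirror would. */
    static String bind(String url, ServerState state, String password) throws NamingException {
        BIND_ATTEMPTS.merge(url, 1, Integer::sum);
        if (state == ServerState.UNREACHABLE) {
            throw new CommunicationException(url + ": connection refused");
        }
        if (!VALID_PASSWORD.equals(password)) {
            // LDAP result code 49 (invalidCredentials) is surfaced as AuthenticationException
            throw new AuthenticationException("[LDAP: error code 49 - Invalid Credentials]");
        }
        return url; // the context would now be bound to this replica
    }

    /**
     * The URL loop. stopOnAuthFailure=false is the pre-fix behaviour: every
     * NamingException, including a rejected password, moves on to the next URL.
     * stopOnAuthFailure=true treats an AuthenticationException as authoritative.
     */
    static String connect(String providerUrl, Map<String, ServerState> states,
                          String password, boolean stopOnAuthFailure) throws NamingException {
        NamingException last = null;
        for (String url : providerUrl.split(" ")) {
            try {
                return bind(url, states.get(url), password);
            } catch (AuthenticationException e) {
                if (stopOnAuthFailure) {
                    throw e; // one mirror rejected the credentials; the others will too
                }
                last = e;
            } catch (NamingException e) {
                last = e; // unreachable, timeout, ...: failover to the next replica is correct
            }
        }
        throw last;
    }

    public static void main(String[] args) {
        Map<String, ServerState> states = new LinkedHashMap<>();
        states.put("ldap://ldap1.example.com:389", ServerState.UNREACHABLE);
        states.put("ldap://ldap2.example.com:389", ServerState.UP);
        states.put("ldap://ldap3.example.com:389", ServerState.UP);

        for (boolean fixed : new boolean[] {false, true}) {
            BIND_ATTEMPTS.clear();
            try {
                connect(PROVIDER_URL, states, "wrong-password", fixed);
            } catch (NamingException e) {
                System.out.println((fixed ? "fixed:   " : "pre-fix: ")
                    + e.getClass().getSimpleName() + " -> " + BIND_ATTEMPTS);
            }
        }
    }
}
```

With the first replica down and a wrong password, the pre-fix loop reports bind attempts on all three URLs while the fixed loop stops after ldap2 rejects the credentials. The attempt count is the practical reason the old behaviour matters: each replica that receives the bad password records a failed bind, which a directory's lockout threshold counts, so a single typo could be multiplied by the number of URLs listed.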

EVALUATION There is no automatic way of verifying this fix. However, a unit test is available in the JNDI/LDAP testsuite that can be used to verify this fix. Please run the following test and manually inspect the results to verify the fix: /java/jndi/ws/jndi_mustang_master/testjndi/ldap/unit/MultiURLTest.java

SUGGESTED FIX --- LdapCtxFactory.java Mon Mar 13 12:35:45 2006 *** 189,198 **** --- 189,200 ---- NamingException ne = null; DirContext ctx = null; for (int i = 0; i < urls.length; i++) { try { return getUsingURL(urls[i], env); + } catch (AuthenticationException e) { + throw e; } catch (NamingException e) { ne = e; } } throw ne;
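Review bot: the new `catch (AuthenticationException e) { throw e; }` in the URL loop discards `ne`, the NamingException recorded from any URL tried earlier, so when the first replica was unreachable and the second rejected the password only the bind failure reaches the caller; consider attaching the earlier failure with `e.setRootCause(ne)` before `throw e;`, or at least logging it, so an operator can tell a replica outage apart from a bad password. The `DirContext ctx = null;` in the surrounding context is unused in the shown lines, and the early rethrow deserves a code comment stating that an invalid-credentials answer from one mirror is treated as authoritative, since other NamingSecurityException subclasses such as AuthenticationNotSupportedException still fall through to the next URL and a reader cannot tell from the hunk whether that is intended.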

EVALUATION The requested change in behavior makes sense. The same set of credentials is used for trying to establish a connection with each of the listed servers, and there isn't a gain in trying to use the known invalid credentials.