https://bz.apache.org/bugzilla/show_bug.cgi?id=61977

Mark Thomas <ma...@apache.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           Severity|blocker                     |enhancement

--- Comment #3 from Mark Thomas <ma...@apache.org> ---
I can confirm that this is fixed in Java 10 (ea38).

Using the configuration from:
https://tomcat.apache.org/tomcat-9.0-doc/windows-auth-howto.html

This works with Java 8 or Java 10:
<Realm  className="org.apache.catalina.realm.JNDIRealm"
        connectionURL="ldap://win-dc01.dev.local:3268"
        connectionName="CN=Administrator,CN=Users,DC=dev,DC=local"
        connectionPassword="password"
        userSearch="(sAMAccountName={0})"
        userBase="CN=Users,DC=dev,DC=local"
        userSubtree="true"
        roleSearch="(member={0})"
        roleBase="DC=dev,DC=local"
        roleName="cn"
        roleSubtree="true"
        roleNested="true"
        />

This fails with Java 8 but works with Java 10:
<Realm  className="org.apache.catalina.realm.JNDIRealm"
        connectionURL="ldap:///DC=dev,DC=local"
        connectionName="CN=Administrator,CN=Users,DC=dev,DC=local"
        connectionPassword="password"
        userSearch="(sAMAccountName={0})"
        userBase="CN=Users"
        userSubtree="true"
        roleSearch="(member={0})"
        roleName="cn"
        roleSubtree="true"
        roleNested="true"
        adCompat="true"
        />

This is, clearly, a JRE bug. The fix for 8149521 looks more like addressing the
symptom than the root cause. Such an approach isn't unusual for the JRE, which
tends to take a very conservative view on changes that might break existing
apps.

Generally, the Tomcat community doesn't implement workarounds for bugs in
third-party code. The preferred solution is to fix the problem at source. This
keeps the Tomcat code clean(er) and everyone gets the fix.

There are exceptions where we have provided workarounds. A number of factors
influence this. One is how big a patch is required to work around it. I'll take
a look at what a patch might look like.

Finally, moving this to an enhancement as there is no Tomcat bug here.
