Mark Boyce Mark.Boyce at
Mon May 16 19:21:14 EDT 2016

When pooling AD Domain Controllers and adding "connectionHandler="edu.vt.middleware.ldap.handler.DefaultConnectionHandler{{connectionStrategy=ACTIVE_PASSIVE}}"" (as prescribed at I am seeing the following:

1) User enters bad password
2) Shibboleth (yes, it is the underlying edu.vt.middleware.ldap.jaas.LdapLoginModule) attempts to authenticate the user at each DC in the pool; having failed to bind as the user, it would appear that edu.vt.middleware.ldap.jaas.LdapLoginModule is interpreting this as a failure of the server and promptly moving on to the next server in the pool
3) The user account lockout threshold is reached and the user is locked out

My question is:

1) Is it possible to have edu.vt.middleware.ldap.jaas.LdapLoginModule understand a bad password as opposed to a server failure and act upon same?
2) Will a connection strategy of "default" result in an authentication service failure should one of the AD DCs in the pool become unavailable?



Mark L. Boyce
Senior Identity Management Analyst
University of California, Office of the President
415 20th Street
Oakland, CA 94612
Office: 510.987.9681
Cell: 209.851.0196
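
The distinction the question asks about, sketched with the JDK's JNDI exception types as an added example; it is not part of the original post and is not vt-ldap code. The `Binder` interface, the host names and the password are constructed stand-ins for a real bind against a DC pool.

```java
import javax.naming.AuthenticationException;
import javax.naming.CommunicationException;
import javax.naming.NamingException;
import javax.naming.ServiceUnavailableException;
import java.util.List;

public class FailoverBind {
    // Hypothetical stand-in for a real LDAP simple bind against one DC.
    interface Binder { void bind(String host, String user, String pw) throws NamingException; }

    enum Result { AUTHENTICATED, BAD_CREDENTIALS, NO_SERVER_AVAILABLE }

    // Tries DCs in order; only connection-level errors advance to the next DC.
    // Any other NamingException propagates to the caller instead of triggering failover.
    static Result authenticate(List<String> dcs, Binder binder, String user, String pw)
            throws NamingException {
        for (String dc : dcs) {
            try {
                binder.bind(dc, user, pw);
                return Result.AUTHENTICATED;
            } catch (AuthenticationException e) {
                // LDAP result 49 (invalidCredentials): the DC answered, so stop here.
                // Binding to the remaining DCs would add one failed logon per server.
                return Result.BAD_CREDENTIALS;
            } catch (CommunicationException | ServiceUnavailableException e) {
                // The DC could not be reached; the password was never evaluated.
                System.err.println("DC unavailable, trying next: " + dc);
            }
        }
        return Result.NO_SERVER_AVAILABLE;
    }

    public static void main(String[] args) throws NamingException {
        // Constructed pool: dc1 is down, dc2 and dc3 are up.
        List<String> pool = List.of("dc1.example.edu", "dc2.example.edu", "dc3.example.edu");
        int[] failedLogons = {0}; // failed binds that reached a live DC
        Binder sim = (host, user, pw) -> {
            if (host.startsWith("dc1")) throw new CommunicationException("connection refused");
            if (!"correct-horse".equals(pw)) {
                failedLogons[0]++;
                throw new AuthenticationException("[LDAP: error code 49 - Invalid Credentials]");
            }
        };
        System.out.println(authenticate(pool, sim, "jdoe", "wrong"));
        System.out.println("failed logons reaching a DC: " + failedLogons[0]);
        System.out.println(authenticate(pool, sim, "jdoe", "correct-horse"));
    }
}
```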
