diff --git a/java-17-openjdk.spec b/java-17-openjdk.spec
index e21a365..82f1c1e 100644
--- a/java-17-openjdk.spec
+++ b/java-17-openjdk.spec
@@ -334,7 +334,7 @@
 %global top_level_dir_name   %{origin}
 %global top_level_dir_name_backup %{top_level_dir_name}-backup
 %global buildver        8
-%global rpmrelease      6
+%global rpmrelease      7
 # Priority must be 8 digits in total; up to openjdk 1.8, we were using 18..... so when we moved to 11, we had to add another digit
 %if %is_system_jdk
 # Using 10 digits may overflow the int used for priority, so we combine the patch and build versions
@@ -1249,6 +1249,8 @@ Patch1016: rh2021263-fips_separate_policy_and_fips_init.patch
 # OpenJDK patches in need of upstreaming
 #
 #############################################
+# JDK-8275535, RH2053256: Retrying a failed authentication on multiple LDAP servers can lead to users blocked
+Patch2000: jdk8275535-rh2053256-ldap_auth.patch
 
 #############################################
 #
@@ -1677,6 +1679,8 @@ popd # openjdk
 %patch1015
 %patch1016
 
+%patch2000
+
 # Extract systemtap tapsets
 %if %{with_systemtap}
 tar --strip-components=1 -x -I xz -f %{SOURCE8}
@@ -2448,6 +2452,10 @@ cjc.mainProgram(args)
 %endif
 
 %changelog
+* Wed Feb 23 2022 Andrew Hughes <gnu.andrew@redhat.com> - 1:17.0.2.0.8-7
+- Add JDK-8275535 patch to fix LDAP authentication issue.
+- Related: RHEL-45216
+
 * Mon Feb 21 2022 Andrew Hughes <gnu.andrew@redhat.com> - 1:17.0.2.0.8-6
 - Separate crypto policy initialisation from FIPS initialisation, now they are no longer interdependent
 - Related: RHEL-45216
diff --git a/jdk8275535-rh2053256-ldap_auth.patch b/jdk8275535-rh2053256-ldap_auth.patch
new file mode 100644
index 0000000..51bd6d2
--- /dev/null
+++ b/jdk8275535-rh2053256-ldap_auth.patch
@@ -0,0 +1,26 @@
+diff --git openjdk.orig/src/java.naming/share/classes/com/sun/jndi/ldap/LdapCtxFactory.java openjdk/src/java.naming/share/classes/com/sun/jndi/ldap/LdapCtxFactory.java
+index 70903206ea0..09956084cf9 100644
+--- openjdk.orig/src/java.naming/share/classes/com/sun/jndi/ldap/LdapCtxFactory.java
++++ openjdk/src/java.naming/share/classes/com/sun/jndi/ldap/LdapCtxFactory.java
+@@ -189,6 +189,10 @@ public final class LdapCtxFactory implements ObjectFactory, InitialContextFactor
+                     ctx = getLdapCtxFromUrl(
+                             r.getDomainName(), url, new LdapURL(u), env);
+                     return ctx;
++                } catch (AuthenticationException e) {
++                    // do not retry on a different endpoint to avoid blocking
++                    // the user if authentication credentials are wrong.
++                    throw e;
+                 } catch (NamingException e) {
+                     // try the next element
+                     lastException = e;
+@@ -241,6 +245,10 @@ public final class LdapCtxFactory implements ObjectFactory, InitialContextFactor
+         for (String u : urls) {
+             try {
+                 return getUsingURL(u, env);
++            } catch (AuthenticationException e) {
++                // do not retry on a different URL to avoid blocking
++                // the user if authentication credentials are wrong.
++                throw e;
+             } catch (NamingException e) {
+                 ex = e;
+             }