Continuum
  1. Continuum
  2. CONTINUUM-2543

LDAP integration and empty passwords

    Details

    • Type: Bug Bug
    • Status: Closed Closed
    • Priority: Major Major
    • Resolution: Fixed
    • Affects Version/s: 1.3.4 (Beta), 1.3.6
    • Fix Version/s: 1.4.1
    • Component/s: Security, Web - Security
    • Labels:
      None
    • Complexity:
      Intermediate
    • Number of attachments :
      0

      Description

      Due to a bug in Redback (http://jira.codehaus.org/browse/REDBACK-248), there is a security problem with continuum if integrated with LDAP. When the user exists in the LDAP and you give an empty password you get access to continuum.
      I've created a patch for the redback issue and applied this to our continuum instance, and the problem was solved (see the redback issue for the patch. I've patched version 1.2.2 of redback-authentication-ldap as that's the version we are currently using (continuum 1.3.4). But I've checked if continuum 1.3.6 has the same bug and that's the case (however continuum 1.3.6 uses redback-authentication-ldap version 1.2.3).

      I hope the redback developers will integrate the patch. If not, continuum should check for empty password and fail before trying the LDAP authenticator.

        Issue Links

          Activity

          Hide
          Inaki added a comment -

          Tested version 1.3.7 with redback 1.2.6 and this is still happening!!!

          Show
          Inaki added a comment - Tested version 1.3.7 with redback 1.2.6 and this is still happening!!!
          Hide
          Maria Catherine Tan added a comment -

          REDBACK-248 is fixed in 1.3M1 which is what continuum trunk is using.

          Show
          Maria Catherine Tan added a comment - REDBACK-248 is fixed in 1.3M1 which is what continuum trunk is using.

            People

            • Assignee:
              Unassigned
              Reporter:
              Frederic
            • Votes:
              1 Vote for this issue
              Watchers:
              1 Start watching this issue

              Dates

              • Created:
                Updated:
                Resolved: