LDAP integration and empty passwords

Details

Type: Bug
Status: Closed
Priority: Major
Resolution: Fixed
Affects Version/s: 1.3.4 (Beta), 1.3.6
Fix Version/s: 1.4.1
Component/s: Security, Web - Security
Labels:
None

Complexity:
Intermediate
Number of attachments :
0

Description

Due to a bug in Redback (http://jira.codehaus.org/browse/REDBACK-248), there is a security problem with continuum if integrated with LDAP. When the user exists in the LDAP and you give an empty password you get access to continuum.
I've created a patch for the redback issue and applied this to our continuum instance, and the problem was solved (see the redback issue for the patch. I've patched version 1.2.2 of redback-authentication-ldap as that's the version we are currently using (continuum 1.3.4). But I've checked if continuum 1.3.6 has the same bug and that's the case (however continuum 1.3.6 uses redback-authentication-ldap version 1.2.3).

I hope the redback developers will integrate the patch. If not, continuum should check for empty password and fail before trying the LDAP authenticator.

Issue Links

depends upon

REDBACK-248 Empty password succeeds for LDAP servers accepting anonymous binds

Activity

Ascending order - Click to sort in descending order

Hide

Permalink

Inaki added a comment - 30/May/11 6:48 AM

Tested version 1.3.7 with redback 1.2.6 and this is still happening!!!

Show

Inaki added a comment - 30/May/11 6:48 AM Tested version 1.3.7 with redback 1.2.6 and this is still happening!!!

Hide

Permalink

Maria Catherine Tan added a comment - 17/Jul/11 8:05 AM

~~REDBACK-248~~ is fixed in 1.3M1 which is what continuum trunk is using.

Show

Maria Catherine Tan added a comment - 17/Jul/11 8:05 AM REDBACK-248 is fixed in 1.3M1 which is what continuum trunk is using.

People

Assignee:

Unassigned

Reporter:

Frederic

Vote (1)

Watch (1)

Dates

Created:

02/Jul/10 7:35 AM

Updated:

17/Jul/11 8:05 AM

Resolved:

17/Jul/11 8:05 AM