[
https://jira.codehaus.org/browse/CONTINUUM-2543?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Maria Catherine Tan closed CONTINUUM-2543.
------------------------------------------
Resolution: Fixed
REDBACK-248 is fixed in 1.3M1 which is what continuum trunk is using.
> LDAP integration and empty passwords
> ------------------------------------
>
> Key: CONTINUUM-2543
> URL: https://jira.codehaus.org/browse/CONTINUUM-2543
> Project: Continuum
> Issue Type: Bug
> Components: Security, Web - Security
> Affects Versions: 1.3.4 (Beta), 1.3.6
> Reporter: Frederic
> Fix For: 1.4.1 (Beta)
>
>
> Due to a bug in Redback (http://jira.codehaus.org/browse/REDBACK-248), there
> is a security problem with continuum if integrated with LDAP. When the user
> exists in the LDAP and you give an empty password you get access to continuum.
> I've created a patch for the redback issue and applied this to our continuum
> instance, and the problem was solved (see the redback issue for the patch.
> I've patched version 1.2.2 of redback-authentication-ldap as that's the
> version we are currently using (continuum 1.3.4). But I've checked if
> continuum 1.3.6 has the same bug and that's the case (however continuum 1.3.6
> uses redback-authentication-ldap version 1.2.3).
> I hope the redback developers will integrate the patch. If not, continuum
> should check for empty password and fail before trying the LDAP authenticator.
--
This message is automatically generated by JIRA.
For more information on JIRA, see: http://www.atlassian.com/software/jira
