continuum-issues mailing list archives

From "Frederic (JIRA)" <>
Subject [jira] Created: (CONTINUUM-2543) LDAP integration and empty passwords
Date Fri, 02 Jul 2010 12:35:32 GMT
LDAP integration and empty passwords

                 Key: CONTINUUM-2543
             Project: Continuum
          Issue Type: Bug
          Components: Security, Web - Security
    Affects Versions: 1.3.6, 1.3.4 (Beta)
            Reporter: Frederic

Due to a bug in Redback (, there is a security
problem with continuum if integrated with LDAP. When the user exists in the LDAP and you give
an empty password you get access to continuum.
I've created a patch for the redback issue and applied this to our continuum instance, and
the problem was solved (see the redback issue for the patch). I've patched version 1.2.2 of
redback-authentication-ldap as that's the version we are currently using (continuum 1.3.4).
But I've checked if continuum 1.3.6 has the same bug and that's the case (however continuum
1.3.6 uses redback-authentication-ldap version 1.2.3).

I hope the redback developers will integrate the patch. If not, continuum should check for
empty password and fail before trying the LDAP authenticator.

This message is automatically generated by JIRA.