continuum-issues mailing list archives

From "Maria Catherine Tan (JIRA)" <>
Subject [jira] Closed: (CONTINUUM-2543) LDAP integration and empty passwords
Date Sun, 17 Jul 2011 13:06:42 GMT


Maria Catherine Tan closed CONTINUUM-2543.

    Resolution: Fixed

REDBACK-248 is fixed in 1.3M1 which is what continuum trunk is using.

> LDAP integration and empty passwords
> ------------------------------------
>                 Key: CONTINUUM-2543
>                 URL:
>             Project: Continuum
>          Issue Type: Bug
>          Components: Security, Web - Security
>    Affects Versions: 1.3.4 (Beta), 1.3.6
>            Reporter: Frederic
>             Fix For: 1.4.1 (Beta)
> Due to a bug in Redback (, there is a security problem with continuum if integrated with LDAP. When the user exists in the LDAP and you give an empty password you get access to continuum.
> I've created a patch for the redback issue and applied this to our continuum instance, and the problem was solved (see the redback issue for the patch). I've patched version 1.2.2 of redback-authentication-ldap as that's the version we are currently using (continuum 1.3.4). But I've checked if continuum 1.3.6 has the same bug and that's the case (however continuum 1.3.6 uses redback-authentication-ldap version 1.2.3).
> I hope the redback developers will integrate the patch. If not, continuum should check for empty password and fail before trying the LDAP authenticator.

This message is automatically generated by JIRA.
For more information on JIRA, see:
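
The check the reporter proposes (fail on an empty password before the LDAP authenticator is called), shown as an added example that is not part of the original message and is not Redback's or Continuum's code. It assumes the directory treats a simple bind with a DN and a zero-length password as an unauthenticated bind that succeeds (RFC 4513, section 5.1.2), which the message does not state; the class, the method names and the directory entry are hypothetical and constructed.

```java
import java.util.Map;
import java.util.function.BiPredicate;

// Added illustration with hypothetical names; this is not the Redback API.
public class EmptyPasswordGuard {

    // Constructed directory contents: one user DN and its password.
    static final Map<String, String> DIRECTORY =
            Map.of("uid=alice,ou=people,dc=example,dc=org", "s3cret");

    // Stand-in for an LDAP simple bind so the example runs offline.
    // Assumption: the server accepts a DN with a zero-length password as an
    // "unauthenticated bind" and reports success without checking a credential.
    static final BiPredicate<String, String> SIMPLE_BIND = (dn, password) -> {
        if (!DIRECTORY.containsKey(dn)) {
            return false;                       // unknown user
        }
        if (password.isEmpty()) {
            return true;                        // unauthenticated bind succeeds
        }
        return DIRECTORY.get(dn).equals(password);
    };

    // Before: the bind result is taken directly as the login decision.
    static boolean authenticateUnguarded(String dn, String password) {
        return SIMPLE_BIND.test(dn, password == null ? "" : password);
    }

    // After: null or empty credentials are refused before any bind is attempted.
    static boolean authenticateGuarded(String dn, String password) {
        if (dn == null || dn.isEmpty() || password == null || password.isEmpty()) {
            return false;
        }
        return SIMPLE_BIND.test(dn, password);
    }

    public static void main(String[] args) {
        String dn = "uid=alice,ou=people,dc=example,dc=org";
        String[] attempts = {"s3cret", "wrong", "", null};
        for (String pw : attempts) {
            System.out.printf("password=%-8s unguarded=%-5b guarded=%b%n",
                    pw == null ? "null" : "\"" + pw + "\"",
                    authenticateUnguarded(dn, pw), authenticateGuarded(dn, pw));
        }
    }
}
```

The guard belongs in the application layer even when the directory is later configured to reject unauthenticated binds, since the application cannot assume how every LDAP server it is pointed at behaves.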

