LDAP integration and empty passwords
------------------------------------
Key: CONTINUUM-2543
URL: http://jira.codehaus.org/browse/CONTINUUM-2543
Project: Continuum
Issue Type: Bug
Components: Security, Web - Security
Affects Versions: 1.3.6, 1.3.4 (Beta)
Reporter: Frederic
Due to a bug in Redback (http://jira.codehaus.org/browse/REDBACK-248), there is
a security problem with continuum if integrated with LDAP. When the user exists
in the LDAP and you give an empty password you get access to continuum.
I've created a patch for the redback issue and applied this to our continuum
instance, and the problem was solved (see the redback issue for the patch. I've
patched version 1.2.2 of redback-authentication-ldap as that's the version we
are currently using (continuum 1.3.4). But I've checked if continuum 1.3.6 has
the same bug and that's the case (however continuum 1.3.6 uses
redback-authentication-ldap version 1.2.3).
I hope the redback developers will integrate the patch. If not, continuum
should check for empty password and fail before trying the LDAP authenticator.
--
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators:
http://jira.codehaus.org/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira
