continuum-issues mailing list archives

From "Inaki (JIRA)" <>
Subject [jira] Commented: (CONTINUUM-2543) LDAP integration and empty passwords
Date Mon, 30 May 2011 11:49:22 GMT


Inaki commented on CONTINUUM-2543:

Tested version 1.3.7 with redback 1.2.6 and this is still happening!!!

> LDAP integration and empty passwords
> ------------------------------------
>                 Key: CONTINUUM-2543
>                 URL:
>             Project: Continuum
>          Issue Type: Bug
>          Components: Security, Web - Security
>    Affects Versions: 1.3.4 (Beta), 1.3.6
>            Reporter: Frederic
>             Fix For: 1.4.1 (Beta)
> Due to a bug in Redback (, there is a security problem with continuum if integrated with LDAP. When the user exists in the LDAP and you give an empty password you get access to continuum.
> I've created a patch for the redback issue and applied this to our continuum instance, and the problem was solved (see the redback issue for the patch). I've patched version 1.2.2 of redback-authentication-ldap as that's the version we are currently using (continuum 1.3.4). But I've checked if continuum 1.3.6 has the same bug and that's the case (however continuum 1.3.6 uses redback-authentication-ldap version 1.2.3).
> I hope the redback developers will integrate the patch. If not, continuum should check for empty password and fail before trying the LDAP authenticator.

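The check the reporter asks for at the end of the issue description, rejecting an empty password before the LDAP authenticator is tried, sketched as an added example; it is not code from Redback, Continuum or the attached patch. `LdapBind`, `PermissiveDirectory` and `GuardedAuthenticator` are hypothetical names, and the in-memory directory assumes a server that accepts a simple bind with a zero-length password (the "unauthenticated bind" of RFC 4513 section 5.1.2), which the message itself does not name as the cause.

```java
import java.util.Map;

public class EmptyPasswordGuard {
    /** Hypothetical stand-in for the bind step of an LDAP authenticator. */
    interface LdapBind {
        boolean bind(String userDn, String password);
    }

    /**
     * Constructed in-memory directory (an assumption, not Redback code). It
     * accepts a simple bind with a DN and a zero-length password, the
     * "unauthenticated bind" of RFC 4513 section 5.1.2, without checking anything.
     */
    static final class PermissiveDirectory implements LdapBind {
        private final Map<String, String> entries =
                Map.of("uid=alice,ou=people,dc=example,dc=org", "correct horse");

        @Override
        public boolean bind(String userDn, String password) {
            if (password.isEmpty()) {
                return true; // bind "succeeds" although no credential was verified
            }
            return password.equals(entries.get(userDn));
        }
    }

    /** Hypothetical wrapper: fail before the directory is ever contacted. */
    static final class GuardedAuthenticator implements LdapBind {
        private final LdapBind delegate;

        GuardedAuthenticator(LdapBind delegate) { this.delegate = delegate; }

        @Override
        public boolean bind(String userDn, String password) {
            if (userDn == null || userDn.isEmpty() || password == null || password.isEmpty()) {
                return false; // empty credentials never reach the LDAP bind
            }
            return delegate.bind(userDn, password);
        }
    }

    public static void main(String[] args) {
        String dn = "uid=alice,ou=people,dc=example,dc=org"; // constructed sample DN
        LdapBind raw = new PermissiveDirectory();
        LdapBind guarded = new GuardedAuthenticator(raw);
        System.out.println("raw, empty password: " + raw.bind(dn, ""));
        System.out.println("guarded, empty password: " + guarded.bind(dn, ""));
        System.out.println("guarded, correct password: " + guarded.bind(dn, "correct horse"));
        System.out.println("guarded, wrong password: " + guarded.bind(dn, "guess"));
    }
}
```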