Summary: AuthUser ldap authentication allows empty passwords
Created: 2005-09-29 15:25
Status: Closed - fixed for 2.0.11
From: Paul Eden
OS: Red Hat Enterprise Linux ES release 3 (Taroon Update 5)/Apache 2.0.46/php-4.3.2
Description: I have noticed that in authenticating to an LDAP server with AuthUser, valid usernames will be accepted without specifying a password. The problem happens when an LDAP server allows anonymous binds. The problem is documented with workarounds here.
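
The failure mode described in this report, as an added example that is not part of the original report and is not the project's code: an in-memory model of an LDAP simple bind with the empty-password behaviour from RFC 4513, beside a login check that rejects empty passwords before binding. FakeDirectory, both authenticate functions and the sample entry are hypothetical names and constructed data.

```python
# Added illustration: models LDAP simple-bind outcomes in memory, no network.
# All names and the sample entry are constructed for this example.

class BindError(Exception):
    """Raised when the directory rejects a bind."""


class FakeDirectory:
    """Minimal stand-in for an LDAP server that may permit anonymous binds."""

    def __init__(self, entries, allow_anonymous=True):
        self.entries = entries              # DN -> password
        self.allow_anonymous = allow_anonymous

    def simple_bind(self, dn, password):
        # RFC 4513 section 5.1.2: a bind with an empty password is not a
        # credential check; a permissive server answers success as anonymous.
        if password == "":
            if self.allow_anonymous:
                return "anonymous"
            raise BindError("unwillingToPerform")
        if self.entries.get(dn) == password:
            return dn
        raise BindError("invalidCredentials")


def authenticate_vulnerable(directory, dn, password):
    """Treats any successful bind as proof of identity (the reported flaw)."""
    if dn not in directory.entries:         # username lookup step
        return False
    try:
        directory.simple_bind(dn, password)
        return True
    except BindError:
        return False


def authenticate_hardened(directory, dn, password):
    """Refuses empty credentials and checks who the bind authenticated as."""
    if not dn or not password:
        return False
    try:
        return directory.simple_bind(dn, password) == dn
    except BindError:
        return False


ALICE = "uid=alice,dc=example,dc=org"
DIRECTORY = FakeDirectory({ALICE: "correct horse"})
```

Constructing FakeDirectory with allow_anonymous=False models the server-side mitigation, which makes the empty-password bind fail even for the unguarded check.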