Summary: Authentication failure results in PHP error message in addition to auth fail message.
Created: 2006-05-18 14:34
Status: Closed - fixed for 2.1.7
Category: Bug
Priority: 4
Version: 2.1.5
OS: Fedora Core 4/Apache 2.2.2/PHP 5.1.4

Description: An authentication failure where the username is correct, but the password is incorrect, where LDAP authentication is in use, results in an error message, with the following text, at the top of the page:

Warning: ldap_bind() [function.ldap-bind]: Unable to bind to server: Invalid credentials in <path>/scripts/authuser.php on line 126

Warning: Cannot modify header information - headers already sent by (output started at <path>/scripts/authuser.php:126) in <path>/pmwiki.php on line 858

This is a serious bug in part because of the information exposure that the username is valid.

Note that anonymous binds are permitted for this LDAP server, and that no DN/password has been specified for use by PmWiki in the configuration file.