Summary: Authentication failure results in PHP error message in addition to auth fail message.
Created: 2006-05-18 14:34
Status: Closed - fixed for 2.1.7
OS: Fedora Core 4/Apache 2.2.2/PHP 5.1.4
Description: When LDAP authentication is in use, an authentication failure in which the username is correct but the password is incorrect results in an error message, with the following text, at the top of the page:
Warning: ldap_bind() [function.ldap-bind]: Unable to bind to server: Invalid credentials in <path>/scripts/authuser.php on line 126
Warning: Cannot modify header information - headers already sent by (output started at <path>/scripts/authuser.php:126) in <path>/pmwiki.php on line 858
This is a serious bug, in part because the error message exposes that the username is valid.
Note that anonymous binds are permitted for this LDAP server, and that no DN/password has been specified for use by PmWiki in the configuration file.
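Added example (not PmWiki's authuser.php code, and not a description of the 2.1.7 fix): a hypothetical helper, ldap_check_password(), that keeps ldap_bind() warnings out of the HTTP response and fails identically for an unknown user and a wrong password. It assumes a search-then-bind flow over an anonymous bind; the URI, base DN and uid attribute are assumptions.

```php
<?php
// Added example: hypothetical helper, not PmWiki's authuser.php code.
// $uri, $baseDn and the "uid" attribute are assumptions for illustration.
function ldap_check_password(string $uri, string $baseDn, string $user, string $password): bool
{
    // An empty password turns ldap_bind() into an anonymous bind, which
    // succeeds on servers that permit anonymous binds. Reject it up front.
    if ($user === '' || $password === '') {
        return false;
    }

    $ldap = @ldap_connect($uri);
    if ($ldap === false) {
        error_log('LDAP auth: invalid LDAP URI');
        return false;
    }
    ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, 3);

    $ok = false;
    // Anonymous bind to look up the user's DN. "@" keeps PHP warnings out of
    // the response body; details go to the server log only.
    if (@ldap_bind($ldap)) {
        $filter = '(uid=' . ldap_escape($user, '', LDAP_ESCAPE_FILTER) . ')';
        $result = @ldap_search($ldap, $baseDn, $filter, ['dn']);
        $entry  = $result ? @ldap_first_entry($ldap, $result) : false;
        if ($entry) {
            $dn = ldap_get_dn($ldap, $entry);
            // A wrong password fails here with "Invalid credentials".
            $ok = @ldap_bind($ldap, $dn, $password);
        }
    }
    if (!$ok) {
        // ldap_errno() is 0 when the user simply was not found.
        error_log('LDAP auth failed: errno ' . ldap_errno($ldap));
    }
    @ldap_unbind($ldap);

    // Unknown user and wrong password both return plain false, so the
    // caller can show one identical failure message for either case.
    return $ok;
}
```

Setting display_errors = Off in the production php.ini is the complementary server-side control, so that any warning not suppressed in code still stays out of the page.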