ldap authentication with blank password

When using LDAP authentication, providing a blank password is treated as a successful login. The cause is that the back-end LDAP server treats a bind with an empty/blank password as an anonymous bind, and I suspect the LDAP code in artifactory simply looks for a successful bind. This probably only happens with certain LDAP server implementations, but SunONE LDAP (which we use at my site) does this.

Supporting quote from http://www.ucalgary.ca/it/directories/identity/ldap

WARNING: An attempt to bind with a blank password always succeeds because the LDAP protocol considers this to be an "anonymous" bind, even though a username is specified. Always check for a blank password before binding.

This occurs both at the login screen and on the "Test LDAP Connection" page:

• Test Username correct, Test password correct: "Successful connection"
• Test Username correct, Test password wrong: "Authentication failed"
• Test Username correct, password empty: "Successful connection" (bad!)
• Test Username correct, password spaces only: "Successful connection" (bad!)
• Test Username does not exist, Test password exists: "Authentication failed"
• Test Username does not exist, Test password spaces only: "No such object" (bad, kind of)

Obviously this is a bad situation because you can log in as anyone by providing a blank password on the login screen.

I think this will only happen when using the "User DN Pattern", because using a "Manager DN" will first bind as the manager and then check the password. However I can't verify this at the moment because I don't have access to such a DN at my site.

Suggested fix is to not make LDAP bind attempts with empty passwords, or passwords containing only spaces, and treat them as failed authentication attempts. Not sure if there is a legitimate requirement for logins with blank passwords, but if so maybe make it an option which is off by default.