Full_Name: Johannes Geiger
Version: n/a
OS: Windows, Linux
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (62.245.172.60)
While the documentation of JLDAP states that only authenticated and anonymous bind are supported, JLDAP silently converts an unauthenticated bind to an anonymous one.
From LDAPConnection.java:

    boolean anonymous = false;
    if( passwd.length == 0) {
        anonymous = true;   // anonymous, passwd length zero with simple bind
        dn = "";            // set to null if anonymous
    }
(I even think there is a bug in this, as the flag "anonymous" stays false if a password is given but no DN.)
This is in fact a security issue: while an unauthenticated bind is usually forbidden by the server, an anonymous bind is allowed, so a client that uses bind for authentication purposes might be led to believe authentication succeeded, whereas the server only accepted an anonymous bind and did not verify any credentials.
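The downgrade described above, modelled as an added example (this is not JLDAP code and not part of the report). It classifies a simple bind by DN and password the way RFC 4513 section 5.1 does, reproduces the quoted LDAPConnection.java logic to show what actually reaches the server, BER-encodes the resulting BindRequest per RFC 4511 so the wire image can be compared, and adds a client-side guard that refuses any bind a login path could not safely treat as a credential check. All function, class and variable names, the example DN and the password value are assumptions of this example.

```python
"""Simple-bind downgrade: RFC 4513 classification vs. the quoted JLDAP logic.

Added example, not JLDAP code. Only the four-line snippet from
LDAPConnection.java (empty password => anonymous, DN blanked) is taken
from the report; everything else here is assumed for illustration.
"""
from enum import Enum


class BindKind(Enum):
    ANONYMOUS = "anonymous"              # empty DN and empty password
    UNAUTHENTICATED = "unauthenticated"  # non-empty DN, empty password
    AUTHENTICATED = "authenticated"      # non-empty password: server checks it


def classify_simple_bind(dn: str, passwd: bytes) -> BindKind:
    """Classify a simple bind request as RFC 4513 section 5.1 does."""
    if len(passwd) == 0:
        return BindKind.ANONYMOUS if dn == "" else BindKind.UNAUTHENTICATED
    return BindKind.AUTHENTICATED


def jldap_effective_bind(dn: str, passwd: bytes) -> tuple:
    """Reproduce the LDAPConnection.java logic quoted in the report.

    Returns (dn_sent, passwd_sent, anonymous_flag). A DN with an empty
    password is silently turned into an anonymous bind because the DN is
    blanked; an empty DN with a non-empty password leaves the flag False,
    which is the secondary point raised in the report.
    """
    anonymous = False
    if len(passwd) == 0:
        anonymous = True
        dn = ""
    return dn, passwd, anonymous


def _ber_len(n: int) -> bytes:
    """BER length octets (short form below 128, long form otherwise)."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag: int, value: bytes) -> bytes:
    return bytes([tag]) + _ber_len(len(value)) + value


def encode_simple_bind(message_id: int, dn: str, passwd: bytes) -> bytes:
    """BER-encode LDAPMessage { messageID, BindRequest { 3, name, simple } }.

    Tags per RFC 4511 section 4.2: BindRequest is [APPLICATION 0]
    constructed (0x60), the simple credential is [0] primitive (0x80).
    message_id is assumed to fit in one byte (1..127) to keep this short.
    """
    bind = _tlv(0x02, bytes([3])) + _tlv(0x04, dn.encode("utf-8")) + _tlv(0x80, passwd)
    return _tlv(0x30, _tlv(0x02, bytes([message_id])) + _tlv(0x60, bind))


def guarded_bind(dn: str, passwd: bytes) -> tuple:
    """Hypothetical client-side guard placed in front of the library bind.

    A caller that binds in order to authenticate a user must never let an
    empty password through: after the downgrade a blank password field
    produces a successful bind with no credential check at all.
    """
    kind = classify_simple_bind(dn, passwd)
    if kind is not BindKind.AUTHENTICATED:
        raise PermissionError(f"refusing {kind.value} bind for dn={dn!r}")
    return jldap_effective_bind(dn, passwd)


def bind_is_refused(dn: str, passwd: bytes) -> bool:
    """True if the guard rejects the bind instead of forwarding it."""
    try:
        guarded_bind(dn, passwd)
    except PermissionError:
        return True
    return False


if __name__ == "__main__":
    dn = "cn=alice,dc=example,dc=com"   # constructed example DN
    sent_dn, sent_pw, flag = jldap_effective_bind(dn, b"")
    print("requested:", classify_simple_bind(dn, b"").value)
    print("sent     :", classify_simple_bind(sent_dn, sent_pw).value, "flag", flag)
    print("on wire  :", encode_simple_bind(1, sent_dn, sent_pw).hex())
    print("guard    :", "refused" if bind_is_refused(dn, b"") else "forwarded")
```

Run stand-alone, the script shows that a bind requested as unauthenticated leaves the client as an anonymous one, and that the bytes on the wire are byte-for-byte the anonymous BindRequest, which is why the server's acceptance says nothing about the caller's credentials.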