From ac9d7969340b8cbffdd9c591dd583d5b7668a6eb Mon Sep 17 00:00:00 2001
From: Hans Zandbelt <hans.zandbelt@surfnet.nl>
Date: Tue, 2 Dec 2008 09:27:05 +0000
Subject: [PATCH] do not bind to LDAP with an empty password; avoid an issue
 with some LDAP implementations that consider an empty password a valid
 anonymous authentication attempt (thanks to: menno.pieters@igi.nl)

git-svn-id: https://simplesamlphp.googlecode.com/svn/trunk@1038 44740490-163a-0410-bde0-09ae8108e29a
---
 www/auth/login-ldapmulti.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/www/auth/login-ldapmulti.php b/www/auth/login-ldapmulti.php
index 147152d2f..f5a35845a 100644
--- a/www/auth/login-ldapmulti.php
+++ b/www/auth/login-ldapmulti.php
@@ -45,7 +45,7 @@ if (isset($_POST['username'])) {
 	
 		$ldap = new SimpleSAML_Auth_LDAP($ldapconfig['hostname'], $ldapconfig['enable_tls']);
 		
-		if (!$ldap->bind($dn, $pwd)) {
+		if (($pwd == "") or (!$ldap->bind($dn, $pwd))) {
 			SimpleSAML_Logger::info('AUTH - ldap-multi: '. $_POST['username'] . ' failed to authenticate. DN=' . $dn);
 			throw new Exception('Wrong username or password');
 		}
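Review bot: The empty-password guard on the changed `if` line exists only in this login page, so any other caller of `SimpleSAML_Auth_LDAP::bind()` (not visible here) would presumably still send an empty password and have the server's unauthenticated bind treated as a successful login; rejecting it inside `bind()` itself would fail closed for every caller. On this line the loose `$pwd == ""` depends on type juggling. An explicit `if (!is_string($pwd) || $pwd === '' || !$ldap->bind($dn, $pwd)) {` would also refuse a non-string value such as an array-valued POST field, assuming `$pwd` comes straight from the request, which is assigned outside the hunk. A short comment such as `// An empty password makes a simple bind unauthenticated/anonymous on some servers, so never pass it on` would keep the check from being removed as redundant later. The enclosing `if (isset($_POST['username']))` block starts and ends outside the hunk.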
-- 
GitLab