> Hence I would propose the following two patches:
> 1. Do not allow to set an empty bind password via AuthLDAPBindPassword 
> (no_empty_bind_password.diff).
> 2. In authn_ldap_check_password move the checks for NULL user / password up 
> (IMHO we cannot do anything sensible in case they
>    are NULL) in addition check if the password is empty and return an 
> AUTH_DENIED if this is the case. This would be similar to
>    the behavior in case AuthLDAPBindDN / AuthLDAPBindPassword is used 
> (no_empty_password_check.diff).
> Opinions?


Reply via email to