> Hence I would propose the following two patches:
>
> 1. Do not allow to set an empty bind password via AuthLDAPBindPassword
>    (no_empty_bind_password.diff).
> 2. In authn_ldap_check_password move the checks for NULL user / password up
>    (IMHO we cannot do anything sensible in case they are NULL) in addition
>    check if the password is empty and return an AUTH_DENIED if this is the
>    case. This would be similar to the behavior in case AuthLDAPBindDN /
>    AuthLDAPBindPassword is used (no_empty_password_check.diff).
>
> Opinions?

+1