On 1/15/21 10:04 PM, Eric Covener wrote:
>> Hence I would propose the following two patches:
>>
>> 1. Do not allow to set an empty bind password via AuthLDAPBindPassword (no_empty_bind_password.diff).
>> 2. In authn_ldap_check_password move the checks for NULL user / password up (IMHO we cannot do anything sensible in case they are NULL) in addition check if the password is empty and return an AUTH_DENIED if this is the case. This would be similar to the behavior in case AuthLDAPBindDN / AuthLDAPBindPassword is used (no_empty_password_check.diff).
>>
>> Opinions?
> 
> +1
> 

r1885939, r1885940, r1885941

Regards

Rüdiger
