Thanks for all your replies.
Conclusions So Far
==================

So can I now conclude that the three following statements are correct?

1) ldapsearch does not properly implement LDAP
2) Active Directory does not properly implement LDAP
3) I cannot use Net::LDAP to authenticate users with empty passwords

How To Test 1) And 2)
=====================

This can be tested using ldapsearch and Active Directory together:

    ldapsearch -h 'localhost' -x -w '' -D 'cn=Joe,ou=London,o=axomic' -s base -b 'cn=Joe,ou=London,o=axomic'

Active Directory by default denies anonymous or noauth logins, but the above command works, so:

1) ldapsearch is using simple authentication with DN and empty password
2) Active Directory is accepting simple authentication with DN and empty password

A Few Real-World Implications
=============================

It is unfortunate, but it looks like the following problem cannot be solved without messing with the internals of Net::LDAP (even if Net::LDAP is correctly following the LDAP spec!).

If you have an Active Directory server and some users have blank passwords, you cannot use Net::LDAP to authenticate them. This is unfortunate as I suspect there are quite a few AD installs out there, and password policies do vary :-)

A Rather Too Hopeful Request?
=============================

Is it possible for a workaround to be included in Net::LDAP? Or is this too ugly a proposition? I will carry on using the workaround I mentioned earlier, but I don't like having to do this kind of hack.

http://www.nntp.perl.org/group/perl.ldap/1888

Document With LDAP Implementation Recommendations
=================================================

http://www.ietf.org/internet-drafts/draft-ietf-ldapbis-authmeth-18.txt

I am surprised by the fuzziness of the following statements; to an outsider it looks like there is huge potential for a huge-world-of-interoperability-pain.

"Clients SHOULD disallow an empty password input to a Name/Password Authentication user interface. Additionally, Servers SHOULD by default fail Unauthenticated Bind requests with a resultCode of unwillingToPerform."

"Clients that use the results from a simple Bind operation to make authorization decisions should actively detect unauthenticated Bind requests (by verifying that the supplied password is not empty) and react appropriately."

"by verifying that the supplied password is not empty"
"react appropriately"

???!!!

Some other threads discussing this issue:

http://www.openldap.org/lists/openldap-software/200510/threads.html#00023
http://www.openldap.org/lists/openldap-software/200011/threads.html#00151
http://www.openldap.org/lists/openldap-software/200112/threads.html#00173

=========
OpenAsset - Image Management for Architects, Designers & Engineers
Axomic Ltd
http://www.axomic.com
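An added example (not the poster's workaround and not code from Net::LDAP itself) of the client-side check the draft asks for: a Perl login routine that refuses an empty password before ever issuing a simple bind, so a server that accepts unauthenticated binds, as the Active Directory test above shows, cannot be mistaken for a successful login. The host and DN are the ones from the post; reading the password from STDIN is an assumption for the demo.

```perl
use strict;
use warnings;
use Net::LDAP;
use Net::LDAP::Constant qw(LDAP_SUCCESS);

# Authenticate a user with a simple bind, but never send an empty password.
# An empty password turns the request into an unauthenticated bind, which
# the AD server in the post accepted, so the client must do the check the
# draft recommends ("verifying that the supplied password is not empty").
# Returns (1, reason) on success and (0, reason) on failure.
sub authenticate_user {
    my ($host, $dn, $password) = @_;

    # Client-side guard: refuse undefined, empty or whitespace-only passwords
    # before any network traffic happens.
    if (!defined $password || $password !~ /\S/) {
        return (0, 'empty password refused: would be an unauthenticated bind');
    }

    # Net::LDAP->new returns undef and sets $@ when the connection fails.
    my $ldap = Net::LDAP->new($host)
        or return (0, "connect to $host failed: $@");

    my $mesg = $ldap->bind($dn, password => $password);
    my $code = $mesg->code;
    my $err  = $mesg->error;
    $ldap->unbind;

    return $code == LDAP_SUCCESS
        ? (1, 'bind succeeded')
        : (0, "bind failed (code $code): $err");
}

# Demo (assumption): password is read from STDIN so it never appears in argv.
print "Password for cn=Joe: ";
my $password = <STDIN>;
chomp $password if defined $password;

my ($ok, $why) = authenticate_user('localhost',
                                   'cn=Joe,ou=London,o=axomic',
                                   $password);
print $ok ? "authenticated\n" : "rejected: $why\n";
```

With an empty password the routine returns the "empty password refused" reason without contacting the server, which is exactly the case the bare ldapsearch invocation above would have reported as a success.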