ldap usage

Michael Ströder michael at stroeder.com
Thu Mar 30 03:06:39 EST 2006


Jed Parsons wrote:
> 
> As an addendum, I discovered one little gotcha, namely that this:
> 
>     l.bind_s(username, password, ldap.AUTH_SIMPLE)
> 
> throws an ldap.INVALID_CREDENTIALS error if the password contains the
> wrong text, but works if the password is empty.  I guess this is
> tantamount to binding as ("", ""), but I wasn't expecting it; I figured
> if a username was specified, the password would have to agree.

Yes, this is by design. Empty cred means just switching to anon
bind. LDAP was not intended to be used for password checking at that time.

Which LDAP server are you using? You can switch off this behaviour with
OpenLDAP. See man 5 slapd.conf, allow <features>.

>  So my
> little authentication example also needs to test for empty passwords.

Yes!

Ciao, Michael.
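The empty-password check discussed in this thread, as an added example that is not part of the original messages or of python-ldap. `FakeDirectory`, `InvalidCredentials`, `naive_check` and `checked_bind` are hypothetical names; the fake connection is a constructed stand-in that reproduces the behaviour described above (an empty password binds anonymously) so the code runs without a server.

```python
class InvalidCredentials(Exception):
    """Stand-in for ldap.INVALID_CREDENTIALS so the example runs offline."""


class FakeDirectory:
    """Constructed stand-in for a python-ldap connection object.

    Mimics the behaviour described in the thread: a bind with an empty
    password succeeds as anonymous, whatever DN was supplied.
    """

    def __init__(self, users):
        self.users = users      # DN -> password (constructed sample data)
        self.bound_as = None    # identity the "server" actually granted

    def simple_bind_s(self, who="", cred=""):
        if cred == "":
            self.bound_as = ""  # anonymous: the supplied DN is ignored
            return
        if self.users.get(who) != cred:
            raise InvalidCredentials(who)
        self.bound_as = who


def naive_check(conn, dn, password):
    """Pattern from the thread: 'bind did not raise' is taken as a login."""
    try:
        conn.simple_bind_s(dn, password)
    except InvalidCredentials:
        return False
    return True


def checked_bind(conn, dn, password):
    """Refuse empty DN or password before the server is contacted at all."""
    if not dn or not password:
        return False
    try:
        # With python-ldap, catch ldap.INVALID_CREDENTIALS here instead.
        conn.simple_bind_s(dn, password)
    except InvalidCredentials:
        return False
    return True
```

The password is deliberately not stripped of whitespace: only a zero-length credential turns the request into an anonymous bind.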


