Assume an application that can be configured to use an LDAP server - be it Active Directory, OpenLDAP, etc. - for authenticating its users and retrieving some additional information about them for authorization purposes. The way the application binds to the LDAP server is also configurable: it can use a simple or a SASL bind, depending on what the LDAP server supports and the overall security requirements.
It is assumed that if a bind succeeds with whatever credentials the user provided, then those credentials must be valid. However, that is not always the case: it can happen that a simple bind succeeds even though an empty password was provided where a non-empty one was in fact expected. According to the RFC on LDAP authentication methods, a simple bind with a non-empty username and an empty password is interpreted as an intention to establish an unauthenticated connection, with anonymous authorization. The server can be configured to fail such attempts with unwillingToPerform, but it can also allow them.
The question is: in such a scenario, where an application can be configured to use a variety of LDAP servers, and bind in a configurable way - simple or over SASL - is there a way to unequivocally check the credentials the user entered against that particular LDAP server, other than trying to bind with those credentials, given that a simple bind can lead to false positives?
Thank you and I look forward to your replies.
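The failure mode described in the question, modelled in code as an added example (this is not code from the original post and uses no real LDAP library). The FakeLdapServer class, its allow_unauthenticated flag and the directory contents are constructed stand-ins for a real server; what they model are the three simple-bind forms of RFC 4513 section 5.1 (anonymous, unauthenticated, name/password) and the RFC 4532 "Who am I?" extended operation. naive_login is the flawed check that treats any successful bind as proof of the password; hardened_login refuses to send an empty password at all and, after a successful bind, confirms that the resulting authorization identity is the expected user rather than anonymous.

```python
from dataclasses import dataclass


@dataclass
class BindResult:
    success: bool
    authz_id: str          # "" means anonymous authorization
    diagnostic: str = ""   # e.g. "unwillingToPerform", "invalidCredentials"


@dataclass
class FakeLdapServer:
    """Constructed model of a server's simple-bind handling (RFC 4513 5.1).

    allow_unauthenticated mirrors the policy switch a real server exposes:
    whether "name + empty password" is accepted or rejected with
    unwillingToPerform.  No real network or ASN.1 is involved.
    """
    directory: dict                 # constructed: dn -> password
    allow_unauthenticated: bool = False

    def simple_bind(self, name: str, password: str) -> BindResult:
        if name == "" and password == "":
            # 5.1.1 anonymous bind: succeeds, authorization is anonymous
            return BindResult(True, "")
        if name != "" and password == "":
            # 5.1.2 unauthenticated bind: the password is NOT checked at all;
            # the server either rejects it or grants anonymous authorization
            if self.allow_unauthenticated:
                return BindResult(True, "")
            return BindResult(False, "", "unwillingToPerform")
        # 5.1.3 name/password bind: the only form that verifies a password
        if self.directory.get(name) == password:
            return BindResult(True, "dn:" + name)
        return BindResult(False, "", "invalidCredentials")

    def whoami(self, bound_as: BindResult) -> str:
        # RFC 4532 "Who am I?": returns the authorization identity of the
        # bound session, an empty string for an anonymous session.
        return bound_as.authz_id


def naive_login(server: FakeLdapServer, user_dn: str, password: str) -> bool:
    """The flawed check: a successful bind is taken as a verified password."""
    return server.simple_bind(user_dn, password).success


def hardened_login(server: FakeLdapServer, user_dn: str, password: str) -> bool:
    """Two controls: never send an empty password, and verify who the server
    thinks we are after the bind instead of trusting the result code alone."""
    if not user_dn or not password:
        return False                      # would be an unauthenticated bind
    result = server.simple_bind(user_dn, password)
    if not result.success:
        return False
    # Even a "successful" bind must have produced a non-anonymous session
    # for exactly the user we asked to authenticate.
    return server.whoami(result) == "dn:" + user_dn


# Constructed sample data: one user, two servers with opposite policies.
ALICE = "uid=alice,ou=people,dc=example,dc=com"
DIRECTORY = {ALICE: "correct horse battery staple"}
PERMISSIVE_SERVER = FakeLdapServer(DIRECTORY, allow_unauthenticated=True)
STRICT_SERVER = FakeLdapServer(DIRECTORY, allow_unauthenticated=False)


def demo() -> dict:
    """Outcome of each login function against each server with an empty password."""
    return {
        "naive_permissive_empty": naive_login(PERMISSIVE_SERVER, ALICE, ""),
        "naive_strict_empty": naive_login(STRICT_SERVER, ALICE, ""),
        "hardened_permissive_empty": hardened_login(PERMISSIVE_SERVER, ALICE, ""),
        "hardened_permissive_good": hardened_login(PERMISSIVE_SERVER, ALICE, DIRECTORY[ALICE]),
        "hardened_permissive_bad": hardened_login(PERMISSIVE_SERVER, ALICE, "wrong"),
    }


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case}: {'login OK' if outcome else 'login refused'}")
```

The empty-password pre-check is the primary control, because it keeps the application from ever issuing the bind form that the RFC defines as carrying no password verification. The post-bind "Who am I?" comparison is the belt-and-braces check: it also catches any other case in which a bind returns success but the server granted anonymous or a different authorization identity, which is the only kind of evidence the server itself can give about which identity the bind actually established. The same two checks apply unchanged to a SASL bind, where the authorization identity returned by "Who am I?" is the thing to compare.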