This repository has been archived by the owner on May 17, 2021. It is now read-only.

Security Hole? Allows anonymous bind if no password submitted by frontend #164

Open
lhardie opened this issue Sep 9, 2019 · 0 comments

Comments

@lhardie

lhardie commented Sep 9, 2019

I have discovered that if the frontend of the application does not send a password parameter at all, the code that checks for an empty password does not catch it, and the user is allowed to authenticate anonymously in the LDAP bind.

Is this intended behavior?

If it is not, the problem code is in Security/Authentication/LdapAuthenticationProvider.php:

```php
if ('' === $presentedPassword) {
```

The above line will not catch when there was no password parameter in the posted data from the frontend.

Therefore, the username provided will be sent with an empty password in the LDAP bind, and an anonymous authentication will occur.

This relates to this issue: #162 (comment)

I have opened a new issue as I was uncertain at the time that anything was wrong and was worried the issue would not get attention without a more appropriate title.
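The flow the issue describes, as an added example that is not code from the archived project: the original `'' === $presentedPassword` check beside a hardened one, run against a stand-in for the LDAP bind so the difference between an empty password and a missing one is visible without a directory server. The POST field names (`_username`, `_password`) and the DN template are assumptions.

```php
<?php
declare(strict_types=1);

// Added example, not code from the project on the page. Parameter names and
// the DN template are assumptions; the bind is a constructed stand-in.

/** The check quoted in the issue: only an empty string is rejected. */
function rejectsEmptyOnly(?string $presentedPassword): bool
{
    return '' === $presentedPassword;
}

/** Hardened check: a missing (null) or non-string value is rejected as well. */
function rejectsMissingOrEmpty($presentedPassword): bool
{
    return !is_string($presentedPassword) || '' === $presentedPassword;
}

/**
 * Stand-in for ldap_bind() (constructed; no real client). RFC 4513 section
 * 5.1.2 calls a simple bind that carries a name but no password an
 * "unauthenticated" bind; servers that allow it grant only anonymous access.
 * The returned label names the kind of bind the server would see.
 */
function describeSimpleBind(string $dn, string $password): string
{
    if ('' === $dn && '' === $password) {
        return 'anonymous';
    }
    if ('' === $password) {
        return 'unauthenticated (treated as anonymous)';
    }
    return 'authenticated';
}

/**
 * Mirrors the provider's flow: read the posted fields, run the password check,
 * then bind as the user's DN. A parameter absent from the POST body arrives as
 * null, which is the case the original check misses.
 */
function authenticate(array $postData, callable $passwordIsRejected): string
{
    $username = $postData['_username'] ?? '';
    $presentedPassword = $postData['_password'] ?? null;

    if ($passwordIsRejected($presentedPassword)) {
        return 'rejected before bind';
    }

    // ldap_bind() coerces a null password to '', which is how the empty-password
    // bind described in the issue reaches the server.
    $dn = sprintf('uid=%s,ou=people,dc=example,dc=com', $username);
    return describeSimpleBind($dn, (string) $presentedPassword);
}

// Constructed request bodies: empty password, missing password, real password.
$cases = [
    'empty password, original check'   => [['_username' => 'alice', '_password' => ''], 'rejectsEmptyOnly'],
    'missing password, original check' => [['_username' => 'alice'], 'rejectsEmptyOnly'],
    'missing password, hardened check' => [['_username' => 'alice'], 'rejectsMissingOrEmpty'],
    'real password, hardened check'    => [['_username' => 'alice', '_password' => 's3cret'], 'rejectsMissingOrEmpty'],
];

foreach ($cases as $label => [$postData, $check]) {
    printf("%-34s => %s\n", $label, authenticate($postData, $check));
}
```

With the original check, the "missing password" case passes straight through to a bind with an empty password, which is the unauthenticated bind the issue reports; with the hardened check it is rejected before any bind is attempted. The server-side mitigation is independent of the application fix: OpenLDAP refuses unauthenticated binds unless `bind_anon_dn` is explicitly allowed, while some other directories accept them by default, so a directory that honours such binds should be checked and locked down as well.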
