Maciej Skolecki (Migrated from SEC-1117) said:
Currently LdapAuthenticationProvider checks for an empty password in its authenticate() method (lines 225 onward). This does not allow using NtlmAwareLdapAuthenticator as a delegate for authentication because a null password will always be rejected – as is the case when using NTLM authentication – and NtlmAwareLdapAuthenticator never gets called.
The forum thread mentioned above confirms the same problem encountered by another user (see item 2 in the top post).
A similar problem also exists with id: SEC-1014.
Luke Taylor said:
I’ve moved the check for the empty password into BindAuthenticator.authenticate(). The check is required because some directories treat an empty password as an anonymous bind, and the risk is that a user could authenticate as any valid username to such a directory just by entering an empty password. However, it should only be pertinent to bind authentication.
This change should allow the overridden authenticate method in NtlmAwareLdapAuthenticator to succeed, even with an empty password.
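The following is an added example, not Spring Security's own code, that models the behaviour discussed in this issue: a directory that treats an empty password as an anonymous bind, a bind-style authenticator with and without the empty-password guard, and an NTLM-style delegate that never binds with the user's password. The class and function names (`AnonymousBindDirectory`, `bind_authenticate`, `ntlm_authenticate`, `provider_authenticate`), the base DN and the sample users are constructed for the example.

```python
# Added example (not Spring Security's code): a small model of LDAP bind
# authentication showing why the empty-password guard belongs in the bind
# authenticator rather than in the provider that delegates to it.

BASE_DN = "ou=people,dc=example,dc=com"   # constructed sample base DN


class BadCredentialsException(Exception):
    """Stands in for Spring Security's BadCredentialsException."""


class AnonymousBindDirectory:
    """Constructed stand-in for a directory server that treats a bind with
    an empty password as an anonymous bind: the bind 'succeeds', but the
    caller has not been authenticated as the DN it supplied."""

    def __init__(self, passwords):
        self._passwords = dict(passwords)  # dn -> password (sample data)

    def bind(self, dn, password):
        if password == "":
            return "anonymous"          # no credentials were checked at all
        if self._passwords.get(dn) == password:
            return dn
        raise BadCredentialsException(f"invalid credentials for {dn}")


def user_dn(username):
    return f"uid={username},{BASE_DN}"


def bind_authenticate(directory, username, password, reject_empty=True):
    """Bind authentication: prove identity by binding as the user with the
    supplied password. reject_empty=True is the guard described in the issue
    (now inside the bind authenticator); reject_empty=False shows the
    behaviour without it."""
    if reject_empty and not password:
        raise BadCredentialsException("empty password rejected before bind")
    dn = user_dn(username)
    # A directory that maps an empty password to an anonymous bind does not
    # raise here, so without the guard any existing username 'authenticates'.
    directory.bind(dn, password)
    return dn


def ntlm_authenticate(verified_principals, username, password):
    """Delegate modelled on the role of NtlmAwareLdapAuthenticator: the user
    was already verified out of band (NTLM handshake), so it never binds with
    the password, and an empty or null password is expected."""
    if username not in verified_principals:
        raise BadCredentialsException(f"no NTLM session for {username}")
    return user_dn(username)


def provider_authenticate(authenticator, username, password):
    """Provider after the fix: no empty-password check of its own; it only
    delegates to whichever authenticator is configured."""
    return authenticator(username, password)


def demo():
    directory = AnonymousBindDirectory({user_dn("alice"): "s3cret"})
    results = {}

    # 1. Without the guard, a valid username plus an empty password is
    #    'authenticated' because the anonymous bind did not fail.
    results["unguarded_empty"] = provider_authenticate(
        lambda u, p: bind_authenticate(directory, u, p, reject_empty=False),
        "alice", "")

    # 2. With the guard in the bind authenticator the same attempt is rejected.
    try:
        provider_authenticate(
            lambda u, p: bind_authenticate(directory, u, p), "alice", "")
        results["guarded_empty"] = "accepted"
    except BadCredentialsException:
        results["guarded_empty"] = "rejected"

    # 3. The real password still binds normally through the guarded path.
    results["guarded_valid"] = provider_authenticate(
        lambda u, p: bind_authenticate(directory, u, p), "alice", "s3cret")

    # 4. The NTLM-aware delegate is no longer blocked by the provider: the
    #    empty password reaches it and the already-verified user succeeds.
    results["ntlm_empty"] = provider_authenticate(
        lambda u, p: ntlm_authenticate({"bob"}, u, p), "bob", "")
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The point of keeping the guard in `bind_authenticate` only is visible in cases 2 and 4: the bind path rejects the empty password before it ever reaches the directory, while a delegate that does not bind with the user's password is free to accept it.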