LDAP Authentication in PHP - Authenticated without giving a password

Tags: php, ldap

I'm getting strange behavior from my LDAP authentication. I need it to authenticate users with their AD credentials. This is what I have:

session_start();
$adServer = "MY IP";
// $this->msg only works inside a class; a plain variable is used here so the script runs on its own
$ldapconn = ldap_connect($adServer) or $msg = "Could not connect to LDAP server.";

$ldaprdn = "DOMAIN\\" . $_POST["username"];
$ldapbind = ldap_bind($ldapconn, $ldaprdn, $_POST["password"]);

if ($ldapbind) {
    //$msg = "Successfully Authenticated";
    $_SESSION['loggedin'] = 1;
    $_SESSION['username'] = $_POST["username"]; // was $username, which is never assigned
    header("Location: ../main.php");
} else {
    header("Location: ../index.php?login_failed=1");
}
exit; // stop the script after the redirect header

These are the different behaviors I get:

  • No username / No Password = authenticated (BAD)
  • Username / No Password = authenticated (BAD)
  • Incorrect Username/Password (both fields were given) = not authenticated
  • Correct Username/Password (both fields were given) = authenticated

I find this hard to muster: all users are being validated if the password field is not used. But if I do use the password field, it only authenticates users with the correct credentials.

Am I doing something wrong here or should I start nagging the IT people?

Jorg Ancrath asked Dec 12 '12 11:12

1 Answer

After doing some research, I reached a conclusion that the LDAP server we are using allows anonymous binds.

More info here: https://issues.jfrog.org/jira/browse/RTFACT-3378

WARNING: An attempt to bind with a blank password always succeeds because the LDAP protocol considers this to be an "anonymous" bind, even though a username is specified. Always check for a blank password before binding.

In order to get around this, I now check the password input field in PHP:

$user_pass = isset($_POST["password"]) ? $_POST["password"] : ''; // the field the check guards
if (strlen(trim($user_pass)) == 0) {
    // login failed: never hand an empty password to ldap_bind()
} else {
    $ldaprdn = "DOMAIN\\" . $_POST["username"];
    $ldapbind = ldap_bind($ldapconn, $ldaprdn, $user_pass);
}

An empty password input (or one containing only whitespace) will always return a login failure.

Jorg Ancrath answered Sep 23 '22 15:09
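As an added example (not the asker's code, nor anything from the directory the question is about), here is the same login written so that no bind is ever attempted with an empty or whitespace-only name or password, which is the "unauthenticated" simple bind of RFC 4513 section 5.1.2 that the answer runs into. The LDAP URI, the NetBIOS domain and the availability of StartTLS on the server are assumptions.

```php
<?php
declare(strict_types=1);
// Added example, not the original post's code. Host and domain are placeholders.
const LDAP_URI    = 'ldap://ldap.example.internal';
const LDAP_DOMAIN = 'EXAMPLE';

// True only if both fields can carry a real (non-anonymous) simple bind.
// A name with an empty password is an "unauthenticated" bind (RFC 4513 5.1.2),
// which AD accepts by default, so the check has to happen before ldap_bind().
function credentials_are_bindable(string $username, string $password): bool
{
    if (trim($username) === '' || trim($password) === '') {
        return false;
    }
    // Conservative: control characters and DN metacharacters never belong in a DOMAIN\user name.
    return preg_match('/[\x00-\x1f\\\\,+"<>;=\/]/', $username) !== 1;
}

function ldap_authenticate(string $username, string $password): bool
{
    if (!credentials_are_bindable($username, $password)) {
        return false;
    }
    $conn = ldap_connect(LDAP_URI);
    if ($conn === false) {
        return false;
    }
    ldap_set_option($conn, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($conn, LDAP_OPT_REFERRALS, 0);
    // Assumes the server offers StartTLS; without it the password crosses the wire in clear.
    if (!@ldap_start_tls($conn)) {
        ldap_unbind($conn);
        return false;
    }
    $ok = @ldap_bind($conn, LDAP_DOMAIN . '\\' . $username, $password);
    ldap_unbind($conn);
    return $ok === true;
}

session_start();
$user = (string)($_POST['username'] ?? '');
$pass = (string)($_POST['password'] ?? '');
if (ldap_authenticate($user, $pass)) {
    session_regenerate_id(true); // fresh session id after a successful login
    $_SESSION['loggedin'] = 1;
    $_SESSION['username'] = $user;
    header('Location: ../main.php');
} else {
    header('Location: ../index.php?login_failed=1');
}
exit;
```

credentials_are_bindable() is pure and can be unit-tested without a directory; the blank-password case from the question maps to its first branch.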