On 26/05/20 at 14:31, Emmanuel Lécharny wrote:
Sorry, I read your mail a bit quickly. The unauthenticated bind is a security risk, and the RFC explicitly says that "Clients SHOULD disallow an empty password input to a Name/Password Authentication user interface". IMO, the trick you are using to get it working is more likely a bug than a 'feature'. Actually, in the LDAP API, we forbid the use of a name with no password: (...) although, reading the code, I can tell you that it's not true everywhere, so it's definitely a bug.
Bottom line: you should never be allowed to send an unauthenticated bind to a server...
OK, thanks for your checks and answers!

Cheers,
Baptiste

--
Baptiste Grenier | Senior Service Delivery Officer | [email protected]
EGI Foundation (Amsterdam, The Netherlands)
Phone: +31 (0) 627 860 852 | Keybase: gwarf | Skype: baptiste.grenier.egi
EGI: Advanced Computing for Research
The EGI Foundation is ISO 9001:2015 and ISO/IEC 20000-1:2011 certified
