According to the LDAP specification, you will achieve an anonymous bind
by binding with EITHER an empty DN or an empty password.
As an example, a bind with DN cn=admin,o=world and an empty password
should be treated as an anonymous bind.

This is fine for the LDAP server itself, but it is problematic if you
have LDAP clients that try to authenticate users and allow an empty
password. The LDAP client will in this case receive a successful bind
from the LDAP server.
Yes, it is an anonymous bind, but the LDAP client would interpret this
as the user having been authenticated OK and give the user whatever
access she is entitled to within the LDAP client (which could be a web
application or whatever).

Because of this, most (but not all) LDAP clients prevent empty passwords
when authenticating users.
I personally know of several LDAP clients that allow empty passwords,
and we have a couple of them in use in my organization.

I thus want to disable Unauthenticated Authentication (DN set, but
password empty, resulting in anonymous bind), while keeping regular
Anonymous Authentication (empty DN).

The method described in the support article below disables both
Unauthenticated Authentication (the one I want to disable) and
Anonymous Authentication (which I want to keep).

According to RFC-4513 (LDAP Authentication Methods...) "Servers SHOULD
by default fail Unauthenticated Bind requests with a resultCode of

I find no way of configuring this behavior in eDirectory.

Does anyone have any good advice?

oyvindhal's Profile:
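The failure mode described in this post, as an added example that is not part of the original post and not eDirectory's or any real LDAP library's code: a small model of the simple-bind semantics the post describes (empty DN or empty password yields a successful anonymous bind), a naive client that mistakes that success for user authentication, a hardened client that refuses empty credentials and checks the resulting authorization identity, and a server-side switch that fails unauthenticated binds with unwillingToPerform while leaving the fully anonymous bind (empty DN and empty password) untouched. The class and function names, the result-code values and the password table are constructed for this example.

```python
"""Model of LDAP simple-bind handling of empty DN / empty password.

Constructed example: it imitates the behaviour described in the post so
the client-side mistake can be seen offline. It is not a real LDAP
server or client.
"""
import hmac
from dataclasses import dataclass
from enum import Enum


class ResultCode(Enum):
    # Values as defined for LDAP resultCode in RFC 4511.
    SUCCESS = 0
    INVALID_CREDENTIALS = 49
    UNWILLING_TO_PERFORM = 53


@dataclass
class BindResult:
    code: ResultCode
    authz_identity: str  # "" means the session is anonymous


class ModelLdapServer:
    """Simulated server. `reject_unauthenticated` models the RFC 4513
    'Servers SHOULD by default fail Unauthenticated Bind requests'
    recommendation; anonymous binds (empty DN) remain allowed."""

    def __init__(self, passwords, reject_unauthenticated=False):
        self._passwords = passwords  # dn -> password (constructed data)
        self._reject_unauthenticated = reject_unauthenticated

    def simple_bind(self, dn, password):
        if dn == "":
            # Anonymous bind: empty DN, treated as anonymous regardless.
            return BindResult(ResultCode.SUCCESS, "")
        if password == "":
            # Unauthenticated bind: DN set, password empty.
            if self._reject_unauthenticated:
                return BindResult(ResultCode.UNWILLING_TO_PERFORM, "")
            # Default behaviour the post complains about: bind succeeds,
            # but the session is anonymous.
            return BindResult(ResultCode.SUCCESS, "")
        stored = self._passwords.get(dn)
        if stored is not None and hmac.compare_digest(stored, password):
            return BindResult(ResultCode.SUCCESS, dn)
        return BindResult(ResultCode.INVALID_CREDENTIALS, "")


def naive_login(server, dn, password):
    """Vulnerable client logic: any bind SUCCESS is taken as
    'user authenticated', so an empty password logs the user in."""
    return server.simple_bind(dn, password).code == ResultCode.SUCCESS


def hardened_login(server, dn, password):
    """Client-side mitigation: refuse empty credentials before binding,
    and require that the server actually bound as the requested DN
    rather than anonymously."""
    if not dn or not password:
        return False
    result = server.simple_bind(dn, password)
    return result.code == ResultCode.SUCCESS and result.authz_identity == dn


# Constructed directory data for the demonstration.
DIRECTORY = {"cn=admin,o=world": "correct horse battery staple"}

if __name__ == "__main__":
    default_server = ModelLdapServer(DIRECTORY)
    print("naive, empty password   :", naive_login(default_server, "cn=admin,o=world", ""))
    print("hardened, empty password:", hardened_login(default_server, "cn=admin,o=world", ""))
    strict_server = ModelLdapServer(DIRECTORY, reject_unauthenticated=True)
    print("naive vs strict server  :", naive_login(strict_server, "cn=admin,o=world", ""))
    print("anonymous bind on strict:", strict_server.simple_bind("", "").code)
```

The two fixes are independent: the hardened client is what you can deploy today in the applications you control, while the server-side switch protects the clients you cannot change without breaking the anonymous (empty DN) binds the post wants to keep.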