Check credentials against an LDAP server

Assume an application that can be configured to use an LDAP server - be it ActiveDirectory, or OpenLDAP etc. - for authenticating its users and retrieving some additional information about them for authorization purposes. The way the application binds to the LDAP server is also configurable - it can use a simple or a SASL bind, dependin开发者_如何学Pythong on what the LDAP server supports and the overall security requirements.

It's assumed that if a bind succeeds with whatever credentials the user provided, then it must mean that those credentials are valid. However, that's not always the case; it can happen that a simple bind succeeds even though an empty password was provided where a non-empty one was in fact expected. According to the RFC about LDAP authentication methods a simple bind with a non-empty username and an empty password is interpreted as an intention to establish an unauthenticated connection, with anonymous authorization. The server can be configured to fail such attempts with unwillingToPerform, but it can also allow them.

The question is: in such a scenario, where an application can be configured to use a variety of LDAP servers, and bind in a configurable way - simple or over SASL - is there a way to unequivocally check the credentials the user entered against that particular LDAP server, other than trying to bind with those credentials, given that a simple bind can lead to false positives?

Thank you and I look forward to your replies.

Surely all you have to do is disallow, or maybe even just remember, cases where the password was empty?

In PHP, at least, you just have to do this:

<?php
$ds = ldap_connect($ip_address);
if(@ldap_bind($ds, $username, $password) {
  // Login successful!
} else {
  // Login unsuccessful :(
}
?>

Your mileage may vary with other languages, but this has worked for me.