# HG changeset patch
# User Alexandre Fayolle
# Date 1277541768 0
# Node ID e654c13b57b83f4d958a58f320ccf0826e7f3ffa
# Parent 4125a8021956089fd1421f77be39e0c5c72c0608
do not allow password-less bind: windows accepts this as Anonymous Logon
diff -r 4125a8021956 -r e654c13b57b8 server/sources/ldapuser.py
--- a/server/sources/ldapuser.py Fri Jun 25 11:29:48 2010 +0200
+++ b/server/sources/ldapuser.py Sat Jun 26 08:42:48 2010 +0000
@@ -293,7 +293,13 @@
 raise AuthenticationError()
 # check password by establishing a (unused) connection
 try:
- self._connect(user, password)
+ if password:
+ self._connect(user, password)
+ else:
+ # On Windows + ADAM this would have succeeded (!!!)
+ # You get Authenticated as: 'NT AUTHORITY\ANONYMOUS LOGON'.
+ # we really really don't want that
+ raise Exception('No password provided')
 except Exception, ex:
 self.info('while trying to authenticate %s: %s', user, ex)
 # Something went wrong, most likely bad credentials
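Review bot: The empty-password guard added inside the `try` protects only this one call site; `self._connect` is not visible in the hunk, but if it simply issues the bind it would presumably still accept an empty password from any other caller, so the check is more robust where the bind is issued. Raising a bare `Exception('No password provided')` only to land in the broad `except Exception, ex` handler also hides the intent; an early `if not password: raise AuthenticationError()` before the `try` would fail closed explicitly, assuming the handler ends in that same error. The comment ties the behaviour to Windows + ADAM, but a simple bind with a DN and an empty password is the LDAP "unauthenticated bind" of RFC 4513 section 5.1.2, which other directory servers may also treat as anonymous. A comment such as `# empty password = LDAP unauthenticated bind (RFC 4513 5.1.2); servers may accept it as anonymous` would explain why the check must stay whatever the backend. The enclosing method starts and ends outside the hunk.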