The way we have our LDAP set up, we try to bind as the user logging in.
However, this means that we can't distinguish between "bad credentials" and "unknown user". With the current implementation we always get "reject", which prevents other plugins (or indeed the default auth backend) from getting a chance to authenticate users.
Not sure what the best way to fix this is; possibly a config option with the effect of returning "unknown" instead of "reject" when the bind fails?
I think you are right, a reject_as_unknown option seems to be the only workable solution. This would also apply to the "empty password" reject, which in some setups may make sense as well.
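The trade-off discussed in this thread, as an added example that is not part of the original posts and not the project's code: a two-backend chain where a failed bind either stops the chain ("reject") or lets the next backend decide ("unknown"). All names (`Result`, `ldap_backend`, `local_backend`, `authenticate`) and the user tables are hypothetical and constructed; `reject_as_unknown` follows the option name proposed above.

```python
import hmac
from enum import Enum

class Result(Enum):
    ACCEPT = "accept"
    REJECT = "reject"    # stops the chain
    UNKNOWN = "unknown"  # lets the next backend try

# Constructed sample data. A real backend would bind to a directory and
# compare password hashes, not plaintext.
LDAP_USERS = {"alice": "ldap-pw"}
LOCAL_USERS = {"svc-backup": "local-pw", "alice": "old-local-pw"}

def ldap_bind(user, password):
    # Bind-as-user: failure does not reveal whether the user exists.
    return LDAP_USERS.get(user) == password

def ldap_backend(user, password, reject_as_unknown=False):
    failed = Result.UNKNOWN if reject_as_unknown else Result.REJECT
    # Never send an empty password to the directory: a simple bind with an
    # empty password is an unauthenticated bind that servers may accept.
    if not password:
        return failed
    return Result.ACCEPT if ldap_bind(user, password) else failed

def local_backend(user, password):
    if user not in LOCAL_USERS:
        return Result.UNKNOWN
    ok = hmac.compare_digest(LOCAL_USERS[user], password)
    return Result.ACCEPT if ok else Result.REJECT

def authenticate(user, password, reject_as_unknown):
    chain = [lambda u, p: ldap_backend(u, p, reject_as_unknown), local_backend]
    for backend in chain:
        result = backend(user, password)
        if result is not Result.UNKNOWN:
            return result
    return Result.REJECT  # no backend claimed the user: fail closed

if __name__ == "__main__":
    for user, pw in [("svc-backup", "local-pw"), ("alice", "old-local-pw"),
                     ("alice", ""), ("nobody", "x")]:
        for flag in (False, True):
            print(user, repr(pw), flag, authenticate(user, pw, flag).value)
```

With the option on, a failed bind no longer ends the attempt, so an account that exists in both stores can be opened with either password (here the stale local one for `alice`); keeping later backends free of directory-managed accounts avoids that.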