Closed aparticka closed 8 years ago
A valid point probably - before 1.0.0 release ldapjs did require a password for bind, but this was removed there to be able to bind anonymously (mcavage/node-ldapjs#254) (note: LDAP server also needs to be configured to allow anonymous binds). Since this library is an authentication library it probably should require user password like passport-ldapauth does.
I just logged in to my application without using a password and learned that the `authenticate` method doesn't require a password because it will just bind anonymously. Is this really the intended behavior?
I can perform the check for an empty password myself, I was just wondering if this was missed somehow and others have the same security hole in their system.
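
The empty-password check discussed in this thread, as an added example that is not code from the library or from either poster. `FakeLdapAuth`, `guardedAuthenticate`, `tryLogin` and the sample directory are hypothetical; the `authenticate(username, password, callback)` shape is an assumption, and the stand-in mimics a server that accepts an empty-password bind.

```javascript
// Constructed stand-in for an LDAP-backed authenticator whose server accepts
// a simple bind with an empty password (no proof of identity is given).
// Class name and directory contents are hypothetical.
class FakeLdapAuth {
  constructor(users) { this.users = users; }
  authenticate(username, password, callback) {
    const entry = this.users[username];
    if (!entry) return callback(new Error('no such user'));
    // Empty password: the bind "succeeds" without verifying anything.
    if (password === '' || password === entry.password) {
      return callback(null, { uid: username });
    }
    return callback(new Error('invalid credentials'));
  }
}

// Guard: never reach authenticate() unless both values are non-empty strings,
// so an empty or missing password can not turn into an anonymous bind.
function guardedAuthenticate(auth, username, password, callback) {
  if (typeof username !== 'string' || username.length === 0) {
    return callback(new Error('username required'));
  }
  if (typeof password !== 'string' || password.length === 0) {
    return callback(new Error('password required'));
  }
  return auth.authenticate(username, password, callback);
}

// Demo helper: run one login and return { ok, error }.
// The stand-in above invokes its callback synchronously.
function tryLogin(fn, auth, username, password) {
  let result;
  fn(auth, username, password, (err, user) => {
    result = { ok: !err && Boolean(user), error: err ? err.message : null };
  });
  return result;
}

const unguarded = (auth, u, p, cb) => auth.authenticate(u, p, cb);
// Constructed sample directory with one user.
const directory = new FakeLdapAuth({ alice: { password: 'correct horse' } });

console.log('unguarded, empty password:', tryLogin(unguarded, directory, 'alice', ''));
console.log('guarded, empty password:  ', tryLogin(guardedAuthenticate, directory, 'alice', ''));
console.log('guarded, real password:   ', tryLogin(guardedAuthenticate, directory, 'alice', 'correct horse'));
```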