From 7410822082f796ff4c828b8dee1fcc4f1a344a37 Mon Sep 17 00:00:00 2001
From: Ad Schellevis
Date: Thu, 23 Feb 2017 23:30:06 +0100
Subject: [PATCH] (ldap) disable anonymous binds
---
 src/opnsense/mvc/app/library/OPNsense/Auth/LDAP.php | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/src/opnsense/mvc/app/library/OPNsense/Auth/LDAP.php b/src/opnsense/mvc/app/library/OPNsense/Auth/LDAP.php
index 08b21839f..0bc8d403c 100644
--- a/src/opnsense/mvc/app/library/OPNsense/Auth/LDAP.php
+++ b/src/opnsense/mvc/app/library/OPNsense/Auth/LDAP.php
@@ -369,7 +369,10 @@ class LDAP extends Base implements IAuthConnector
 {
 // todo: implement SSL parts (legacy : ldap_setup_caenv)
 // authenticate user
- if (array_key_exists($username, $this->userDNmap)) {
+ if (empty($password)) {
+ // prevent anonymous bind
+ return false;
+ } elseif (array_key_exists($username, $this->userDNmap)) {
 // we can map $username to distinguished name, just feed to connect
 $ldap_is_connected = $this->connect($this->ldapBindURL, $this->userDNmap[$username], $password);
 return $ldap_is_connected;
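Review bot: The new guard `if (empty($password))` rejects more than the zero-length password it is aimed at, because PHP's `empty()` is also true for the string "0", so an account whose password is literally `0` can never log in through this connector. An explicit test such as `if ($password === null || $password === '') {` keeps the fail-closed behaviour for the empty case and nothing else. The comment is also worth expanding to say why the check exists, for example `// a simple bind with a DN and an empty password is treated by many LDAP servers as an unauthenticated bind and succeeds (RFC 4513 5.1.2)`. The guard sits at the head of the if/elseif chain, whose remaining branches and the enclosing method lie outside the hunk, so whether other callers of connect() need the same check cannot be confirmed from here.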