I have the following:

class LDAPConnection {

    private $ldapServers = array(
        "ldap://serv1", "ldap://serv2"
    );
    private $ldapUsername = "DOMAIN\%s";

    function login($username, $password)    {
        $user = sprintf($this->ldapUsername, $username);
        // Make sure password is not empty (http://stackoverflow.com/a/172042/561731)
        if(!empty($password))   {
            foreach($this->ldapServers as $server)  {
                try {
                    $ldap = ldap_connect($server);
                    ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, 3);
                    if($bind = ldap_bind($ldap, $user, $password))  {
                        // log them in
                        return true;
                    }
                }
                catch(ErrorException $e)   {
                    // do nothing
                }
            }
        }
        return false;
    }
}

As you can see, I first make sure that the $password is not empty, then I attempt the LDAP connection, because if I do not do that, then LDAP assumes that I want to do an anonymous connection and returns true.

How do I prevent that? Is my only option like I did above and I have to check to make sure that the password isn't empty? Or is there a better way?

1 Answer

Disabling anonymous login shouldn't be done at your application layer. It should be done at the actual LDAP server itself.

Prohibiting anonymous login at your application layer to me seems like a band-aid because anyone can always use any LDAP client to log into your LDAP server if anonymous login is enabled on the server itself.
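
The client-side guard from the question, written out as an added example that is not part of the original question or answer: it rejects any username/password pair that a server could treat as an anonymous or unauthenticated simple bind before `ldap_bind()` is called. The class name `LdapAuthenticator` and the method `isBindable` are hypothetical, and the server URIs and `DOMAIN\` prefix are the question's placeholders. The check only protects this application; it does not change what the directory server accepts from other clients.

```php
<?php
// Added example. Class and method names are hypothetical.
final class LdapAuthenticator
{
    private $servers;
    private $userFormat;

    public function __construct(array $servers, string $userFormat = 'DOMAIN\\%s')
    {
        $this->servers = $servers;
        $this->userFormat = $userFormat;
    }

    // RFC 4513: empty name and empty password is an anonymous bind (5.1.1);
    // a name with an empty password is an unauthenticated bind (5.1.2).
    // A server that accepts either reports success without checking a credential.
    public static function isBindable(string $username, string $password): bool
    {
        // Strict comparison: empty() also treats the valid password "0" as empty.
        return $username !== '' && $password !== '';
    }

    public function login(string $username, string $password): bool
    {
        if (!self::isBindable($username, $password)) {
            return false; // never send a bind the server could treat as anonymous
        }
        $user = sprintf($this->userFormat, $username);
        foreach ($this->servers as $server) {
            $ldap = ldap_connect($server);
            if ($ldap === false) {
                continue; // malformed URI; try the next server
            }
            ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, 3);
            // ldap_bind() signals bad credentials with false plus an E_WARNING.
            $ok = @ldap_bind($ldap, $user, $password);
            ldap_unbind($ldap);
            if ($ok) {
                return true;
            }
        }
        return false;
    }
}

// Constructed inputs: show which pairs would ever reach ldap_bind().
foreach ([['alice', ''], ['', 'secret'], ['alice', '0'], ['alice', 'secret']] as [$u, $p]) {
    printf("%-8s %-8s => %s\n", var_export($u, true), var_export($p, true),
        LdapAuthenticator::isBindable($u, $p) ? 'bind attempted' : 'rejected locally');
}
```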

