LDAP Bind seems to return true with blank password


I have this code to authenticate my users against an LDAP directory. When the password is incorrect it returns false, but if the password is left blank it still authenticates the user. Any ideas why this happens?

if (@ldap_bind($ds, $user_dn, $password) || sha1($password) == '484h84h4hf4Ffwj49393393j93j') 
{
    $valid = true;
}
else $valid = false;

If an empty password is supplied, that tells the directory server you are performing an anonymous simple bind. This behavior is described in RFC 2251, section 4.2.2:

 If no authentication is to be performed, then the simple
 authentication option MUST be chosen, and the password be of zero
 length.  (This is often done by LDAPv2 clients.)  Typically the DN is
 also of zero length.

This can be a very common security vulnerability in LDAP clients, because if they don't verify that the user supplied a non-empty password and instead attempt a bind with a non-empty DN and an empty password, they will see it succeed, even though the server did not bind as the user identified by the supplied DN but rather anonymously. Because this is a common security problem in LDAP clients, some servers reject bind requests that have a non-empty DN but an empty password, and the newer LDAPv3 specification encourages this behavior, as shown in RFC 4513, section 5.1.2:

 An LDAP client may use the unauthenticated authentication mechanism
 of the simple Bind method to establish an anonymous authorization
 state by sending a Bind request with a name value (a distinguished
 name in LDAP string form [RFC4514] of non-zero length) and specifying
 the simple authentication choice containing a password value of zero
 length.

 The distinguished name value provided by the client is intended to be
 used for trace (e.g., logging) purposes only.  The value is not to be
 authenticated or otherwise validated (including verification that the
 DN refers to an existing directory object).  The value is not to be
 used (directly or indirectly) for authorization purposes.

 Unauthenticated Bind operations can have significant security issues
 (see Section 6.3.1).  In particular, users intending to perform
 Name/Password Authentication may inadvertently provide an empty
 password and thus cause poorly implemented clients to request
 Unauthenticated access.  Clients SHOULD be implemented to require
 user selection of the Unauthenticated Authentication Mechanism by
 means other than user input of an empty password.  Clients SHOULD
 disallow an empty password input to a Name/Password Authentication
 user interface.  Additionally, Servers SHOULD by default fail
 Unauthenticated Bind requests with a resultCode of
 unwillingToPerform.

It sounds like your server isn't doing this. If it has an option to do so, then I would strongly recommend turning it on. But regardless, a well-designed LDAP client that uses the simple bind operation to verify user credentials should absolutely verify that the user supplied a non-empty string before attempting to use it to bind to the server.
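Added example, not code from the question or the answer above: a small Python model of the three simple Bind cases RFC 4513 section 5.1 distinguishes (anonymous, unauthenticated, name/password), with the question's naive "bind succeeded, so the user is valid" pattern beside a hardened client that refuses empty input and checks which identity the bind actually established. The directory contents, the DN and the password are constructed sample data; no real LDAP server or library is involved, so it runs offline.

```python
# Added example: a model of LDAP simple Bind semantics per RFC 4513 section 5.1.
# This is not the asker's PHP code and not a real LDAP client; the directory,
# DN and password below are constructed sample values.
import hmac
from dataclasses import dataclass

# LDAP resultCode values (RFC 4511, Appendix A)
SUCCESS = 0
INVALID_CREDENTIALS = 49
UNWILLING_TO_PERFORM = 53

# Constructed sample directory: DN -> password.
DIRECTORY = {
    "uid=alice,ou=people,dc=example,dc=com": "correct horse battery staple",
}


@dataclass
class BindResult:
    result_code: int
    authz_id: str  # authorization state after the bind: "anonymous" or a DN


def server_simple_bind(dn: str, password: str, reject_unauthenticated: bool = True) -> BindResult:
    """Model a directory server handling one simple Bind request.

    RFC 4513 section 5.1 distinguishes three cases:
      5.1.1 anonymous:       empty name, empty password -> success, anonymous
      5.1.2 unauthenticated: name given, empty password -> anonymous; the name
                             is for trace purposes only and is never validated
      5.1.3 name/password:   name and password given    -> credentials checked
    """
    if password == "":
        if dn == "":
            return BindResult(SUCCESS, "anonymous")
        # Unauthenticated bind. Servers SHOULD by default fail these with
        # unwillingToPerform; a lenient server answers success while still
        # granting only anonymous authorization, which is the asker's situation.
        if reject_unauthenticated:
            return BindResult(UNWILLING_TO_PERFORM, "anonymous")
        return BindResult(SUCCESS, "anonymous")
    stored = DIRECTORY.get(dn)
    if stored is not None and hmac.compare_digest(stored.encode(), password.encode()):
        return BindResult(SUCCESS, dn)
    return BindResult(INVALID_CREDENTIALS, "anonymous")


def naive_client_valid(dn: str, password: str, server_rejects_unauthenticated: bool = False) -> bool:
    """The pattern in the question: any successful bind counts as authentication."""
    result = server_simple_bind(dn, password, server_rejects_unauthenticated)
    return result.result_code == SUCCESS


def hardened_client_valid(dn: str, password: str, server_rejects_unauthenticated: bool = False) -> bool:
    """Refuse to send an empty DN or password at all, and only accept a bind
    that actually established the caller's DN as the authorization identity."""
    if dn == "" or password == "":
        return False
    result = server_simple_bind(dn, password, server_rejects_unauthenticated)
    return result.result_code == SUCCESS and result.authz_id == dn


if __name__ == "__main__":
    alice = "uid=alice,ou=people,dc=example,dc=com"
    print("naive client, lenient server, empty password:   ", naive_client_valid(alice, ""))
    print("naive client, strict server, empty password:    ", naive_client_valid(alice, "", True))
    print("hardened client, lenient server, empty password:", hardened_client_valid(alice, ""))
    print("hardened client, correct password:              ",
          hardened_client_valid(alice, "correct horse battery staple"))
```

With the lenient server the naive client reports the empty-password bind as valid, exactly the symptom in the question; turning on rejection of unauthenticated binds fixes that server-side, but the hardened client returns false in both configurations because it never sends an empty password in the first place.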