From 2cfdce88e0b66bc6d6a52507ab682be76289aa6f Mon Sep 17 00:00:00 2001
From: Mateusz Hromada
Date: Wed, 21 Dec 2016 09:43:37 +0100
Subject: [PATCH] Check for zero length passwords in LDAP module. (#3827)
---
 modules/auth/ldap/ldap.go | 5 +++++
 1 file changed, 5 insertions(+)
diff --git a/modules/auth/ldap/ldap.go b/modules/auth/ldap/ldap.go
index cb50fceb..f6feb07a 100644
--- a/modules/auth/ldap/ldap.go
+++ b/modules/auth/ldap/ldap.go
@@ -150,6 +150,11 @@ func bindUser(l *ldap.Conn, userDN, passwd string) error {
 // searchEntry : search an LDAP source if an entry (name, passwd) is valid and in the specific filter
 func (ls *Source) SearchEntry(name, passwd string, directBind bool) (string, string, string, string, bool, bool) {
+ // See https://tools.ietf.org/search/rfc4513#section-5.1.2
+ if len(passwd) == 0 {
+ log.Debug("Auth. failed for %s, password cannot be empty")
+ return "", "", "", "", false, false
+ }
 l, err := dial(ls)
 if err != nil {
 log.Error(4, "LDAP Connect error, %s:%v", ls.Host, err)
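Review bot: The added `log.Debug` call in SearchEntry has a `%s` verb but passes no argument, so the account name never reaches the log and the entry is of little use when reviewing failed logins; it should read `log.Debug("Auth. failed for %q, password cannot be empty", name)`, where `%q` also keeps a user-supplied name from breaking the log line. The guard covers the RFC 4513 section 5.1.2 unauthenticated-bind case, in which some servers report success for a simple bind carrying a DN and an empty password, but it sits only in SearchEntry; if bindUser (named in the hunk header, body not visible here) can be reached from another path, the same check belongs there as well. A comment stating that reason would serve readers better than the bare link, for example `// An empty password turns a simple bind into an unauthenticated bind (RFC 4513 5.1.2), which some servers accept.` SearchEntry's body continues past the end of the hunk.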