From 3f9556c336457ee71d617f85b0fd5a945421314f Mon Sep 17 00:00:00 2001
From: Peter Hollows
Date: Thu, 29 Jun 2017 16:19:54 +1000
Subject: [PATCH] Add explicit notes around passwordless simple auth
See: https://tools.ietf.org/html/rfc4513#section-5.1.2
---
 lib/net/ldap.rb | 12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)
diff --git a/lib/net/ldap.rb b/lib/net/ldap.rb
index f7a98ef5..6992aa8a 100644
--- a/lib/net/ldap.rb
+++ b/lib/net/ldap.rb
@@ -814,6 +814,12 @@ def search(args = {})
 # unrecognized usernames and incorrect passwords. Use
 # #get_operation_result to find out what happened in case of failure.
 #
+ # Note: When using the simple authentication method, some A/D configurations
+ # will return success for a bind when no password is supplied! (this is the
+ # "Unauthenticated Authentication Mechanism of Simple Bind" covered under
+ # RFC4513 section 5.1.2). It's recommended to validate the presence of the
+ # password supplied when assuming a bind is authenticated.
+ #
 # Here's a typical example using #bind to authenticate a credential which
 # was (perhaps) solicited from the user of a web site:
 #
@@ -823,7 +829,11 @@ def search(args = {})
 # ldap.port = 389
 # ldap.auth your_user_name, your_user_password
 # if ldap.bind
- # # authentication succeeded
+ # if your_user_password.size > 0
+ # # authentication succeeded
+ # else
+ # # unauthenticated bind succeeded
+ # end
 # else
 # # authentication failed
 # p ldap.get_operation_result
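Review bot: The example added in the second hunk tests `your_user_password.size > 0` only after `ldap.bind` has returned, so an empty password has already been sent and an unauthenticated bind has already been accepted by the server; the check also raises NoMethodError when the password is nil, as it is when a form field is simply absent. Validate before binding instead, e.g. `if your_user_password.to_s.empty?` / `# refuse: no credential to verify` / `elsif ldap.bind`, so that #bind is never called with an empty password. The note in the first hunk attributes the behaviour to "some A/D configurations", but RFC 4513 §5.1.2 describes the unauthenticated mechanism for any server that enables it, so the documentation would be more accurate if it did not present it as AD-specific. Both hunks change only the doc comment, so the library's own bind path still sends whatever password it is given; a library-level refusal of empty simple-bind passwords (with an explicit opt-in for the unauthenticated case) would protect callers who never read this note, though that code is outside this diff. The enclosing `bind` documentation and method continue outside both hunks.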