nodejs with ldapjs authentication possible without password


I am going to write an API that gets a username and password from the front-end. This username and password get passed into my LDAP bind and should be checked to see whether this information is correct. Now I have the problem that when the user types a wrong password I get the correct error code 49 for invalid credentials. But when the user just enters his username and nothing into the password, then LDAP automatically accepts it and passes the authentication. Can maybe someone help me or give me advice on what's wrong?

const ldap = require('ldapjs');
var client = ldap.createClient({
  url: `ldap://${process.env.LDAP_HOST}:${process.env.LDAP_PORT}`
});

function ldapauth(dn, password, callback) {
  var serverStatus;

  // dn = entry.object.dn from another ldap query

  client.bind(dn, password, function(err, res) {
    if (err) {
      console.log(['Error:', err.code, err.dn, err.message]);
      serverStatus = err.code;
      client.unbind();
      return callback(serverStatus);
    } else {
      console.log('Auth Status: ' + res.status);
      if (res.status == 0) {
        serverStatus = res.status;
      } else {
        serverStatus = 500;
      }
      client.unbind();
      return callback(serverStatus);
    }
  });
}

This is the output I get when the password is empty:


1 answer

Andrei

The activedirectory package solves this by returning an error if no password is supplied:

if ((! username) || (! password)) {
  var err = {
    'code': 0x31,  // 0x31 = 49, the LDAP invalidCredentials result code
    'errno': 'LDAP_INVALID_CREDENTIALS',
    'description': 'The supplied credential is invalid'
  };
  return(callback(err, false));
}

Here is the code: https://github.com/gheeres/node-activedirectory/blob/master/lib/activedirectory.js#L1803

More info about the bind command: https://ldap.com/the-ldap-bind-operation/
This sounds like the cause of your issue:

An anonymous simple bind can be performed by providing empty strings as the bind DN and password (technically, the LDAPv3 specification states that only the password must be empty, but this has been responsible for many security problems with LDAP clients in the past, and many servers require that if an empty password is provided then an empty DN must also be given).
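The same guard applied to the asker's ldapjs flow, as an added example (not code from the question, the answer, or ldapjs): the client is passed in rather than created, and the names precheckCredentials and ldapauth are assumed. An empty password with a non-empty DN is an unauthenticated bind that the server answers with success, so it must be rejected before bind() is ever called.

```javascript
// Added example. Assumes an ldapjs-style client object exposing
// bind(dn, password, cb) and unbind(); nothing here talks to a real server.

const LDAP_INVALID_CREDENTIALS = 49; // resultCode 49 (0x31): invalidCredentials

// Return an error object for credentials that must never reach the server,
// or null when a genuine simple bind should be attempted.
function precheckCredentials(dn, password) {
  // A bind with a DN and an empty password is an *unauthenticated* bind:
  // the server reports success without verifying anything. An empty DN
  // would be an anonymous bind. Both look like "login succeeded" to naive
  // code, so both are refused here with the same code a bad password gets.
  if (typeof dn !== 'string' || dn.trim() === '' ||
      typeof password !== 'string' || password.length === 0) {
    return { code: LDAP_INVALID_CREDENTIALS,
             message: 'username and password are both required' };
  }
  return null;
}

// Authenticate via simple bind. callback(status): 0 on success, 49 on
// invalid credentials, 500 on anything unexpected.
function ldapauth(client, dn, password, callback) {
  const pre = precheckCredentials(dn, password);
  if (pre) {
    return callback(pre.code); // never hits the network
  }

  client.bind(dn, password, function (err, res) {
    client.unbind();
    if (err) {
      return callback(err.code || 500);
    }
    // Only an explicit resultCode 0 counts as an authenticated bind.
    return callback(res && res.status === 0 ? 0 : 500);
  });
}
```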