A JNDI LDAP configuration was found where authentication was disabled.
This is highly discouraged, as it means the LDAP binding is accessible to any client that has its address.
Simple authentication in LDAP can be used with three different mechanisms:
Anonymous binds and unauthenticated binds allow access to information in the LDAP directory without providing a password; their use is therefore strongly discouraged.

// Set up the environment for creating the initial context
Hashtable<String, Object> env = new Hashtable<String, Object>();
env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
env.put(Context.PROVIDER_URL, "ldap://localhost:389/o=JNDITutorial");

// Use anonymous authentication
env.put(Context.SECURITY_AUTHENTICATION, "none"); // Insecure

// Create the initial context
DirContext ctx = new InitialDirContext(env);

// Same environment, this time binding with a name and a password
Hashtable<String, Object> env = new Hashtable<String, Object>();
env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
env.put(Context.PROVIDER_URL, "ldap://localhost:389/o=JNDITutorial");

// Use simple authentication
env.put(Context.SECURITY_AUTHENTICATION, "simple");
env.put(Context.SECURITY_PRINCIPAL, "cn=S. User, ou=NewHires, o=JNDITutorial");
env.put(Context.SECURITY_CREDENTIALS, getLDAPPassword());

// Create the initial context
DirContext ctx = new InitialDirContext(env);

Simple authentication alone does not guarantee security, however, since plain LDAP provides neither encryption nor validation. Use LDAP over a secure connection (see LDAPS) for best results.
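
The two points above can be enforced in one place before any context is created. The following is an added example, not code from the original page: the class and method names are hypothetical, and the `ldaps://` URL on port 636 and the sample password are constructed values. It refuses an empty bind DN or empty password (which would turn a "simple" bind into an anonymous or unauthenticated bind) and refuses any URL that is not LDAPS.

```java
import java.util.Hashtable;
import java.util.Locale;
import javax.naming.AuthenticationException;
import javax.naming.ConfigurationException;
import javax.naming.Context;
import javax.naming.NamingException;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;

// Added example; LdapContexts, authenticatedEnv and open are hypothetical names.
public final class LdapContexts {
    // Builds the JNDI environment, rejecting inputs that would weaken the bind.
    static Hashtable<String, Object> authenticatedEnv(String url, String bindDn, char[] password)
            throws NamingException {
        if (url == null || !url.toLowerCase(Locale.ROOT).startsWith("ldaps://")) {
            throw new ConfigurationException("LDAPS URL required");
        }
        // Empty DN and password = anonymous bind; DN with empty password = unauthenticated bind.
        if (bindDn == null || bindDn.trim().isEmpty()) {
            throw new AuthenticationException("bind DN must not be empty");
        }
        if (password == null || password.length == 0) {
            throw new AuthenticationException("password must not be empty");
        }
        Hashtable<String, Object> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, url);
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, bindDn);
        env.put(Context.SECURITY_CREDENTIALS, password);
        return env;
    }

    static DirContext open(String url, String bindDn, char[] password) throws NamingException {
        return new InitialDirContext(authenticatedEnv(url, bindDn, password));
    }

    public static void main(String[] args) throws NamingException {
        // Constructed inputs; authenticatedEnv() itself opens no connection.
        String url = "ldaps://localhost:636/o=JNDITutorial";
        String dn = "cn=S. User, ou=NewHires, o=JNDITutorial";
        Hashtable<String, Object> env = authenticatedEnv(url, dn, "example".toCharArray());
        System.out.println(env.get(Context.SECURITY_AUTHENTICATION));
        try {
            authenticatedEnv(url, dn, new char[0]);
        } catch (AuthenticationException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```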