ldap: remove support for unauthenticated binds

by using the default empty string if no password was provided,
unauthenticated binds were possible. to bring pbs in-line with pve,
switch to throwing an error in this case instead. however, this will
break any pre-existing setup that relied on this behavior.

Signed-off-by: Stefan Sterz <s.sterz@proxmox.com>

proxmox-ldap/src/lib.rs

@@ -6,7 +6,7 @@ use std::{
     time::Duration,
 };
 
-use anyhow::{bail, Error};
+use anyhow::{bail, format_err, Error};
 use ldap3::adapters::{Adapter, EntriesOnly, PagedResults};
 use ldap3::{Ldap, LdapConnAsync, LdapConnSettings, LdapResult, Scope, SearchEntry};
 use native_tls::{Certificate, TlsConnector, TlsConnectorBuilder};
@@ -119,7 +119,11 @@ impl Connection {
         let mut ldap = self.create_connection().await?;
 
         if let Some(bind_dn) = self.config.bind_dn.as_deref() {
-            let password = self.config.bind_password.as_deref().unwrap_or_default();
+            let password = self
+                .config
+                .bind_password
+                .as_deref()
+                .ok_or_else(|| format_err!("Missing bind password for {bind_dn}"))?;
             let _: LdapResult = ldap.simple_bind(bind_dn, password).await?.success()?;
         }
 
@@ -254,7 +258,11 @@ impl Connection {
         let mut ldap = self.create_connection().await?;
 
         if let Some(bind_dn) = self.config.bind_dn.as_deref() {
-            let password = self.config.bind_password.as_deref().unwrap_or_default();
+            let password = self
+                .config
+                .bind_password
+                .as_deref()
+                .ok_or_else(|| format_err!("Missing bind password for {bind_dn}"))?;
             let _: LdapResult = ldap.simple_bind(bind_dn, password).await?.success()?;
 
             let user_dn = self.do_search_user_dn(username, &mut ldap).await;