Application Server 7
AS7-6108

The LDAP Realm used for the management interfaces and Remoting connectors is incorrectly accepting empty passwords as being valid.


Details

    • Type: Bug
    • Resolution: Done
    • Priority: Blocker

    Description

      Verification of the remote user is performed by attempting to bind to LDAP using the credentials supplied by the remote user; a successful bind is taken to mean that the supplied credentials are correct.

      However, some LDAP servers (Active Directory is one example) accept an empty password as an anonymous bind. This means that the realm assumes the password was correct whilst the LDAP server did not validate the password at all.

      This Jira issue is to change the default behaviour so empty passwords are not accepted at all and to add a configuration attribute to allow the use of empty passwords should they really be desired.
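The bind-as-authentication logic and the fix described above, as an added example that is not AS7 code: a small Python model of an LDAP server that, like Active Directory, treats a simple bind with a non-empty DN and an empty password as an unauthenticated bind and grants an anonymous session (RFC 4513 section 5.1.2), next to the realm check with the flaw and the hardened check. The directory contents, the DN layout and the `allow_empty_passwords` parameter name are assumptions made for the example, not the attribute the actual fix added.

```python
# Added example (not JBoss AS7 code): why "bind succeeded" must not be read as
# "password verified" when the server accepts unauthenticated simple binds.
from dataclasses import dataclass
from typing import Optional

# Constructed sample directory for the example: DN -> password.
DIRECTORY = {
    "uid=alice,ou=people,dc=example,dc=com": "correct-horse",
    "uid=admin,ou=people,dc=example,dc=com": "s3cret",
}


@dataclass
class BindResult:
    success: bool
    # DN the session is bound as; None means the session is anonymous.
    authenticated_as: Optional[str]


def ldap_simple_bind(dn: str, password: str) -> BindResult:
    """Model of a server that accepts unauthenticated binds (AD's default).

    - empty password, any DN: accepted, but the session is anonymous
      (RFC 4513 5.1.2 "unauthenticated" simple bind)
    - DN + password: accepted only if the password matches the entry
    """
    if password == "":
        return BindResult(success=True, authenticated_as=None)
    if DIRECTORY.get(dn) == password:
        return BindResult(success=True, authenticated_as=dn)
    return BindResult(success=False, authenticated_as=None)


def user_dn(username: str) -> str:
    # Assumed DN layout for the example.
    return f"uid={username},ou=people,dc=example,dc=com"


def vulnerable_realm_verify(username: str, password: str) -> bool:
    """The flawed logic: a successful bind is taken to mean the credentials
    are correct, so any username with an empty password is accepted."""
    return ldap_simple_bind(user_dn(username), password).success


def fixed_realm_verify(username: str, password: str,
                       allow_empty_passwords: bool = False) -> bool:
    """Hardened logic: refuse an empty password before ever talking to LDAP,
    unless the deployment has explicitly opted in (hypothetical parameter
    standing in for a realm configuration attribute)."""
    if password == "" and not allow_empty_passwords:
        return False
    return ldap_simple_bind(user_dn(username), password).success


if __name__ == "__main__":
    for name, fn in (("vulnerable", vulnerable_realm_verify),
                     ("fixed", fixed_realm_verify)):
        print(name, "alice/''      ->", fn("alice", ""))
        print(name, "nobody/''     ->", fn("nobody", ""))
        print(name, "alice/correct ->", fn("alice", "correct-horse"))
        print(name, "alice/wrong   ->", fn("alice", "wrong"))
```

Note that `fixed_realm_verify(..., allow_empty_passwords=True)` still "succeeds" for an empty password, because the server still answers the bind with success; the opt-in only makes sense when the directory is configured to reject unauthenticated binds itself, which is why rejecting them in the realm by default is the safe choice.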


          People

            darran.lofthouse@redhat.com Darran Lofthouse
