When a resource is protected by a Web Agent and the user submits a blank username, an LDAP search is run against all users in the LDAP User Store.
The problem is that the LDAP server is too permissive. The Policy Server does not try all the users, but a null user ID causes the LDAP filter to be applied on the server side to all available data on the LDAP server, as the snippet shows:
[19862/39][Thu Oct 31 2013 07:48:53]
CSmDsLdapProvider::Search(): Wrong syntax of LDAP
This is due to a gap in the configuration of the User Store, as reported elsewhere on the internet:
In the event that a client transmits a BIND request with a null name and a non-null password, the server behavior is undefined by the standard, therefore, the server should be configured to reject this type of BIND request and set the result code in the BIND response to '53' (unwillingToPerform) since no authentication takes place. This type of BIND request might be transmitted by a client intending an anonymous BIND request but with leftover text in the password field.
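One way to stop a blank user ID or a null-name BIND before it reaches the directory, as an added example that is not the product's or the directory server's own code. The function names, the `uid` attribute and the `(attr=value)` filter template are assumptions, and the escaping step goes beyond the blank-value case to cover filter metacharacters in general.

```python
# Added example: hypothetical pre-checks, not Policy Server or directory code.
UNWILLING_TO_PERFORM = 53  # result code named in the quoted guidance

# RFC 4515 escapes for characters that are special inside a filter value.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value):
    """Escape one assertion value so it can only match literally."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def build_user_filter(user_id, attr="uid"):
    """Build the user lookup filter, refusing blank IDs before any search is sent.

    `attr` and the (attr=value) template are assumptions for this sketch.
    """
    if user_id is None or not user_id.strip():
        raise ValueError("blank user ID: refusing to query the user store")
    return "({}={})".format(attr, escape_filter_value(user_id.strip()))


def check_simple_bind(name, password):
    """Return 53 for a null name with a non-null password, else None.

    None means the request continues to normal handling (anonymous bind
    when both fields are empty, credential check otherwise).
    """
    if not (name or "").strip() and password:
        return UNWILLING_TO_PERFORM
    return None


if __name__ == "__main__":
    # Constructed sample inputs.
    for uid in ["jsmith", "", "   ", "*"]:
        try:
            print(repr(uid), "->", build_user_filter(uid))
        except ValueError as exc:
            print(repr(uid), "-> rejected:", exc)
    print(check_simple_bind("", "leftover"))
    print(check_simple_bind("uid=jsmith,ou=people", "pw"))
```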