Channel: Ocsinventory Q&A - Recent questions without answers

Security Alert: LDAP accepts credentials with empty password!


If you call ldap_bind() with an empty password, the return value is true for an unauthenticated access. You can find a nice article at http://stackoverflow.com/questions/13838324/ldap-authentication-in-php-authenticated-without-giving-a-password that describes the whole problem in all cases.

So the ldap.php at backend/AUTH/methode must be changed in line 45.

Old:
   if ($info["nbResultats"]!=1)

New:
   if (($info["nbResultats"]!=1)||($pw=='')||($info[0]["dn"]==''))
 

After these changes, access is denied if the user name or password is empty!

Martin
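
A fuller form of the same guard, as an added example that is not part of the original post or of the OCS Inventory code: it refuses an empty user name or password before ldap_bind() is ever called, then applies the conditions from the changed line 45. The function name, the uid attribute, the URI and base DN, and the anonymous bind used for the DN lookup are assumptions.

```php
<?php
// Added example, not OCS Inventory code. The URI, base DN and uid attribute
// are assumptions, as is allowing an anonymous bind for the DN lookup.

function ldap_check_login(string $uri, string $baseDn, string $user, string $pw): bool
{
    // Refuse empty input before any bind: a bind with an empty password can
    // succeed as an unauthenticated bind and make ldap_bind() return true.
    if (trim($user) === '' || $pw === '') {
        return false;
    }
    $conn = ldap_connect($uri);
    if ($conn === false) {
        return false;
    }
    try {
        ldap_set_option($conn, LDAP_OPT_PROTOCOL_VERSION, 3);
        ldap_set_option($conn, LDAP_OPT_REFERRALS, 0);
        // Anonymous bind, used only to look up the user's DN.
        if (!@ldap_bind($conn)) {
            return false;
        }
        // ldap_escape() keeps the user name from altering the search filter.
        $filter = '(uid=' . ldap_escape($user, '', LDAP_ESCAPE_FILTER) . ')';
        $search = @ldap_search($conn, $baseDn, $filter);
        if ($search === false) {
            return false;
        }
        $entries = ldap_get_entries($conn, $search);
        // Same conditions as the changed line: exactly one hit, non-empty DN.
        if ($entries === false || $entries['count'] !== 1 || empty($entries[0]['dn'])) {
            return false;
        }
        // The actual credential check: bind as that DN with the password.
        return @ldap_bind($conn, $entries[0]['dn'], $pw);
    } finally {
        ldap_unbind($conn);
    }
}

// Constructed call: the empty password is refused before any server contact.
var_dump(ldap_check_login('ldap://ldap.example.test', 'dc=example,dc=test', 'martin', ''));
```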

