We're using LDAP authentication with authorization mapping LDAP groups to roles, and stumbled on a strange behavior.
If you attempt to log in with an incorrect password, it correctly rejects you and returns you to the login screen. However, if you attempt to log in and leave the password blank, it triggers a different form error indicating the password may not be blank -- but it also successfully creates a user session -- which means you can navigate to pages as if you had logged in.
To make sure there wasn't something odd going on with our Drupal installation or core settings, I disabled LDAP and logged in as a standard Drupal user -- it correctly redirects me to the login and prevents a session in either scenario. So something in the LDAP config or code is causing this to happen. I've combed through the config but can't find anything that might cause this. Anyone else run into it?