Matthew Daley reported an issue in Horde LDAP where, if a user knew the LDAP bind user's DN, they could login without supplying a password. This has been fixed in version 2.0.6: https://github.com/horde/horde/commit/8f719b53b0ee2d4b8a40a770430683c98fb5f2fd https://github.com/horde/horde/commit/4c3e18f1724ab39bfef10c189a5b52036a744d55 It has been fixed in Fedora via bug 1104961, and EPEL 6 via bug 1104962. Full details available in http://seclists.org/oss-sec/2014/q2/504