Turns out that passing null as username and password in ldap_bind()

breaks anonymous ldap_bind().  Sigh.  Be a little more careful.

modules/ldap/config/identity.php

@@ -41,7 +41,7 @@ $config["ldap"] = array(
     "url" => "ldaps://ldap.corp.google.com/",
     "group_domain" => "ou=Posix,ou=Groups,dc=google,dc=com",
     "user_domain" => "ou=People,dc=google,dc=com",
-    "bind_rdn" => NULL,
-    "bind_password" => NULL,
+    "bind_rdn" => null,
+    "bind_password" => null,
   )
 );

modules/ldap/libraries/drivers/IdentityProvider/Ldap.php

@@ -31,7 +31,11 @@ class IdentityProvider_Ldap_Driver implements IdentityProvider_Driver {
     self::$_params = $params;
     self::$_connection = ldap_connect(self::$_params["url"]);
     ldap_set_option(self::$_connection, LDAP_OPT_PROTOCOL_VERSION, 3);
-    ldap_bind(self::$_connection, self::$_params["bind_rdn"], self::$_params["bind_password"]);
+    if (self::$_params["bind_rdn"]) {
+      ldap_bind(self::$_connection, self::$_params["bind_rdn"], self::$_params["bind_password"]);
+    } else {
+      ldap_bind(self::$_connection);
+    }
   }
 
   /**