As defined in the RFC 4513 .
5.1.1. Anonymous Authentication Mechanism of Simple Bind
An LDAP client may use the anonymous authentication mechanism of the
simple Bind method to explicitly establish an anonymous authorization
state by sending a request with a name value of zero length and
specifying the simple authentication choice with a password
value of zero length.
Translating, when using a valid credential (user) and using a zero-sized password (or without sending a password), an anonymous authorization is performed.
This authorization, from the LDAP perspective, is configured to be allowed and may be limited, as some operations may not be permitted through anonymous authentication.
You can configure the server to reject these types of settings or add password length validation together.
$bind = @ldap_bind($ldap_conn, $auth_user.$domain, $auth_pass) or exit("Erro em bind");
if (!$bind || strlen(trim($auth_pass)) == 0) exit('Usuário e/ou senha incorreto(s)!');
There are, in addition, other types of mechanisms such as the "Authentication Authentication Mechanism", where neither user nor password is used for bind:
5.1.2. Unauthenticated Authentication Mechanism of Simple Bind
An LDAP client may use the unauthenticated authentication mechanism of the simple Bind method to establish an anonymous authorization state by sending a request with a name value (a distinguished name in LDAP string form [RFC4514] of non-zero length) and specifying the simple authentication choice containing the password value of zero length.
If your LDAP server allows this, you should also configure or treat it in code.
