Tobias Schneider discovered that libspring-ldap-java, a Java library for Spring-based applications using the Lightweight Directory Access Protocol, would under some circumstances allow authentication with a correct username but an arbitrary password.