Index: accounts/backends.py
===================================================================
--- accounts/backends.py	(revision 1550)
+++ accounts/backends.py	(working copy)
@@ -61,16 +61,25 @@
     """
 
     def authenticate(self, username, password):
+        if not len(password):
+            # Reject empty passwords, else authentication would always succeed
+            # because in LDAP a bind request with an empty password is an
+            # anonymous bind request.
+            return None
         try:
             import ldap
             ldapo = ldap.initialize(settings.LDAP_URI)
             ldapo.set_option(ldap.OPT_PROTOCOL_VERSION, 3)
             if settings.LDAP_TLS:
                 ldapo.start_tls_s()
-            ldapo.simple_bind_s(settings.LDAP_UID_MASK % username, password)
-
+            ldapo.simple_bind_s(settings.LDAP_ANON_BIND_UID,
+                settings.LDAP_ANON_BIND_PASSWD)
+            base_dn = "OU=my_unit,DC=my_organization,DC=my_tld"
+            passwd = ldapo.search_s(base_dn,
+                ldap.SCOPE_SUBTREE, settings.LDAP_UID_MASK % username)
+            dn = passwd[0][0]
+            ldapo.simple_bind_s(dn, password)
             return self.get_or_create_user(username)
-
         except ImportError:
             pass
         except ldap.INVALID_CREDENTIALS:
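Review bot: The login name goes into the search filter unescaped at `settings.LDAP_UID_MASK % username` in the new `search_s` call, so filter metacharacters typed into the username field are interpreted by the directory and decide which entry's DN is then bound; the second hunk builds the same filter the same way. Escape the value with `settings.LDAP_UID_MASK % ldap.filter.escape_filter_chars(username)` (this needs an explicit `import ldap.filter`), and bind only when the search returned exactly one entry with a DN, e.g. `if len(passwd) != 1 or not passwd[0][0]: return None`. As written, an unknown username makes `passwd[0][0]` raise IndexError, which neither except clause visible here catches; any further handlers are outside the hunk. The new guard `if not len(password)` also raises TypeError when password is None, and `if not password:` would cover both cases.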
@@ -88,8 +97,9 @@
                     ldapo.start_tls_s()
                 ldapo.simple_bind_s(settings.LDAP_ANON_BIND_UID, settings.LDAP_ANON_BIND_PASSWD)
 
-                passwd = ldapo.search_s(settings.LDAP_UID_MASK % username,
-                                        ldap.SCOPE_SUBTREE, "objectclass=*")
+                base_dn = "OU=my_unit,DC=my_organization,DC=my_tld"
+                passwd = ldapo.search_s(base_dn,
+                  ldap.SCOPE_SUBTREE, settings.LDAP_UID_MASK % username)
 
                 first_name = passwd[0][1]['givenName'][0]
                 last_name = passwd[0][1]['sn'][0]
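Review bot: The search base `"OU=my_unit,DC=my_organization,DC=my_tld"` is a placeholder literal, repeated here and in `authenticate`, so the patch cannot work on a real directory without editing the source in two places. Read it from a setting alongside `LDAP_URI`, for example `base_dn = settings.LDAP_BASE_DN`, where `LDAP_BASE_DN` is a new setting this patch would have to introduce. The change also turns `LDAP_UID_MASK` from a DN template (the old code used it as the bind DN and as the search base) into a search filter. That should be stated in the settings documentation, because an existing DN-style value is not a valid filter. The enclosing function starts and ends outside this hunk.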
