You should NOT attempt to bind with a made up password. However small the chance, the chance remains that your code produces a valid password. The correct behaviour is to test for an empty password, and if your application will only service authenticated users, not perform any more LDAP operations on behalf of the user - this also happens to be more efficient.