Comment 12 for bug 1188475

About comment 6- in my opinion this highly depends on your implementation and policy.
I work for not so large company, I'd say small - just about 4200 employers-, so our policy can be wrong - it says not show users their rights, i.e. intruder needs to try ;-)
From another point of view- ldap connection credentials are supplied in config, so application have to use them, not others.
Your point of view is right too- as I said this depends on your policy.
Thank you!