As defined in RFC 4513.
5.1.1. Anonymous Authentication Mechanism of Simple Bind
An LDAP client may use the Anonymous Authentication Mechanism of the
simple Bind method to explicitly Establish an Anonymous Authorization
state by sending a Bind request with a name value of zero length and
specifying the simple Authentication Choice containing a password
value of zero length.
Translating, when using a valid credential (user) and using a password of size zero (or without sending password), an anonymous authorization is made.
This authorization, from the LDAP point of view, is configured to be allowed and may be limited as some operations may not be allowed through anonymous authentications.
You can configure the server to reject these types of settings or add password size validation together.
$bind = @ldap_bind($ldap_conn, $auth_user.$domain, $auth_pass) or exit("Erro em bind");
if (!$bind || strlen(trim($auth_pass)) == 0) exit('Usuário e/ou senha incorreto(s)!');
There are, in addition, other types of mechanisms such as the "Authentication Mechanism not Authenticated", where neither user nor password for bind is used:
5.1.2. Unauthenticated Authentication Mechanism of Simple Bind
An LDAP client may use the unauthenticated Authentication Mechanism of the simple Bind method to Establish an Anonymous Authorization state by sending a Bind request with a name value (a Distinguished name in LDAP string form [RFC4514] of non-zero length) and specifying the simple Authentication Choice containing a password value of zero length.
If your LDAP server allows this, you should also set it up or handle it in code.