When using v1.20 of the Active Directory plugin and the latest version of Jenkins (v1.456 as of submission of this bug report) Jenkins allows for password-less authentication.

I realize that v1.20 is an old version of the plugin but many users (including myself) are not upgrading to the latest version due to known bugs with group based LDAP/AD authentication.

We should put a message/disclaimer on the Active Directory wiki page stating that users should upgrade to the latest version to avoid this issue.