diff --git a/shell.nix b/shell.nix
index 69546ffbe..f98506e41 100644
--- a/shell.nix
+++ b/shell.nix
@@ -19,7 +19,7 @@ let
   '';
 
   override = oldAttrs: {
-    nativeBuildInputs = oldAttrs.nativeBuildInputs ++ (with pkgs; [ postgresql pgadmin ]) ++ (with haskellPackages; [ stack yesod-bin hlint cabal-install ]);
+    nativeBuildInputs = oldAttrs.nativeBuildInputs ++ (with pkgs; [ postgresql pgadmin openldap ]) ++ (with haskellPackages; [ stack yesod-bin hlint cabal-install ]);
     shellHook = ''
       export PROMPT_INFO="${oldAttrs.name}"
 
diff --git a/src/Auth/LDAP.hs b/src/Auth/LDAP.hs
index 76f12ce89..5233faaf3 100644
--- a/src/Auth/LDAP.hs
+++ b/src/Auth/LDAP.hs
@@ -88,9 +88,14 @@ campusLogin conf@LdapConf{..} pool = AuthPlugin{..}
         FormMissing -> redirect LoginR
         FormSuccess CampusLogin{ campusIdent = CI.original -> campusIdent, ..} -> do
           ldapResult <- withLdap pool $ \ldap -> do
-            Ldap.bind ldap (Ldap.Dn campusIdent) (Ldap.Password $ Text.encodeUtf8 campusPassword)
             Ldap.bind ldap ldapDn ldapPassword
-            findUser conf ldap campusIdent [userPrincipalName]
+            searchResults <- findUser conf ldap campusIdent [userPrincipalName]
+            case searchResults of
+              [Ldap.SearchEntry (Ldap.Dn userDN) userAttrs] 
+                | Just [principalName] <- lookup userPrincipalName userAttrs
+                , Right credsIdent <- Text.decodeUtf8' principalName
+                -> Right (userDN, credsIdent) <$ Ldap.bind ldap (Ldap.Dn credsIdent) (Ldap.Password $ Text.encodeUtf8 campusPassword)
+              other -> return $ Left other
           case ldapResult of
             Left err
               | LdapError (Ldap.ResponseError (Ldap.ResponseErrorCode _ Ldap.InvalidCredentials _ _)) <- err
@@ -100,16 +105,11 @@ campusLogin conf@LdapConf{..} pool = AuthPlugin{..}
               | otherwise -> do
                   $logErrorS "LDAP" $ "Error during login: " <> tshow err
                   loginErrorMessageI LoginR Msg.AuthError
-            Right searchResults
-              | [Ldap.SearchEntry (Ldap.Dn userDN) userAttrs] <- searchResults
-              , Just [principalName] <- lookup userPrincipalName userAttrs
-              , Right credsIdent <- Text.decodeUtf8' principalName
-                -> do
-                  $logDebugS "LDAP" $ tshow searchResults
-                  lift . setCredsRedirect $ Creds apName credsIdent [("DN", userDN)]
-              | otherwise -> do
-                  $logWarnS "LDAP" $ "Could not extract principal name: " <> tshow searchResults
-                  loginErrorMessageI LoginR Msg.AuthError
+            Right (Right (userDN, credsIdent)) ->
+              lift . setCredsRedirect $ Creds apName credsIdent [("DN", userDN)]
+            Right (Left searchResults) -> do
+              $logWarnS "LDAP" $ "Could not extract principal name: " <> tshow searchResults
+              loginErrorMessageI LoginR Msg.AuthError
     apDispatch _ _ = notFound
     apLogin toMaster = do
       (login, loginEnctype) <- handlerToWidget . generateFormPost $ renderAForm FormStandard campusForm