diff --git a/frontend/src/metabase/admin/settings/selectors.js b/frontend/src/metabase/admin/settings/selectors.js
index e0312348473fb79e52dcb9e0de97578a1317e82c..e17dc3192623455416687e52234098c26e6cb4bd 100644
--- a/frontend/src/metabase/admin/settings/selectors.js
+++ b/frontend/src/metabase/admin/settings/selectors.js
@@ -180,7 +180,7 @@ const SECTIONS = [
                 display_name: "LDAP Security",
                 description: null,
                 type: "radio",
-                options: { none: "None", ssl: "SSL", tls: "TLS" },
+                options: { none: "None", ssl: "SSL", starttls: "StartTLS" },
                 defaultValue: 'none'
             },
             {
diff --git a/src/metabase/api/session.clj b/src/metabase/api/session.clj
index 3ae46fbe2783dc0382f444ac1aad1a393b3335a6..91cb2d72edd0161ff967cb64924a206f917d60c6 100644
--- a/src/metabase/api/session.clj
+++ b/src/metabase/api/session.clj
@@ -55,6 +55,7 @@
     ;; First try LDAP if it's enabled
     (when (ldap/ldap-configured?)
       (when-let [{:keys [first-name last-name email], :as user-info} (ldap/find-user username)]
+        (println user-info)
         (if (ldap/verify-password user-info password)
           (ldap-fetch-or-create-user! first-name last-name email password)
           ;; Since LDAP knows about our user, fail fast here to prevent the local strategy to be tried with a potentially outdated password
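Review bot: `(println user-info)` on the added line writes the full LDAP record — DN, e-mail, first/last name and, after this commit, `:groups` — to stdout on every login attempt, including failed ones, because it runs before `verify-password` is consulted. That is personal data leaking into whatever captures process output, and it reads as leftover debugging; drop the line, or if a trace is genuinely wanted, log at debug level with only the DN, e.g. `(log/debug "LDAP user found:" (:dn user-info))` (assuming a `log` alias is required in this namespace). The enclosing function starts and ends outside the hunk.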
diff --git a/src/metabase/integrations/ldap.clj b/src/metabase/integrations/ldap.clj
index 0d3aa9a65cbe1aebcbe65535bd09787c7f9b1fd7..1a1189308a898c0d2f9a5078120f8c0516c5cdae 100644
--- a/src/metabase/integrations/ldap.clj
+++ b/src/metabase/integrations/ldap.clj
@@ -15,7 +15,7 @@
   :default "none"
   :setter  (fn [new-value]
              (when-not (nil? new-value)
-               (assert (contains? #{"none" "ssl" "tls"} new-value)))
+               (assert (contains? #{"none" "ssl" "starttls"} new-value)))
              (setting/set-string! :ldap-security new-value)))
 
 (defsetting ldap-bind-dn
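Review bot: Installations that already persisted `ldap-security` as `"tls"` are not migrated: the setter on the `+` line now asserts only `none`/`ssl`/`starttls`, and the connection map in the `@@ -57` hunk below sets `:startTLS?` only when the value equals `"starttls"`, so a stored `"tls"` silently yields a connection with neither `:ssl?` nor `:startTLS?` — plaintext LDAP, bind password included — with no error surfaced. Either normalise the legacy value where it is read, e.g. a small `(defn- ldap-security* [] (let [v (ldap-security)] (if (= v "tls") "starttls" v)))` used by both comparisons, or ship a data migration that rewrites the stored value; the option rename in `selectors.js` has the same gap, since the UI will show none of the radio buttons selected for such an install. The `defsetting` form and the connection-details function both start outside their hunks.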
@@ -57,7 +57,7 @@
                  :bind-dn   (ldap-bind-dn)
                  :password  (ldap-password)
                  :ssl?      (= (ldap-security) "ssl")
-                 :startTLS? (= (ldap-security) "tls")}))
+                 :startTLS? (= (ldap-security) "starttls")}))
 
 (defn- with-connection [f & args]
   "Applies `f` with a connection pool followed by `args`"
@@ -80,27 +80,19 @@
           email-attr (keyword (ldap-attribute-email))]
       (when-let [[result] (ldap/search conn (ldap-base) {:scope      :sub
                                                          :filter     (s/replace (ldap-user-filter) "{login}" (escape-value username))
-                                                         :attributes [:dn :distinguishedName fname-attr lname-attr email-attr]
+                                                         :attributes [:dn :distinguishedName :membderOf fname-attr lname-attr email-attr]
                                                          :size-limit 1})]
-        {:dn         (or (:dn result) (:distinguishedName result)) ; TODO - Check if AD also provides "dn"
+        {:dn         (or (:dn result) (:distinguishedName result))
          :first-name (get result fname-attr)
          :last-name  (get result lname-attr)
-         :email      (get result email-attr)}))))
-
-(defn auth-user
-  "Authenticates the user with an LDAP bind operation. Returns the user information when successful, nil otherwise."
-  ([username password]
-    (with-connection auth-user username password))
-  ([conn username password]
-    ;; first figure out the user even exists, we also need the DN to reliably bind with LDAP
-    (when-let [{:keys [dn], :as user} (find-user conn username)]
-      ;; then try a bind with the DN we got and the supplied password
-      (when (ldap/bind? conn dn password)
-        user))))
+         :email      (get result email-attr)
+         :groups     (or (:membderOf result) [])}))))
 
 (defn verify-password
-  "Verifies if the password supplied is correct. `user-info` is what `find-user` returns (alternarively only the :dn needs to be filled in)"
+  "Verifies if the password supplied is valid for the supplied `user-info` (from `find-user`) or DN."
   ([user-info password]
     (with-connection verify-password user-info password))
-  ([conn {:keys [dn]} password]
-    (ldap/bind? conn dn password)))
+  ([conn user-info password]
+    (if (string? user-info)
+      (ldap/bind? conn user-info password)
+      (ldap/bind? conn (:dn user-info) password))))
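Review bot: `:membderOf` on the two `+` lines (the `:attributes` vector and the `:groups` key) is a typo for `memberOf`, so the attribute is never requested from the directory and `:groups` is always `[]` for every user; anything later built on it, such as group-based role mapping, would silently grant nothing or fall back to defaults. Change both occurrences to `:memberOf`. In `verify-password`, when `find-user` returns a map whose `:dn` is nil (neither `dn` nor `distinguishedName` was returned) the new map branch binds with a nil DN; a guard such as `(when-let [dn (if (string? user-info) user-info (:dn user-info))] (ldap/bind? conn dn password))` keeps that from reaching the server. It is also worth confirming that `ldap/bind?` refuses an empty password before this is relied on, since a simple bind with an empty password is treated as an unauthenticated bind by many directories and would otherwise let a known user in with no password — rejecting blank passwords before binding is the safe default. `find-user` starts outside the hunk.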
diff --git a/src/metabase/models/user.clj b/src/metabase/models/user.clj
index f18bddaa74a2a06bac9f8642ef3a4c884386287e..a1bf89f09b6a930e512a32f580ae3ffbdd6191a8 100644
--- a/src/metabase/models/user.clj
+++ b/src/metabase/models/user.clj
@@ -142,14 +142,14 @@
     (email/send-user-joined-admin-notification-email! <>, :google-auth? true)))
 
 (defn create-new-ldap-auth-user!
-  "Convenience for creating a new user via Google Auth. This account is considered active immediately; thus all active admins will recieve an email right away."
-  [first-name last-name email-address]
+  "Convenience for creating a new user via LDAP. This account is considered active immediately; thus all active admins will recieve an email right away."
+  [first-name last-name email-address password]
   {:pre [(string? first-name) (string? last-name) (u/is-email? email-address)]}
   (u/prog1 (db/insert! User
              :email      email-address
              :first_name first-name
              :last_name  last-name
-             :password   (str (UUID/randomUUID))
+             :password   password
              :ldap_auth  true)
     ;; send an email to everyone including the site admin if that's set
     (email/send-user-joined-admin-notification-email! <>, :ldap-auth? true)))
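Review bot: The `:pre` condition `{:pre [(string? first-name) (string? last-name) (u/is-email? email-address)]}` was not extended for the new `password` parameter, so a nil or non-string value reaches `db/insert!`; add `(string? password)` to it. More importantly, the `:password password` line now persists the user's directory credential in Metabase's own users table where previously a random UUID went; whether it is hashed on insert depends on the User model's insert hook, which is outside this hunk, but even hashed it is a second copy of the LDAP secret that the local login strategy could accept after the directory password has been rotated or the account disabled. If the local password is not meant to be usable for LDAP-authenticated users, keeping the random value is the safer choice; if it is, the docstring should state that `password` is the plaintext LDAP password and that it is stored locally. The corrected docstring on the first `+` line still misspells `recieve`.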