diff --git a/src/proxyauth.js b/src/proxyauth.js
index 0ce1ad95a..e9c5bb69e 100644
--- a/src/proxyauth.js
+++ b/src/proxyauth.js
@@ -15,6 +15,7 @@ const apps = require('./apps.js'),
     debug = require('debug')('box:proxyAuth'),
     ejs = require('ejs'),
     express = require('express'),
+    externalLdap = require('./externalLdap.js'),
     hat = require('./hat.js'),
     http = require('http'),
     HttpError = require('connect-lastmile').HttpError,
@@ -170,8 +171,13 @@ async function passwordAuth(req, res, next) {
     if (!user.ghost && !user.appPassword && user.twoFactorAuthenticationEnabled) {
         if (!totpToken) return next(new HttpError(403, 'A totpToken must be provided'));
 
-        let verified = speakeasy.totp.verify({ secret: user.twoFactorAuthenticationSecret, encoding: 'base32', token: req.body.totpToken, window: 2 });
-        if (!verified) return next(new HttpError(403, 'Invalid totpToken'));
+        if (user.source === 'ldap') {
+            const [error] = await safe(externalLdap.verifyPasswordAndTotpToken(user, password, totpToken));
+            if (error) return next(new HttpError(401, 'Invalid totpToken'));
+        } else {
+            const verified = speakeasy.totp.verify({ secret: user.twoFactorAuthenticationSecret, encoding: 'base32', token: req.body.totpToken, window: 2 });
+            if (!verified) return next(new HttpError(401, 'Invalid totpToken'));
+        }
     }
 
     req.user = user;
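Review bot: In the new `user.source === 'ldap'` branch every rejection from `safe(externalLdap.verifyPasswordAndTotpToken(...))` becomes `401 'Invalid totpToken'`, so an unreachable or misconfigured LDAP server is indistinguishable from a wrong token, and the error value itself is discarded without being logged. Suggest recording it before returning, e.g. `if (error) { debug('passwordAuth: ldap totp verification failed: %o', error); return next(new HttpError(401, 'Invalid totpToken')); }`, and, if the helper distinguishes connectivity failures from rejected credentials, mapping the former to a 5xx rather than a 401 so outages are not counted as failed logins. The else branch also passes `req.body.totpToken` to speakeasy while the guard just above checks `totpToken`; if those can differ (that depends on how `totpToken` is derived earlier in passwordAuth, outside this hunk), `token: totpToken` keeps the guard and the verified value consistent. The missing-token case still returns 403 while an invalid token now returns 401; worth confirming that split is intended. passwordAuth starts before this hunk, so whether `password` is in scope for the new call cannot be confirmed from here.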