diff --git a/src/apps.js b/src/apps.js
index d7880f3bb..3297ae490 100644
--- a/src/apps.js
+++ b/src/apps.js
@@ -10,6 +10,7 @@ exports = module.exports = {
 get: get,
 getByContainerId: getByContainerId,
 getByIpAddress: getByIpAddress,
+ getByFqdn: getByFqdn,
 getAll: getAll,
 getAllByUser: getAllByUser,
 install: install,
@@ -477,6 +478,20 @@ function getByIpAddress(ip, callback) {
 });
 }
+function getByFqdn(fqdn, callback) {
+ assert.strictEqual(typeof fqdn, 'string');
+ assert.strictEqual(typeof callback, 'function');
+
+ getAll(function (error, result) {
+ if (error) return callback(error);
+
+ var app = result.find(function (a) { return a.fqdn === fqdn; });
+ if (!app) return callback(new AppsError(AppsError.NOT_FOUND, 'No such app'));
+
+ callback(null, app);
+ });
+}
+
 function getAll(callback) {
 assert.strictEqual(typeof callback, 'function');
diff --git a/src/ldap.js b/src/ldap.js
index 87145ff55..7cd4e8e3d 100644
--- a/src/ldap.js
+++ b/src/ldap.js
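Review bot: getByFqdn in src/apps.js matches with an exact, case-sensitive `a.fqdn === fqdn`, and the one caller visible in this commit passes a value split out of the client-supplied DN. If that value is not normalised before it reaches this function (not visible here), a differently-cased domain falls through to NOT_FOUND; normalising once inside the lookup, e.g. `var wanted = fqdn.toLowerCase();` ahead of the `find`, would keep that decision in one place, assuming stored fqdns are lowercase. A short comment stating that the callback receives `AppsError.NOT_FOUND` when nothing matches would also help callers map it to the right protocol error.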
@@ -519,33 +519,33 @@ function userSearchProftpd(req, res, next) {
 if (parts.length !== 2) return next(new ldap.NoSuchObjectError(req.dn.toString()));
 var username = parts[0];
- var appDomain = parts[1];
+ var appFqdn = parts[1];
- apps.getAll(function (error, result) {
+ apps.getByFqdn(appFqdn, function (error, app) {
 if (error) return next(new ldap.OperationsError(error.toString()));
- var app = result.find(function (a) { return a.fqdn === appDomain; });
- if (!app) return next(new ldap.NoSuchObjectError(req.dn.toString()));
-
- users.getByUsername(username, function (error, result) {
+ users.getByUsername(username, function (error, user) {
 if (error) return next(new ldap.OperationsError(error.toString()));
- var dn = ldap.parseDN(`cn=${username}@${appDomain},ou=proftpd,dc=cloudron`);
+ apps.hasAccessTo(app, user, function (error, hasAccess) {
+ if (error) return next(new ldap.OperationsError(error.toString()));
+ if (!hasAccess) return next(new ldap.InsufficientAccessRightsError('Not authorized'));
- var obj = {
- dn: dn.toString(),
- attributes: {
- homeDirectory: path.join(paths.APPS_DATA_DIR, app.id, 'data'),
- objectclass: ['user'],
- objectcategory: 'person',
- cn: result.id,
- uid: `${result.username}@${appDomain}`, // for bind after search
- uidNumber: 1000, // unix uid for ftp access
- gidNumber: 1000 // unix gid for ftp access
- }
- };
+ var obj = {
+ dn: ldap.parseDN(`cn=${username}@${appFqdn},ou=proftpd,dc=cloudron`).toString(),
+ attributes: {
+ homeDirectory: path.join(paths.APPS_DATA_DIR, app.id, 'data'),
+ objectclass: ['user'],
+ objectcategory: 'person',
+ cn: user.id,
+ uid: `${username}@${appFqdn}`, // for bind after search
+ uidNumber: 1000, // unix uid for ftp access
+ gidNumber: 1000 // unix gid for ftp access
+ }
+ };
- finalSend([ obj ], req, res, next);
+ finalSend([ obj ], req, res, next);
+ });
 });
 });
 }
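Review bot: An unknown app FQDN now reaches the LDAP client as `OperationsError` instead of `NoSuchObjectError`: the removed code answered a missing app with `next(new ldap.NoSuchObjectError(req.dn.toString()))`, while the new `apps.getByFqdn` callback reports it as an `AppsError.NOT_FOUND` error, which the first `if (error)` turns into an operations failure. The not-found case should be separated from real failures before that line and answered with `return next(new ldap.NoSuchObjectError(req.dn.toString()));`; the same applies to the `users.getByUsername` error path if it reports a missing user the same way (not visible here). Passing `error.toString()` into the LDAP response also hands internal error text to the client, so a fixed message with the detail logged server-side would be safer. userSearchProftpd starts before this hunk, so how `parts` is derived from the DN is not shown.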