diff --git a/src/externalldap.js b/src/externalldap.js
index 66f5d8006..dbf36a40c 100644
--- a/src/externalldap.js
+++ b/src/externalldap.js
@@ -254,9 +254,8 @@ async function search(identifier) {
     return users;
 }
 
-async function maybeCreateUser(identifier, password) {
+async function maybeCreateUser(identifier) {
     assert.strictEqual(typeof identifier, 'string');
-    assert.strictEqual(typeof password, 'string');
 
     const externalLdapConfig = await settings.getExternalLdapConfig();
     if (externalLdapConfig.provider === 'noop') throw new BoxError(BoxError.BAD_STATE, 'not enabled');
@@ -269,13 +268,14 @@ async function maybeCreateUser(identifier, password) {
     const user = translateUser(externalLdapConfig, ldapUsers[0]);
     if (!validUserRequirements(user)) throw new BoxError(BoxError.BAD_FIELD);
 
-    const [error] = await safe(users.add(user.email, { username: user.username, password: null, displayName: user.displayName, source: 'ldap' }, AuditSource.EXTERNAL_LDAP_AUTO_CREATE));
+    const [error, userId] = await safe(users.add(user.email, { username: user.username, password: null, displayName: user.displayName, source: 'ldap' }, AuditSource.EXTERNAL_LDAP_AUTO_CREATE));
     if (error) {
         debug(`maybeCreateUser: failed to auto create user ${user.username}`, error);
         throw error;
     }
 
-    return user;
+    // fetch the full record
+    return await users.get(userId);
 }
 
 async function verifyPassword(user, password) {
diff --git a/src/routes/accesscontrol.js b/src/routes/accesscontrol.js
index 3a174da32..9b1839f95 100644
--- a/src/routes/accesscontrol.js
+++ b/src/routes/accesscontrol.js
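Review bot: The new `maybeCreateUser(identifier)` signature drops the password but the hunk adds no documentation of what the function now promises, and the body (visible in the next hunk) persists a local account via `users.add` with `password: null` and `source: 'ldap'` for any identifier the directory resolves, without any credential check of its own. A JSDoc above the signature should state that contract, e.g. `/** Auto-creates a local record for a directory identity. Performs no authentication: callers must verify the password separately before treating the account as logged in. */`. The function's body continues into the second hunk of this file.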
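Review bot: `users.get(userId)` on the last added line is not wrapped in `safe` the way `users.add` directly above it is, so a lookup failure propagates without the `debug` entry the add path emits; either `const [getError, record] = await safe(users.get(userId));` with the same debug-then-throw treatment, or drop `safe` for both so the two calls are handled uniformly. The return value also changes from the `translateUser` object to the stored record, and `verifyPassword(user, password)` (its body is outside the hunk) now receives that record, so confirm it only reads fields the stored record carries. Outside a try/catch, `return await users.get(userId);` is equivalent to `return users.get(userId);`; the `// fetch the full record` comment would be more useful if it said which fields the caller needs that the translated object lacks.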
@@ -31,9 +31,9 @@ async function passwordAuth(req, res, next) {
     let [error, user] = await safe(verifyFunc(username, password, users.AP_WEBADMIN));
     if (error && error.reason === BoxError.NOT_FOUND) {
-        [error, user] = await safe(externalLdap.maybeCreateUser(username.toLowerCase(), password));
+        [error, user] = await safe(externalLdap.maybeCreateUser(username.toLowerCase()));
         if (error) return next(new HttpError(401, 'Unauthorized'));
-        [error] = await safe(externalLdap.verifyPassword(user));
+        [error] = await safe(externalLdap.verifyPassword(user, password));
         if (error) return next(new HttpError(401, 'Unauthorized'));
     }
     if (error && error.reason === BoxError.INVALID_CREDENTIALS) return next(new HttpError(401, 'Unauthorized'));
diff --git a/src/test/externalldap-test.js b/src/test/externalldap-test.js
index a134d7c60..a59c06c68 100644
--- a/src/test/externalldap-test.js
+++ b/src/test/externalldap-test.js
@@ -535,16 +535,12 @@ describe('External LDAP', function () {
     });
 
     it('succeeds for known user with correct password', async function () {
-        const newUser = {
+        gLdapUsers.push({
             username: 'autologinuser2',
             displayName: 'Auto Login2',
             email: 'auto2@login.com',
             password: LDAP_SHARED_PASSWORD
-        };
-
-        gLdapUsers.push(newUser);
-
-        await users.add(newUser.email, newUser, auditSource);
+        });
 
         const response = await superagent.post(`${serverUrl}/api/v1/cloudron/login`)
             .send({ username: 'autologinuser2', password: LDAP_SHARED_PASSWORD })
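Review bot: The NOT_FOUND branch still writes the account before the password is checked: `maybeCreateUser` runs `users.add` first and `verifyPassword(user, password)` only afterwards, so an unauthenticated request naming any existing directory user leaves a local `source: 'ldap'` record behind even when the verification fails (returning 401 on both paths is right, but the persisted side effect remains). Consider checking the password against the directory before creating the record, or removing the record when `verifyPassword` fails; if `verifyPassword` needs the stored record (its body is outside the hunk), the cleanup variant is the smaller change. Note also that only this path lowercases the username while `verifyFunc` above receives it as typed, so the same input can resolve to different identifiers on the two paths. `passwordAuth`'s body starts and ends outside the hunk.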
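Review bot: The rewritten test covers only the auto-create success path; nothing in the hunk exercises a directory user with a wrong password, which is the path where accesscontrol.js now creates the local record before verification. A companion `it('fails for known user with wrong password', …)` that expects a 401 and then checks whether a local record for that username was left behind would pin the intended behaviour; one may already exist outside the hunk.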