diff --git a/src/accesscontrol.js b/src/accesscontrol.js
index c7af36bf0..d2bc03628 100644
--- a/src/accesscontrol.js
+++ b/src/accesscontrol.js
@@ -132,11 +132,8 @@ function validateToken(accessToken, callback) {
 scopesForUser(user, function (error, userScopes) {
 if (error) return callback(error);
- var authorizedScopes = intersectScopes(userScopes, token.scope.split(','));
- const skipPasswordVerification = token.clientId === 'cid-sdk' || token.clientId === 'cid-cli'; // these clients do not require password checks unlike UI
- var info = { authorizedScopes: authorizedScopes, skipPasswordVerification: skipPasswordVerification }; // ends up in req.authInfo
-
- callback(null, user, info);
+ const authorizedScopes = intersectScopes(userScopes, token.scope.split(','));
+ callback(null, user, { authorizedScopes }); // ends up in req.authInfo
 });
 });
 });
diff --git a/src/externalldap.js b/src/externalldap.js
index 07d63e9f8..fb74f2890 100644
--- a/src/externalldap.js
+++ b/src/externalldap.js
@@ -201,13 +201,15 @@ function sync(progressCallback, callback) {
 // we ignore all errors here and just log them for now
 async.eachSeries(ldapUsers, function (user, iteratorCallback) {
+const delayedCallback = (error) => setTimeout(iteratorCallback, 40000);
+
 const username = user[externalLdapConfig.usernameField];
 const email = user.mail;
 const displayName = user.cn; // user.giveName + ' ' + user.sn
 if (!username || !email || !displayName) {
 debug(`[empty username/email/displayName] username=${username} email=${email} displayName=${displayName} usernameField=${externalLdapConfig.usernameField}`);
- return iteratorCallback();
+ return delayedCallback();
 }
 percent += step;
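Review bot: The added `const delayedCallback = (error) => setTimeout(iteratorCallback, 40000);` at the top of the `async.eachSeries` iterator in externalldap.js looks like leftover debugging code: it sits at column 0, never uses its `error` parameter, and holds every iteration for 40 seconds, including the skip and up-to-date paths. Because `eachSeries` runs serially, each LDAP user adds 40 s to a sync, so a directory of a few hundred users would take hours and directory changes would reach local accounts correspondingly late; the delay is also unrelated to the password-verification removal the rest of this commit makes. The two later hunks in this file (`@@ -216,7 +218,7 @@` and `@@ -224,25 +226,25 @@`) replace every `iteratorCallback()` with `delayedCallback()` and carry the same problem. I would drop the helper and keep `iteratorCallback()` throughout; if throttling is intended, make the delay a small named constant with a comment saying why. `sync` begins and ends outside this hunk.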
@@ -216,7 +218,7 @@ function sync(progressCallback, callback) {
 users.getByUsername(username, function (error, result) {
 if (error && error.reason !== BoxError.NOT_FOUND) {
 debug(`Could not find user with username ${username}: ${error.message}`);
- return iteratorCallback();
+ return delayedCallback();
 }
 if (error) {
@@ -224,25 +226,25 @@ function sync(progressCallback, callback) {
 users.create(username, null /* password */, email, displayName, { source: 'ldap' }, auditSource.EXTERNAL_LDAP_TASK, function (error) {
 if (error) console.error('Failed to create user', user, error);
- iteratorCallback();
+ delayedCallback();
 });
 } else if (result.source !== 'ldap') {
 debug(`[conflicting user] username=${username} email=${email} displayName=${displayName}`);
- iteratorCallback();
+ delayedCallback();
 } else if (result.email !== email || result.displayName !== displayName) {
 debug(`[updating user] username=${username} email=${email} displayName=${displayName}`);
 users.update(result.id, { email: email, fallbackEmail: email, displayName: displayName }, auditSource.EXTERNAL_LDAP_TASK, function (error) {
 if (error) debug('Failed to update user', user, error);
- iteratorCallback();
+ delayedCallback();
 });
 } else { // user known and up-to-date
 debug(`[up-to-date user] username=${username} email=${email} displayName=${displayName}`);
- iteratorCallback();
+ delayedCallback();
 }
 });
 }, function (error) {
diff --git a/src/routes/test/apps-test.js b/src/routes/test/apps-test.js
index 8a040da5d..67381b42a 100644
--- a/src/routes/test/apps-test.js
+++ b/src/routes/test/apps-test.js
@@ -211,7 +211,7 @@ function startBox(done) {
 token_1 = hat(8 * 32); // HACK to get a token for second user (passwords are generated and the user should have gotten a password setup link...)
- tokendb.add({ id: 'tid-1', accessToken: token_1, identifier: user_1_id, clientId: 'cid-sdk', expires: Date.now() + 1000000, scope: 'apps', name: '' }, callback); // cid-sdk means we don't need to send password
+ tokendb.add({ id: 'tid-1', accessToken: token_1, identifier: user_1_id, clientId: 'cid-sdk', expires: Date.now() + 1000000, scope: 'apps', name: '' }, callback);
 });
 },
diff --git a/src/routes/users.js b/src/routes/users.js
index 518c5651f..6dbfcb0db 100644
--- a/src/routes/users.js
+++ b/src/routes/users.js
@@ -120,8 +120,6 @@ function remove(req, res, next) {
 function verifyPassword(req, res, next) {
 assert.strictEqual(typeof req.body, 'object');
- if (req.authInfo.skipPasswordVerification) return next(); // using an 'sdk' token we skip password checks
-
 if (typeof req.body.password !== 'string') return next(new HttpError(400, 'API call requires user password'));
 users.verifyWithUsername(req.user.username, req.body.password, function (error) {
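Review bot: Nothing visible in this commit tests the behaviour it changes in `verifyPassword`: with the `req.authInfo.skipPasswordVerification` shortcut gone, a request carrying a `cid-sdk` or `cid-cli` token and no `password` in the body should now fall through to the `typeof req.body.password !== 'string'` check and get the 400, yet the only test change shown (apps-test.js) just drops a comment. A route test that sends such a token without a password and asserts the 400 would keep a client-id based bypass from being reintroduced unnoticed. I would also add a short comment above the function, for example `// every caller must supply the account password; no client id is exempt`, since the old inline comment documenting the exemption is removed without a replacement. `verifyPassword` continues past the end of this hunk.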