diff --git a/dashboard/src/views/user-settings.js b/dashboard/src/views/user-settings.js
index 242250ffd..b00a2d2ad 100644
--- a/dashboard/src/views/user-settings.js
+++ b/dashboard/src/views/user-settings.js
@@ -265,6 +265,7 @@ angular.module('Application').controller('UserSettingsController', ['$scope', '$
                     if (error.statusCode === 424) {
                         if (error.code === 'SELF_SIGNED_CERT_IN_CHAIN') $scope.externalLdap.error.acceptSelfSignedCerts = true;
                         else $scope.externalLdap.error.url = true;
+                        $scope.externalLdap.error.generic = error.message;
                     } else if (error.statusCode === 400 && error.message === 'invalid baseDn') {
                         $scope.externalLdap.error.baseDn = true;
                     } else if (error.statusCode === 400 && error.message === 'invalid filter') {
diff --git a/src/externalldap.js b/src/externalldap.js
index f83161737..ff22dd73e 100644
--- a/src/externalldap.js
+++ b/src/externalldap.js
@@ -25,7 +25,6 @@ const assert = require('assert'),
     eventlog = require('./eventlog.js'),
     groups = require('./groups.js'),
     ldap = require('ldapjs'),
-    once = require('./once.js'),
     safe = require('safetydance'),
     settings = require('./settings.js'),
     tasks = require('./tasks.js'),
@@ -116,7 +115,10 @@ async function getClient(config, options) {
             url: config.url,
             tlsOptions: {
                 rejectUnauthorized: config.acceptSelfSignedCerts ? false : true
-            }
+            },
+            // https://github.com/ldapjs/node-ldapjs/issues/486
+            timeout: 60000,
+            connectTimeout: 10000
         };
 
         client = ldap.createClient(ldapConfig);
@@ -126,12 +128,9 @@ async function getClient(config, options) {
     }
 
     return await new Promise((resolve, reject) => {
-        reject = once(reject);
-
         // ensure we don't just crash
-        client.on('error', function (error) {
+        client.on('error', function (error) { // don't reject, we must have gotten a bind error
             debug('getClient: ExternalLdap client error:', error);
-            reject(new BoxError(BoxError.EXTERNAL_ERROR, error));
         });
 
         // skip bind auth if none exist or if not wanted
diff --git a/src/routes/externalldap.js b/src/routes/externalldap.js
index e677e1327..399447484 100644
--- a/src/routes/externalldap.js
+++ b/src/routes/externalldap.js
@@ -40,6 +40,8 @@ async function setConfig(req, res, next) {
     if ('bindDn' in req.body && typeof req.body.bindDn !== 'string') return next(new HttpError(400, 'bindDn must be a non empty string'));
     if ('bindPassword' in req.body && typeof req.body.bindPassword !== 'string') return next(new HttpError(400, 'bindPassword must be a string'));
 
+    req.clearTimeout(); // remove ldap server can take a bit to respond
+
     const [error] = await safe(externalLdap.setConfig(req.body, AuditSource.fromRequest(req)));
     if (error) return next(BoxError.toHttpError(error));