diff --git a/src/ldap.js b/src/ldap.js
index 7bc0ae3a8..aecfde16f 100644
--- a/src/ldap.js
+++ b/src/ldap.js
@@ -127,11 +127,15 @@ function start(callback) {
 debug('user bind: %s', req.dn.toString());
 // extract the common name which might have different attribute names
- var commonName = req.dn.rdns[0][Object.keys(req.dn.rdns[0])[0]];
+ var attributeName = Object.keys(req.dn.rdns[0])[0];
+ var commonName = req.dn.rdns[0][attributeName];
 if (!commonName) return next(new ldap.NoSuchObjectError(req.dn.toString()));
+ // if mail is specified, enforce mail check, otherwise allow both
+ var api = (commonName.indexOf('@') === -1) && (attributeName !== 'mail') ? user.verify : user.verifyWithEmail;
+ // TODO this should be done after we verified the app has access to avoid leakage of user existence
- user.verify(commonName, req.credentials || '', function (error, userObject) {
+ api(commonName, req.credentials || '', function (error, userObject) {
 if (error && error.reason === UserError.NOT_FOUND) return next(new ldap.NoSuchObjectError(req.dn.toString()));
 if (error && error.reason === UserError.WRONG_PASSWORD) return next(new ldap.InvalidCredentialsError(req.dn.toString()));
 if (error) return next(new ldap.OperationsError(error));
diff --git a/src/test/ldap-test.js b/src/test/ldap-test.js
index be66c0a6d..9618ee314 100644
--- a/src/test/ldap-test.js
+++ b/src/test/ldap-test.js
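Review bot: The dispatch in `var api = …` routes any value containing `@`, and any `mail=` RDN, to `user.verifyWithEmail`, but the NOT_FOUND/WRONG_PASSWORD mapping on the three lines after the `api(...)` call is only correct if `verifyWithEmail` reports the same `UserError` reasons as `user.verify`; that function is not in the hunk, so confirm it does, otherwise an unknown address falls through to `OperationsError(error)` instead of `NoSuchObjectError`. The `attributeName !== 'mail'` comparison is case-sensitive while LDAP attribute types are not, so unless ldapjs already lower-cases RDN keys a `MAIL=` RDN would be routed to `user.verify`; if it does not, use `var attributeName = Object.keys(req.dn.rdns[0])[0].toLowerCase();`. Note also that the new path extends the existing NoSuchObjectError/InvalidCredentialsError split, which the TODO above it already flags as revealing whether a name exists to an unauthenticated client, to email addresses as well; a comment such as `// NOTE: via verifyWithEmail the existence oracle below now applies to email addresses too` would keep that visible until the TODO is resolved. The enclosing bind handler starts and ends outside the hunk.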
@@ -156,6 +156,24 @@ describe('Ldap', function () {
 });
 });
+ it('succeeds with email and without accessRestriction', function (done) {
+ var client = ldap.createClient({ url: 'ldap://127.0.0.1:' + config.get('ldapPort') });
+
+ client.bind('cn=' + USER_0.email + ',ou=users,dc=cloudron', USER_0.password, function (error) {
+ expect(error).to.be(null);
+ done();
+ });
+ });
+
+ it('fails with username for mail attribute and without accessRestriction', function (done) {
+ var client = ldap.createClient({ url: 'ldap://127.0.0.1:' + config.get('ldapPort') });
+
+ client.bind('mail=' + USER_0.username + ',ou=users,dc=cloudron', USER_0.password, function (error) {
+ expect(error).to.be.a(ldap.NoSuchObjectError);
+ done();
+ });
+ });
+
 it('fails with accessRestriction denied', function (done) {
 var client = ldap.createClient({ url: 'ldap://127.0.0.1:' + config.get('ldapPort') });