diff --git a/src/routes/accesscontrol.js b/src/routes/accesscontrol.js
index 655d70bd5..40bd36d87 100644
--- a/src/routes/accesscontrol.js
+++ b/src/routes/accesscontrol.js
@@ -15,6 +15,7 @@ var accesscontrol = require('../accesscontrol.js'),
 BoxError = require('../boxerror.js'),
 clients = require('../clients.js'),
 ClientPasswordStrategy = require('passport-oauth2-client-password').Strategy,
+ externalLdap = require('../externalldap.js'),
 HttpError = require('connect-lastmile').HttpError,
 LocalStrategy = require('passport-local').Strategy,
 passport = require('passport'),
@@ -37,11 +38,30 @@ function initialize(callback) { }); }); + // used when username/password is sent in request body. used in CLI tool login route passport.use(new LocalStrategy(function (username, password, callback) { + + // TODO we should only do this for dashboard logins + function createAndVerifyUserIfNotExist(identifier, password, callback) { + assert.strictEqual(typeof identifier, 'string'); + assert.strictEqual(typeof password, 'string'); + assert.strictEqual(typeof callback, 'function'); + + externalLdap.createAndVerifyUserIfNotExist(identifier.toLowerCase(), password, function (error, result) { + if (error && error.reason === BoxError.BAD_STATE) return callback(null, false); + if (error && error.reason === BoxError.BAD_FIELD) return callback(null, false); + if (error && error.reason === BoxError.CONFLICT) return callback(null, false); + if (error && error.reason === BoxError.INVALID_CREDENTIALS) return callback(null, false); + if (error) return callback(error); + + callback(null, result); + }); + } + if (username.indexOf('@') === -1) { users.verifyWithUsername(username, password, function (error, result) { - if (error && error.reason === BoxError.NOT_FOUND) return callback(null, false); + if (error && error.reason === BoxError.NOT_FOUND) return createAndVerifyUserIfNotExist(username, password, callback); if (error && error.reason === BoxError.INVALID_CREDENTIALS) return callback(null, false); if (error) return callback(error); if (!result) return callback(null, false); 
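Review bot: The external-LDAP fallback is defined inside the LocalStrategy verify callback, so it runs for every route that authenticates through this strategy, which the added TODO already admits is broader than intended; the same fallback is wired into the `verifyWithEmail` branch in the next hunk. Each login attempt with an identifier that is unknown locally now causes an outbound directory lookup and, on success, creates a local account, so this path should be covered by whatever login throttling the routes apply, and it is worth confirming that `externalLdap.createAndVerifyUserIfNotExist` escapes the identifier before using it in a search filter (that code is not visible here). I would replace the TODO with something actionable, `// FIXME: reached by every LocalStrategy caller, CLI login included; gate on the dashboard login route before provisioning from LDAP`, and hoist the helper out of the callback so it is not redefined on every request. `initialize` starts and ends outside this hunk.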
@@ -49,7 +69,7 @@ function initialize(callback) { }); } else { users.verifyWithEmail(username, password, function (error, result) { - if (error && error.reason === BoxError.NOT_FOUND) return callback(null, false); + if (error && error.reason === BoxError.NOT_FOUND) return createAndVerifyUserIfNotExist(username, password, callback); if (error && error.reason === BoxError.INVALID_CREDENTIALS) return callback(null, false); if (error) return callback(error); if (!result) return callback(null, false); diff --git a/src/users.js b/src/users.js index 8cd135ed8..39db93576 100644 --- a/src/users.js +++ b/src/users.js @@ -32,7 +32,6 @@ exports = module.exports = { }; let assert = require('assert'), - auditSource = require('./auditsource.js'), BoxError = require('./boxerror.js'), crypto = require('crypto'), constants = require('./constants.js'), 
@@ -241,27 +240,12 @@ function verify(userId, password, callback) { }); } -function createAndVerifyUserIfNotExist(identifier, password, callback) { - assert.strictEqual(typeof identifier, 'string'); - assert.strictEqual(typeof password, 'string'); - assert.strictEqual(typeof callback, 'function'); - - externalLdap.createAndVerifyUserIfNotExist(identifier, password, function (error, result) { - if (error && error.reason === BoxError.BAD_STATE) return callback(new BoxError(BoxError.NOT_FOUND)); - if (error && error.reason === BoxError.BAD_FIELD) return callback(new BoxError(BoxError.NOT_FOUND)); - if (error) return callback(error); - - callback(null, result); - }); -} - function verifyWithUsername(username, password, callback) { assert.strictEqual(typeof username, 'string'); assert.strictEqual(typeof password, 'string'); assert.strictEqual(typeof callback, 'function'); userdb.getByUsername(username.toLowerCase(), function (error, user) { - if (error && error.reason === BoxError.NOT_FOUND) return createAndVerifyUserIfNotExist(username.toLowerCase(), password, callback); if (error) return callback(error); verify(user.id, password, callback); @@ -274,7 +258,6 @@ function verifyWithEmail(email, password, callback) { assert.strictEqual(typeof callback, 'function'); userdb.getByEmail(email.toLowerCase(), function (error, user) { - if (error && error.reason === BoxError.NOT_FOUND) return createAndVerifyUserIfNotExist(email.toLowerCase(), password, callback); if (error) return callback(error); verify(user.id, password, callback);