diff --git a/src/externalldap.js b/src/externalldap.js
index 289bc66b6..52353b715 100644
--- a/src/externalldap.js
+++ b/src/externalldap.js
@@ -115,6 +115,9 @@ function ldapGetByDN(externalLdapConfig, dn, callback) {
 
         debug(`Get object at ${dn}`);
 
+        // basic validation to not crash
+        try { ldap.parseDN(dn); } catch (e) { return callback(new BoxError(BoxError.BAD_FIELD, 'invalid DN')); }
+
         client.search(dn, searchOptions, function (error, result) {
             if (error instanceof ldap.NoSuchObjectError) return callback(new BoxError(BoxError.NOT_FOUND));
             if (error) return callback(new BoxError(BoxError.EXTERNAL_ERROR, error));
@@ -520,12 +523,15 @@ function syncGroupUsers(externalLdapConfig, progressCallback, callback) {
 
                 var ldapGroupMembers = found.member || found.uniqueMember || [];
 
+                // if only one entry is in the group ldap returns a string, not an array!
+                if (typeof ldapGroupMembers === 'string') ldapGroupMembers = [ ldapGroupMembers ];
+
                 debug(`Group ${group.name} has ${ldapGroupMembers.length} members.`);
 
                 async.eachSeries(ldapGroupMembers, function (memberDn, iteratorCallback) {
                     ldapGetByDN(externalLdapConfig, memberDn, function (error, result) {
                         if (error) {
-                            console.error(`Failed to get ${memberDn}:`, error);
+                            console.log(`Failed to get ${memberDn}:`, error);
                             return iteratorCallback();
                         }