diff --git a/internal/outpost/ldap/bind.go b/internal/outpost/ldap/bind.go
index c050b7184..0988850f4 100644
--- a/internal/outpost/ldap/bind.go
+++ b/internal/outpost/ldap/bind.go
@@ -8,8 +8,8 @@ import (
 )
 func (ls *LDAPServer) Bind(bindDN string, bindPW string, conn net.Conn) (ldap.LDAPResultCode, error) {
- ls.log.WithField("bindDN", bindDN).Info("bind")
 bindDN = strings.ToLower(bindDN)
+ ls.log.WithField("bindDN", bindDN).Info("bind")
 for _, instance := range ls.providers {
 username, err := instance.getUsername(bindDN)
 if err == nil {
diff --git a/internal/outpost/ldap/instance_bind.go b/internal/outpost/ldap/instance_bind.go
index a3816ca1a..5954cd5ef 100644
--- a/internal/outpost/ldap/instance_bind.go
+++ b/internal/outpost/ldap/instance_bind.go
@@ -48,13 +48,13 @@ func (pi *ProviderInstance) Bind(username string, bindDN, bindPW string, conn ne
 fe.Answers[outpost.StagePassword] = bindPW
 passed, err := fe.Execute()
+ if !passed {
+ return ldap.LDAPResultInvalidCredentials, nil
+ }
 if err != nil {
 pi.log.WithField("bindDN", bindDN).WithError(err).Warning("failed to execute flow")
 return ldap.LDAPResultOperationsError, nil
 }
- if !passed {
- return ldap.LDAPResultInvalidCredentials, nil
- }
 access, err := fe.CheckApplicationAccess(pi.appSlug)
 if !access {
 pi.log.WithField("bindDN", bindDN).Info("Access denied for user")
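Review bot: The bind log entry in LDAPServer.Bind carries only the DN, now in lower-cased form, so the value as the client sent it is no longer recorded and the entry cannot be tied to a source address. Since `conn` is already a parameter, consider `ls.log.WithField("bindDN", bindDN).WithField("client", conn.RemoteAddr().String()).Info("bind")`, unless the logger already carries the peer address elsewhere. The function body continues outside the hunk.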
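Review bot: With `if !passed` moved ahead of `if err != nil` in ProviderInstance.Bind, a flow-execution error that comes back with passed == false is answered as LDAPResultInvalidCredentials and its error is never logged. The `failed to execute flow` warning now fires only if Execute can return true together with an error, which looks unlikely. A backend failure then becomes indistinguishable from a wrong password, and the rejected bind leaves no log entry in this branch. Keep the new result code but record the attempt inside the branch, for example `pi.log.WithField("bindDN", bindDN).WithError(err).Info("Invalid credentials")`. The context lines `access, err := fe.CheckApplicationAccess(pi.appSlug)` and `if !access` appear to test the result before the error in the same way; the function continues outside the hunk.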