diff --git a/outpost/azure-pipelines.yml b/outpost/azure-pipelines.yml
index 4f1cf7901..96a8d71a0 100644
--- a/outpost/azure-pipelines.yml
+++ b/outpost/azure-pipelines.yml
@@ -51,9 +51,9 @@ stages:
 script: |
 docker run --rm -v $(pwd):/app -w /app golangci/golangci-lint:v1.39.0 golangci-lint run -v --timeout 200s
 workingDirectory: 'outpost/'
- - stage: proxy_build_go
+ - stage: build_go
 jobs:
- - job: build_go
+ - job: proxy_build_go
 pool:
 vmImage: 'ubuntu-latest'
 steps:
@@ -70,9 +70,26 @@ stages:
 command: 'build'
 arguments: './cmd/proxy'
 workingDirectory: 'outpost/'
- - stage: proxy_build_docker
+ - job: ldap_build_go
+ pool:
+ vmImage: 'ubuntu-latest'
+ steps:
+ - task: GoTool@0
+ inputs:
+ version: '1.16.3'
+ - task: DownloadPipelineArtifact@2
+ inputs:
+ buildType: 'current'
+ artifactName: 'go_swagger_client'
+ path: "outpost/pkg/"
+ - task: Go@0
+ inputs:
+ command: 'build'
+ arguments: './cmd/ldap'
+ workingDirectory: 'outpost/'
+ - stage: build_docker
 jobs:
- - job: build
+ - job: proxy_build_docker
 pool:
 vmImage: 'ubuntu-latest'
 steps:
@@ -97,3 +114,28 @@ stages:
 Dockerfile: 'outpost/proxy.Dockerfile'
 buildContext: 'outpost/'
 tags: "gh-$(branchName)"
+ - job: ldap_build_docker
+ pool:
+ vmImage: 'ubuntu-latest'
+ steps:
+ - task: GoTool@0
+ inputs:
+ version: '1.16.3'
+ - task: DownloadPipelineArtifact@2
+ inputs:
+ buildType: 'current'
+ artifactName: 'go_swagger_client'
+ path: "outpost/pkg/"
+ - task: Bash@3
+ inputs:
+ targetType: 'inline'
+ script: |
+ python ./scripts/az_do_set_branch.py
+ - task: Docker@2
+ inputs:
+ containerRegistry: 'beryjuorg-harbor'
+ repository: 'authentik/outpost-ldap'
+ command: 'buildAndPush'
+ Dockerfile: 'outpost/ldap.Dockerfile'
+ buildContext: 'outpost/'
+ tags: "gh-$(branchName)"
diff --git a/outpost/ldap.Dockerfile b/outpost/ldap.Dockerfile
new file mode 100644
index 000000000..a440468c4
--- /dev/null
+++ b/outpost/ldap.Dockerfile
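Review bot: The `ldap_build_docker` job in the third hunk installs Go via `GoTool@0` but never runs a Go step; the compile happens inside `ldap.Dockerfile`, so that task only adds pipeline time and can be dropped (the proxy job it mirrors may carry the same unused step, but most of that job sits outside the hunk). The same job body is repeated almost verbatim for `ldap_build_go` in the second hunk and for the two proxy jobs; a job template parameterised on binary name, Dockerfile and repository would keep the four definitions in step. The toolchain version `'1.16.3'` now appears in three task inputs plus the Dockerfile's `FROM` line, so a single pipeline variable (a constructed example: `$(goVersion)`) would stop the copies drifting apart.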
@@ -0,0 +1,13 @@
+FROM golang:1.16.3 AS builder
+
+WORKDIR /work
+
+COPY . .
+
+RUN go build -o /work/ldap ./cmd/ldap
+
+FROM gcr.io/distroless/base-debian10:debug
+
+COPY --from=builder /work/ldap /
+
+ENTRYPOINT ["/ldap"]
diff --git a/outpost/pkg/ldap/api.go b/outpost/pkg/ldap/api.go
index 23d357fdf..44f5d3a22 100644
--- a/outpost/pkg/ldap/api.go
+++ b/outpost/pkg/ldap/api.go
@@ -28,7 +28,7 @@ func (ls *LDAPServer) Refresh() error {
 appSlug: *provider.ApplicationSlug,
 flowSlug: *provider.BindFlowSlug,
 s: ls,
- log: log.WithField("provider", provider.Name),
+ log: log.WithField("logger", "authentik.outpost.ldap").WithField("provider", provider.Name),
 }
 }
 ls.providers = providers
diff --git a/outpost/pkg/ldap/bind.go b/outpost/pkg/ldap/bind.go
index f1f6bf5f1..9418fe563 100644
--- a/outpost/pkg/ldap/bind.go
+++ b/outpost/pkg/ldap/bind.go
@@ -6,15 +6,9 @@ import (
 "github.com/nmcclain/ldap"
 )
-type UIDResponse struct {
- UIDFIeld string `json:"uid_field"`
-}
-
-type PasswordResponse struct {
- Password string `json:"password"`
-}
 func (ls *LDAPServer) Bind(bindDN string, bindPW string, conn net.Conn) (ldap.LDAPResultCode, error) {
+ ls.log.WithField("dn", bindDN).Info("bind")
 for _, instance := range ls.providers {
 username, err := instance.getUsername(bindDN)
 if err == nil {
diff --git a/outpost/pkg/ldap/instance_bind.go b/outpost/pkg/ldap/instance_bind.go
index 9b91e235c..4f722c3a7 100644
--- a/outpost/pkg/ldap/instance_bind.go
+++ b/outpost/pkg/ldap/instance_bind.go
@@ -16,6 +16,14 @@ import (
 "goauthentik.io/outpost/pkg/client/flows"
 )
+type UIDResponse struct {
+ UIDFIeld string `json:"uid_field"`
+}
+
+type PasswordResponse struct {
+ Password string `json:"password"`
+}
+
 func (pi *ProviderInstance) getUsername(dn string) (string, error) {
 if !strings.HasSuffix(dn, pi.BaseDN) {
 return "", errors.New("invalid base DN")
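Review bot: The runtime stage uses `gcr.io/distroless/base-debian10:debug`, whose `:debug` variant ships a busybox shell that the plain tag leaves out; unless a shell is needed inside the published `outpost-ldap` image, `FROM gcr.io/distroless/base-debian10` keeps the runtime surface to the binary and libc. The container also runs as root by default; distroless images define a `nonroot` user, so `USER nonroot:nonroot` before `ENTRYPOINT` drops privileges, provided the listener is not bound to a privileged port such as 389 or 636 (the listen address is not visible in this diff). `COPY . .` pulls the whole `outpost/` build context into the builder stage, so it is worth confirming a `.dockerignore` excludes local build output and any credential files.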
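Review bot: The provider logger built on the `+` line starts from the package-level `log` and re-states the `"authentik.outpost.ldap"` literal that the ldap.go hunk sets on `ls.log`; deriving it from the server logger instead, `log: ls.log.WithField("provider", provider.Name),`, inherits the field without a second copy of the string to keep in sync. If the two loggers must stay independent, a package constant for the logger name would serve both call sites. The enclosing `Refresh` starts outside the hunk, so this assumes `ls.log` is already set when `Refresh` runs, as `NewServer` in ldap.go suggests.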
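Review bot: The new `ls.log...Info("bind")` line records only the DN and fires before the outcome is known, so the log cannot distinguish a successful bind from a failed one or say where it came from; for spotting password guessing the client address is the field that matters, e.g. `ls.log.WithField("dn", bindDN).WithField("client", conn.RemoteAddr().String()).Info("bind")`, with the result code logged where `Bind` returns (the rest of the function is outside the hunk). `bindPW` is correctly kept out of the entry; keep it that way if more fields are added. Binds can be frequent, so logging the attempt at Debug and the failure at Info may be the better split.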
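Review bot: `UIDFIeld` in the moved `UIDResponse` struct has a stray capital I; the `json:"uid_field"` tag is what is serialised, so renaming the Go field to `UIDField` is a safe cleanup while the type is being relocated. Whether anything outside this file still references the old name is not visible here.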
@@ -59,7 +67,7 @@ func (pi *ProviderInstance) Bind(username string, bindPW string, conn net.Conn)
 if err != nil {
 if _, denied := err.(*core.CoreApplicationsCheckAccessForbidden); denied {
 pi.log.WithField("dn", username).Info("Access denied for user")
- return ldap.LDAPResultInvalidCredentials, nil
+ return ldap.LDAPResultInsufficientAccessRights, nil
 }
 pi.log.WithField("dn", username).WithError(err).Warning("failed to check access")
 return ldap.LDAPResultOperationsError, nil
diff --git a/outpost/pkg/ldap/ldap.go b/outpost/pkg/ldap/ldap.go
index 68c6add96..e67585b92 100644
--- a/outpost/pkg/ldap/ldap.go
+++ b/outpost/pkg/ldap/ldap.go
@@ -35,7 +35,7 @@ func NewServer(ac *ak.APIController) *LDAPServer {
 s.EnforceLDAP = true
 ls := &LDAPServer{
 s: s,
- log: log.WithField("logger", "ldap-server"),
+ log: log.WithField("logger", "authentik.outpost.ldap"),
 ac: ac,
 providers: []*ProviderInstance{},
 }
diff --git a/outpost/pkg/ldap/search.go b/outpost/pkg/ldap/search.go
index 79f1626c6..ac50f3824 100644
--- a/outpost/pkg/ldap/search.go
+++ b/outpost/pkg/ldap/search.go
@@ -9,6 +9,7 @@ import (
 )
 func (ls *LDAPServer) Search(boundDN string, searchReq ldap.SearchRequest, conn net.Conn) (ldap.ServerSearchResult, error) {
+ ls.log.WithField("dn", boundDN).Info("search")
 bd, err := goldap.ParseDN(boundDN)
 if err != nil {
 return ldap.ServerSearchResult{ResultCode: ldap.LDAPResultOperationsError}, errors.New("invalid DN")
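Review bot: Returning `LDAPResultInsufficientAccessRights` on the `+` line, after what looks like a completed bind flow, tells an unauthenticated client that the supplied password was correct and only application policy rejected the user; the previous `LDAPResultInvalidCredentials` did not expose that distinction. A client guessing passwords can therefore confirm credentials against any account that is denied access to this provider. The `Info("Access denied for user")` line just above already gives operators the specific reason, so keeping `return ldap.LDAPResultInvalidCredentials, nil` on the wire, or making the more specific code an explicit per-provider opt-in, is the safer default. The enclosing `Bind` starts outside the hunk, so whether the access check only runs after the password has been validated is inferred from the ordering shown here.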
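Review bot: The added `Info("search")` line in search.go logs only the bound DN, so a reader cannot tell what was searched or from which client; `searchReq.BaseDN`, `searchReq.Filter` and `conn.RemoteAddr().String()` are all in scope here and are the fields that make a search log useful for spotting directory enumeration. Because this fires on every search it will be far noisier than the bind log in bind.go, so Debug level for the attempt, with Info reserved for the `invalid DN` path below, is worth considering. Filters carry client-supplied values, so they should go in as structured fields rather than be interpolated into the message.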