diff --git a/salt/auth/ldap.py b/salt/auth/ldap.py
index bf04db858c..947af77f88 100644
--- a/salt/auth/ldap.py
+++ b/salt/auth/ldap.py
@@ -283,12 +283,14 @@ def auth(username, password):
         log.error('LDAP authentication requires python-ldap module')
         return False
+    bind = None
+
     # If bind credentials are configured, verify that we receive a valid bind
     if _config('binddn', mandatory=False) and _config('bindpw', mandatory=False):
-        bind = _bind_for_search(anonymous=_config('anonymous', mandatory=False))
+        search_bind = _bind_for_search(anonymous=_config('anonymous', mandatory=False))
         # If username & password are not None, attempt to verify they are valid
-        if bind and username and password:
+        if search_bind and username and password:
             bind = _bind(username, password, anonymous=_config('auth_by_group_membership_only', mandatory=False) and _config('anonymous', mandatory=False))
diff --git a/tests/unit/auth/test_ldap.py b/tests/unit/auth/test_ldap.py
index bd398961c6..279896b814 100644
--- a/tests/unit/auth/test_ldap.py
+++ b/tests/unit/auth/test_ldap.py
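Review bot: The comment `# If username & password are not None, attempt to verify they are valid` understates what the guard `if search_bind and username and password:` actually enforces: it also rejects empty strings, which matters because a non-empty DN bound with an empty password is an LDAP "unauthenticated bind" (RFC 4513 §5.1.2) that many directories accept and report as success. Suggest replacing it with `# Require a non-empty username AND password; an empty password would be an LDAP` / `# "unauthenticated bind" that many servers accept, and must never count as auth`. With `bind` now initialised to `None`, a missing credential or a failed search bind leaves it falsy, so the fail-closed outcome depends on the tail of `auth` treating a falsy `bind` as failure; the function continues past the hunk, so that cannot be confirmed here. The `else` path for deployments without `binddn`/`bindpw` is likewise outside the hunk, so whether the same non-empty-credential guard applies there is not visible.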
@@ -86,3 +86,24 @@ class LDAPAuthTestCase(TestCase):
         with patch.dict(salt.auth.ldap.__opts__, self.opts):
             with patch('salt.auth.ldap.auth', return_value=Bind):
                 self.assertIn('saltusers', salt.auth.ldap.groups('saltuser', password='password'))
+
+    def test_auth_nopass(self):
+        opts = self.opts.copy()
+        opts['auth.ldap.bindpw'] = 'p@ssw0rd!'
+        with patch.dict(salt.auth.ldap.__opts__, opts):
+            with patch('salt.auth.ldap._bind_for_search', return_value=Bind):
+                self.assertFalse(salt.auth.ldap.auth('foo', None))
+
+    def test_auth_nouser(self):
+        opts = self.opts.copy()
+        opts['auth.ldap.bindpw'] = 'p@ssw0rd!'
+        with patch.dict(salt.auth.ldap.__opts__, opts):
+            with patch('salt.auth.ldap._bind_for_search', return_value=Bind):
+                self.assertFalse(salt.auth.ldap.auth(None, 'foo'))
+
+    def test_auth_nouserandpass(self):
+        opts = self.opts.copy()
+        opts['auth.ldap.bindpw'] = 'p@ssw0rd!'
+        with patch.dict(salt.auth.ldap.__opts__, opts):
+            with patch('salt.auth.ldap._bind_for_search', return_value=Bind):
+                self.assertFalse(salt.auth.ldap.auth(None, None))
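Review bot: The three new tests cover `None` credentials but not the empty-string case that `auth` also rejects through truthiness, and that is the case that maps to an LDAP unauthenticated bind a server may accept; a case such as `self.assertFalse(salt.auth.ldap.auth('foo', ''))` (and `auth('', 'foo')`) would pin that behaviour against a later change of the guard to an `is not None` check. Because `_bind_for_search` is patched to a truthy `Bind` while `_bind` is left unpatched, the tests currently pass only as long as `auth` never reaches `_bind`; wrapping the call in `with patch('salt.auth.ldap._bind') as mock_bind:` and asserting `self.assertFalse(mock_bind.called)` would make that intent explicit rather than an accident of the unpatched helper being unreachable. The three methods differ only in the arguments passed, so one test looping over the `(user, password)` tuples would keep them from drifting apart as the fixture changes.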