diff --git a/errors/errors.go b/errors/errors.go
index 4e0a102a..3d9aa32b 100644
--- a/errors/errors.go
+++ b/errors/errors.go
@@ -3,20 +3,21 @@ package errors
 import "errors"
 
 var (
-	ErrBadConfig        = errors.New("config: invalid config")
-	ErrRepoNotFound     = errors.New("repository: not found")
-	ErrRepoIsNotDir     = errors.New("repository: not a directory")
-	ErrRepoBadVersion   = errors.New("repository: unsupported layout version")
-	ErrManifestNotFound = errors.New("manifest: not found")
-	ErrBadManifest      = errors.New("manifest: invalid contents")
-	ErrUploadNotFound   = errors.New("uploads: not found")
-	ErrBadUploadRange   = errors.New("uploads: bad range")
-	ErrBlobNotFound     = errors.New("blob: not found")
-	ErrBadBlob          = errors.New("blob: bad blob")
-	ErrBadBlobDigest    = errors.New("blob: bad blob digest")
-	ErrUnknownCode      = errors.New("error: unknown error code")
-	ErrBadCACert        = errors.New("tls: invalid ca cert")
-	ErrBadUser          = errors.New("ldap: non-existent user")
-	ErrEntriesExceeded  = errors.New("ldap: too many entries returned")
-	ErrLDAPConfig       = errors.New("config: invalid LDAP configuration")
+	ErrBadConfig           = errors.New("config: invalid config")
+	ErrRepoNotFound        = errors.New("repository: not found")
+	ErrRepoIsNotDir        = errors.New("repository: not a directory")
+	ErrRepoBadVersion      = errors.New("repository: unsupported layout version")
+	ErrManifestNotFound    = errors.New("manifest: not found")
+	ErrBadManifest         = errors.New("manifest: invalid contents")
+	ErrUploadNotFound      = errors.New("uploads: not found")
+	ErrBadUploadRange      = errors.New("uploads: bad range")
+	ErrBlobNotFound        = errors.New("blob: not found")
+	ErrBadBlob             = errors.New("blob: bad blob")
+	ErrBadBlobDigest       = errors.New("blob: bad blob digest")
+	ErrUnknownCode         = errors.New("error: unknown error code")
+	ErrBadCACert           = errors.New("tls: invalid ca cert")
+	ErrBadUser             = errors.New("ldap: non-existent user")
+	ErrEntriesExceeded     = errors.New("ldap: too many entries returned")
+	ErrLDAPEmptyPassphrase = errors.New("ldap: empty passphrase")
+	ErrLDAPConfig          = errors.New("config: invalid LDAP configuration")
 )
diff --git a/pkg/api/ldap.go b/pkg/api/ldap.go
index a7dad16c..153cbc61 100644
--- a/pkg/api/ldap.go
+++ b/pkg/api/ldap.go
@@ -71,6 +71,11 @@ func (lc *LDAPClient) Connect() error {
 
 // Authenticate authenticates the user against the ldap backend.
 func (lc *LDAPClient) Authenticate(username, password string) (bool, map[string]string, error) {
+	if password == "" {
+		// RFC 4513 section 5.1.2
+		return false, nil, errors.ErrLDAPEmptyPassphrase
+	}
+
 	err := lc.Connect()
 	if err != nil {
 		return false, nil, err