diff --git a/clientapi/auth/password.go b/clientapi/auth/password.go
index 05d044a9b..756a1b611 100644
--- a/clientapi/auth/password.go
+++ b/clientapi/auth/password.go
@@ -268,18 +268,40 @@ func (t *LoginTypePassword) authenticateLdap(username, password string) (bool, *
 userDN := result.Entries[0].DN
 err = conn.Bind(userDN, password)
 if err != nil {
+ var localpart string
+ localpart, _, err = userutil.ParseUsernameParam(username, t.Config.Matrix)
+ if err != nil {
+ return false, &util.JSONResponse{
+ Code: http.StatusUnauthorized,
+ JSON: jsonerror.InvalidUsername(err.Error()),
+ }
+ }
+ if t.Rt != nil {
+ t.Rt.Act(localpart)
+ }
 return false, &util.JSONResponse{
- Code: http.StatusUnauthorized,
- JSON: jsonerror.InvalidUsername(err.Error()),
+ Code: http.StatusForbidden,
+ JSON: jsonerror.Forbidden("The username or password was incorrect or the account does not exist."),
 }
 }
 } else {
 bindDn := strings.ReplaceAll(t.Config.Ldap.UserBindDn, "{username}", username)
 err = conn.Bind(bindDn, password)
 if err != nil {
+ var localpart string
+ localpart, _, err = userutil.ParseUsernameParam(username, t.Config.Matrix)
+ if err != nil {
+ return false, &util.JSONResponse{
+ Code: http.StatusUnauthorized,
+ JSON: jsonerror.InvalidUsername(err.Error()),
+ }
+ }
+ if t.Rt != nil {
+ t.Rt.Act(localpart)
+ }
 return false, &util.JSONResponse{
- Code: http.StatusUnauthorized,
- JSON: jsonerror.InvalidUsername(err.Error()),
+ Code: http.StatusForbidden,
+ JSON: jsonerror.Forbidden("The username or password was incorrect or the account does not exist."),
 }
 }
 }
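Review bot: In both failed-bind branches the attempt is recorded with `t.Rt.Act(localpart)` only when `userutil.ParseUsernameParam` succeeds, so a username that does not parse returns 401 with the parser's message and is never counted, even though the raw `username` has already been used for the bind (and substituted into `UserBindDn` in the second branch). Moving the `userutil.ParseUsernameParam(username, t.Config.Matrix)` call ahead of `conn.Bind` would validate every login the same way and leave the failure branch with only `if t.Rt != nil { t.Rt.Act(localpart) }` and the generic 403. Reusing `err` for the parse result also discards the bind error, and every bind failure is treated as bad credentials; if `conn.Bind` can fail for connection or server reasons, those failures would be counted against the user, so it is worth logging the bind error (never the password) and counting only credential rejections. The 13 added lines are identical in the two branches and would be easier to keep in sync as one small helper on `*LoginTypePassword`. authenticateLdap begins and ends outside this hunk, so whether the limiter is consulted before the bind is attempted cannot be seen here.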