The problem is that the password is no longer stored in the session (not even encrypted, just the sha1sum), but the LDAP backend tries to use this sha1sum as the (encrypted) password and decrypts and sends it, which is of course incorrect. In the attached patch, I've tried to use the login cookie instead of the session, in the same way as it is used in the normal authentication process. I have no LDAP setup to test this. Maybe you can test this; maybe Adrian Lang can test it, too.