diff --git a/authserv/auth.py b/authserv/auth.py
index 237f3ca505c56345e72e59bad1dad25502823cc6..f62993ab66ec650742080f78c4156ca2bc946f4c 100644
--- a/authserv/auth.py
+++ b/authserv/auth.py
@@ -37,6 +37,8 @@ def authenticate(user, service, password, otp_token):
         if _check_app_specific_password(user.get_app_specific_passwords(service),
                                         password) == protocol.OK:
             return protocol.OK
+        else:
+            return protocol.ERR_AUTHENTICATION_FAILURE
 
     if user.otp_enabled():
         if not otp_token:
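Review bot: The added `else` branch is the security-relevant line of this change and it has no comment. Judging by the new tests, it is what keeps the primary password (with or without an OTP) from being accepted on a service that uses app-specific passwords, yet it looks like a removable branch to a later cleanup. I would add a comment above it such as `# A service with app-specific passwords must never fall through to the primary password / OTP checks below.` Because it follows a `return`, the `else:` can also be dropped and `return protocol.ERR_AUTHENTICATION_FAILURE` dedented one level. The enclosing `if` condition and the rest of `authenticate` are outside the hunk, so it is worth confirming that a user with no app-specific passwords for the service does not reach this branch.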
diff --git a/authserv/test/fixtures/test-user-totp.ldif b/authserv/test/fixtures/test-user-totp.ldif
index 4e917dbed644a4296878ae260f40030d087248c3..096deeb565195b912bd7392eb524dc587501e50e 100644
--- a/authserv/test/fixtures/test-user-totp.ldif
+++ b/authserv/test/fixtures/test-user-totp.ldif
@@ -20,6 +20,7 @@ givenName: Private
 shadowLastChange: 12345
 shadowWarning: 7
 userPassword:: e2NyeXB0fXp6WFVIZlVSbkdnOEk=
+totpSecret: 089421
 
 dn: mail=test@investici.org,uid=test@investici.org,ou=People,dc=investici,dc=org,o=Anarchy
 changetype: add
@@ -37,6 +38,5 @@ originalHost: latitanza
 userPassword:: e2NyeXB0fXp6WFVIZlVSbkdnOEk=
 recoverQuestion: question
 recoverAnswer:: e2NyeXB0fWFhd1IuamRHTVIwMTY=
-totpSecret: 089421
 appSpecificPassword:: bWFpbDokMSQkNXp2RTI5emVIOVc3S0sweVRPMERaMQ==
 
diff --git a/authserv/test/test_auth_ldap.py b/authserv/test/test_auth_ldap.py
index 9e72a4c3d67e43e453a7befd5d2677fed6030f85..08fe57ef4bc3755997205ced10b3d27585d33895 100644
--- a/authserv/test/test_auth_ldap.py
+++ b/authserv/test/test_auth_ldap.py
@@ -12,6 +12,10 @@ class LdapAuthTestBase(LdapTestBase):
             'base': 'ou=People,dc=investici,dc=org,o=Anarchy',
             'filter': '(&(status=active)(mail=%s))',
         },
+        'account': {
+            'dn': 'uid=%s,ou=People,dc=investici,dc=org,o=Anarchy',
+        },
+        'aliased-service': 'account',
     }
 
     def setUp(self):
@@ -28,6 +32,18 @@ class LdapAuthTest(LdapAuthTestBase):
         'test-user.ldif',
     ]
 
+    def test_userdb_get_user(self):
+        self.assertTrue(
+            self.userdb.get_user('test@investici.org', 'account'))
+
+    def test_userdb_unknown_service(self):
+        self.assertFalse(
+            self.userdb.get_user('test@investici.org', 'unknownservice'))
+
+    def test_userdb_service_alias(self):
+        self.assertTrue(
+            self.userdb.get_user('test@investici.org', 'aliased-service'))
+
     def test_auth_password_ok(self):
         u = self.userdb.get_user('test@investici.org', 'mail')
         self.assertTrue(u)
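Review bot: `test_userdb_service_alias` only asserts that the lookup is truthy, so it would still pass if `'aliased-service'` resolved to some other service's search settings rather than to `'account'`. Since the service name appears to select which credentials are checked, the test should also establish that the alias and its target return the same entry. The user object's accessors are not visible in this diff, so at minimum I would leave `# TODO: assert this is the same entry get_user(..., 'account') returns` in the test. The `LdapAuthTest` class and `test_auth_password_ok` extend beyond the hunk.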
@@ -50,48 +66,68 @@ class LdapOtpTest(LdapAuthTestBase):
     ]
 
     def test_auth_password_requires_otp(self):
-        u = self.userdb.get_user('test@investici.org', 'mail')
+        u = self.userdb.get_user('test@investici.org', 'account')
         self.assertTrue(u)
         self.assertEquals(
             protocol.ERR_OTP_REQUIRED,
-            authenticate(u, 'mail', 'password', None))
+            authenticate(u, 'account', 'password', None))
 
     def test_auth_bad_password_requires_otp(self):
-        u = self.userdb.get_user('test@investici.org', 'mail')
+        u = self.userdb.get_user('test@investici.org', 'account')
         self.assertTrue(u)
         self.assertEquals(
             protocol.ERR_OTP_REQUIRED,
-            authenticate(u, 'mail', 'wrong password', None))
+            authenticate(u, 'account', 'wrong password', None))
 
     def test_auth_otp_ok(self):
-        u = self.userdb.get_user('test@investici.org', 'mail')
+        u = self.userdb.get_user('test@investici.org', 'account')
         self.assertTrue(u)
         secret= '089421'
         token = totp(secret, format='dec6', period=30)
         self.assertEquals(
             protocol.OK,
-            authenticate(u, 'mail', 'password', str(token)))
+            authenticate(u, 'account', 'password', str(token)))
 
     def test_auth_otp_ok_bad_password(self):
-        u = self.userdb.get_user('test@investici.org', 'mail')
+        u = self.userdb.get_user('test@investici.org', 'account')
         self.assertTrue(u)
         secret= '089421'
         token = totp(secret, format='dec6', period=30)
         self.assertEquals(
             protocol.ERR_AUTHENTICATION_FAILURE,
-            authenticate(u, 'mail', 'wrong password', str(token)))
+            authenticate(u, 'account', 'wrong password', str(token)))
 
     def test_auth_bad_otp(self):
-        u = self.userdb.get_user('test@investici.org', 'mail')
+        u = self.userdb.get_user('test@investici.org', 'account')
         self.assertTrue(u)
         self.assertEquals(
             protocol.ERR_AUTHENTICATION_FAILURE,
-            authenticate(u, 'mail', 'password', '123456'))
+            authenticate(u, 'account', 'password', '123456'))
 
-    def test_app_specific_password(self):
+
+class LdapASPTest(LdapAuthTestBase):
+
+    LDIFS = [
+        'test-user-totp.ldif',
+    ]
+
+    def test_app_specific_password_ok(self):
         u = self.userdb.get_user('test@investici.org', 'mail')
         self.assertTrue(u)
         self.assertEquals(
             protocol.OK,
             authenticate(u, 'mail', 'veryspecificpassword', None))
 
+    def test_plain_password_fails(self):
+        u = self.userdb.get_user('test@investici.org', 'mail')
+        self.assertTrue(u)
+        self.assertEquals(
+            protocol.ERR_AUTHENTICATION_FAILURE,
+            authenticate(u, 'mail', 'password', None))
+
+    def test_plain_password_and_otp_fails(self):
+        u = self.userdb.get_user('test@investici.org', 'mail')
+        self.assertTrue(u)
+        self.assertEquals(
+            protocol.ERR_AUTHENTICATION_FAILURE,
+            authenticate(u, 'mail', 'password', '123456'))
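Review bot: `test_plain_password_and_otp_fails` passes the fixed string `'123456'` rather than a valid token, so no test covers the case the `auth.py` change matters most for: correct primary password plus a correct OTP on a service that has app-specific passwords. The fixture change in this commit appears to move `totpSecret` off the entry that carries `appSpecificPassword`, so the case cannot be exercised with the current data. I would add a fixture entry that has both attributes and build the token as the OTP tests do, `token = totp(secret, format='dec6', period=30)`, then assert `protocol.ERR_AUTHENTICATION_FAILURE` for service `'mail'`. As a style point, the new tests use `assertEquals`, a deprecated alias of `assertEqual`.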