diff --git a/backend/ldap.go b/backend/ldap.go
index aa10edd5c23b083f9d1c0e3bff44734f67451cdd..d7035ac7554802a2ca8b45fe8bedeb16e1878c8e 100644
--- a/backend/ldap.go
+++ b/backend/ldap.go
@@ -73,6 +73,7 @@ func (c *LDAPQueryConfig) searchRequest(username string, attrs ...string) *ldap.
 type LDAPConfig struct {
 	URI        string           `yaml:"uri"`
 	BindDN     string           `yaml:"bind_dn"`
+	BindPw     string           `yaml:"bind_pw"`
 	BindPwFile string           `yaml:"bind_pw_file"`
 	Query      *LDAPQueryConfig `yaml:"query"`
 }
@@ -85,8 +86,8 @@ func (c *LDAPConfig) Valid() error {
 	if c.BindDN == "" {
 		return errors.New("empty bind_dn")
 	}
-	if c.BindPwFile == "" {
-		return errors.New("empty bind_pw_file")
+	if (c.BindPwFile == "" && c.BindPw == "") || (c.BindPwFile != "" && c.BindPw != "") {
+		return errors.New("only one of bind_pw_file or bind_pw must be set")
 	}
 	if c.Query == nil {
 		return errors.New("missing query configuration")
@@ -106,13 +107,17 @@ func NewLDAPBackend(config *LDAPConfig) (*ldapBackend, error) {
 	}
 
 	// Read the bind password.
-	bindPw, err := ioutil.ReadFile(config.BindPwFile)
-	if err != nil {
-		return nil, err
+	bindPw := config.BindPw
+	if config.BindPwFile != "" {
+		pwData, err := ioutil.ReadFile(config.BindPwFile)
+		if err != nil {
+			return nil, err
+		}
+		bindPw = strings.TrimSpace(string(pwData))
 	}
 
 	// Connect.
-	pool, err := ldaputil.NewConnectionPool(config.URI, config.BindDN, strings.TrimSpace(string(bindPw)), 5)
+	pool, err := ldaputil.NewConnectionPool(config.URI, config.BindDN, bindPw, 5)
 	if err != nil {
 		return nil, err
 	}