diff --git a/extensions/guacamole-auth-ldap/src/main/java/org/apache/guacamole/auth/ldap/AuthenticationProviderService.java b/extensions/guacamole-auth-ldap/src/main/java/org/apache/guacamole/auth/ldap/AuthenticationProviderService.java
index 9004c132b..a9f39cf7f 100644
--- a/extensions/guacamole-auth-ldap/src/main/java/org/apache/guacamole/auth/ldap/AuthenticationProviderService.java
+++ b/extensions/guacamole-auth-ldap/src/main/java/org/apache/guacamole/auth/ldap/AuthenticationProviderService.java
@@ -204,18 +204,26 @@ public class AuthenticationProviderService {
         
         // Attempt bind
         LdapNetworkConnection ldapConnection = ldapService.bindAs(bindDn, password);
-            
-        // Retrieve group membership of the user that just authenticated
-        Set<String> effectiveGroups =
-                userGroupService.getParentUserGroupIdentifiers(ldapConnection,
-                        bindDn);
+        try {
 
-        // Return AuthenticatedUser if bind succeeds
-        LDAPAuthenticatedUser authenticatedUser = authenticatedUserProvider.get();
-        authenticatedUser.init(credentials, getAttributeTokens(ldapConnection,
-                bindDn), effectiveGroups, bindDn);
-        
-        return authenticatedUser;
+            // Retrieve group membership of the user that just authenticated
+            Set<String> effectiveGroups =
+                    userGroupService.getParentUserGroupIdentifiers(ldapConnection,
+                            bindDn);
+
+            // Return AuthenticatedUser if bind succeeds
+            LDAPAuthenticatedUser authenticatedUser = authenticatedUserProvider.get();
+            authenticatedUser.init(credentials, getAttributeTokens(ldapConnection,
+                    bindDn), effectiveGroups, bindDn);
+
+            return authenticatedUser;
+
+        }
+
+        // Always disconnect
+        finally {
+            ldapService.disconnect(ldapConnection);
+        }
 
     }