diff --git a/keystone/exception.py b/keystone/exception.py
index 4f32e452c5..d5269bf1fd 100644
--- a/keystone/exception.py
+++ b/keystone/exception.py
@@ -603,3 +603,8 @@ class CredentialEncryptionError(Exception):
 class LDAPServerConnectionError(UnexpectedError):
 debug_message_format = _('Unable to establish a connection to ' 'LDAP Server (%(url)s).')
+
+
+class LDAPInvalidCredentialsError(UnexpectedError):
+ message_format = _('Unable to authenticate against Identity backend - ' 'Invalid username or password')
diff --git a/keystone/identity/backends/ldap/common.py b/keystone/identity/backends/ldap/common.py
index 52c39d3cf3..ae72fa31b3 100644
--- a/keystone/identity/backends/ldap/common.py
+++ b/keystone/identity/backends/ldap/common.py
@@ -1248,6 +1248,8 @@ class BaseLdap(object):
 conn.simple_bind_s()
 return conn
+ except ldap.INVALID_CREDENTIALS:
+ raise exception.LDAPInvalidCredentialsError()
 except ldap.SERVER_DOWN:
 raise exception.LDAPServerConnectionError( url=self.LDAP_URL)
diff --git a/keystone/tests/unit/test_backend_ldap.py b/keystone/tests/unit/test_backend_ldap.py
index 3f2652fdf3..56eb1ee9bf 100644
--- a/keystone/tests/unit/test_backend_ldap.py
+++ b/keystone/tests/unit/test_backend_ldap.py
@@ -1054,6 +1054,13 @@ class LDAPIdentity(BaseLDAPIdentity, unit.TestCase):
 name=u'Default')
 self.assertEqual([default_domain], domains)
+ def test_authenticate_wrong_credentials(self):
+ self.assertRaises(exception.LDAPInvalidCredentialsError,
+ self.identity_api.driver.user.get_connection,
+ user='demo',
+ password='demo',
+ end_user_auth=True)
+
 def test_configurable_allowed_project_actions(self):
 domain = self._get_domain_fixture()
 project = unit.new_project_ref(domain_id=domain['id'])
diff --git a/releasenotes/notes/bug-1684994-264fb8f182ced180.yaml b/releasenotes/notes/bug-1684994-264fb8f182ced180.yaml
new file mode 100644
index 0000000000..b9950e9b72
--- /dev/null
+++ b/releasenotes/notes/bug-1684994-264fb8f182ced180.yaml
@@ -0,0 +1,8 @@
+---
+fixes:
+ - |
+ [`bug 1684994 `_]
+ This catches the ldap.INVALID_CREDENTIALS exception thrown when
+ trying to connect to an LDAP backend with an invalid username
+ or password, and emits a message back to the user instead of
+ the default 500 error message.
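Review bot: `LDAPInvalidCredentialsError` places its detail text in `message_format`, whereas the sibling `LDAPServerConnectionError` directly above places its detail in `debug_message_format`; if `UnexpectedError` treats those two attributes the way that sibling implies, the new wording is returned to every API caller unconditionally instead of only on the debug-detail path. The phrase "Invalid username or password" is also misleading to an API caller when the rejected bind is keystone's own configured service account rather than the caller's credentials, and it reveals that the identity backend is LDAP. Consider keeping the generic `message_format` inherited from `UnexpectedError` and moving the specific text to `debug_message_format = _('Unable to authenticate against Identity backend (%(url)s) - invalid bind username or password')`, reusing the `%(url)s` placeholder the sibling class already uses. The same point applies to the `except ldap.INVALID_CREDENTIALS` hunk in keystone/identity/backends/ldap/common.py.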
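Review bot: The added `except ldap.INVALID_CREDENTIALS` branch raises `exception.LDAPInvalidCredentialsError()` with no context, while the adjacent `except ldap.SERVER_DOWN` branch passes `url=self.LDAP_URL`; an operator reading the new error cannot tell which LDAP server rejected the bind, and nothing distinguishes a wrong end-user password from a mis-configured service bind account. Assuming the exception base accepts keyword arguments the way `LDAPServerConnectionError(url=...)` does, `raise exception.LDAPInvalidCredentialsError(url=self.LDAP_URL)` lets a `%(url)s` debug message carry the server, and if the `end_user_auth` flag used by the new unit test is in scope here, the end-user case should keep its previous handling or raise a distinct exception so a bad user password is not reported as a server-side failure. The enclosing `try` and its method begin outside the hunk, so the availability of `end_user_auth` at this point is inferred from the test, not visible in the hunk.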
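Review bot: `test_authenticate_wrong_credentials` covers only the `end_user_auth=True` path of `get_connection`, yet the release note describes the fix in terms of connecting to the backend with an invalid configured username or password, which is the service-bind path with `end_user_auth` left at its default; that path has no test. The test also depends on the test LDAP backend rejecting the literal `'demo'`/`'demo'` pair, which is not stated anywhere in the hunk, so a short comment such as `# the fake LDAP server rejects these credentials; see the fixture setup` would make the expectation explicit. A second case calling `get_connection(user='demo', password='demo')` without `end_user_auth` and asserting the same exception would pin the behaviour the note actually claims.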