diff --git a/README.md b/README.md index 80649bb6..b1ae48ad 100644 --- a/README.md +++ b/README.md @@ -50,7 +50,7 @@ $ vault write sys/plugins/catalog/kerberos-auth-plugin sha_256="$(shasum -a 256 2. Enable the Kerberos auth method: ```sh -$ vault auth-enable -path=kerberos -plugin-name=kerberos-auth-plugin plugin +$ vault auth-enable -path=kerberos -plugin-name=kerberos-auth-plugin -passthrough-request-headers=Authorization plugin Successfully enabled 'kerberos' at 'kerberos'! ``` @@ -77,7 +77,7 @@ base64 vault.keytab > vault.keytab.base64 vault write auth/kerberos/config keytab=@vault.keytab.base64 service_account="your_service_account" ``` -4. Optionally configure LDAP backend to look up Vault policies. +4. Configure LDAP backend to look up Vault policies. Configuration for LDAP is identical to the [LDAP](https://www.vaultproject.io/docs/auth/ldap.html) auth method, but writing to to the Kerberos endpoint: @@ -86,6 +86,9 @@ vault write auth/kerberos/config/ldap @vault-config/auth/ldap/config vault write auth/kerberos/groups/example-role @vault-config/auth/ldap/groups/example-role ``` +In non-kerberos mode, the LDAP bind and lookup works via the user that is currently trying to authenticate. +If you're running LDAP together with Kerberos you might want to set a binddn/bindpass in the ldap config. + ## Developing If you wish to work on this plugin, you'll first need diff --git a/path_login.go b/path_login.go index 46d70b48..5606db12 100644 --- a/path_login.go +++ b/path_login.go 
@@ -100,7 +100,14 @@ func (b *backend) pathLogin(ctx context.Context, req *logical.Request, d *framew
 // Clean ldap connection
 defer ldapConnection.Close()
 
- authorizationString := d.Get("authorization").(string)
+ authorizationString := ""
+ authorizationHeaders := req.Headers["Authorization"]
+ if len(authorizationHeaders) > 0 {
+ authorizationString = authorizationHeaders[0]
+ } else {
+ authorizationString = d.Get("authorization").(string)
+ }
+
 s := strings.SplitN(authorizationString, " ", 2)
 if len(s) != 2 || s[0] != "Negotiate" {
 return logical.ErrorResponse("Missing or invalid authorization"), nil
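Review bot: The new header branch silently disables the body fallback: once any `Authorization` header is present, `d.Get("authorization")` is never read, so a request that arrives with a non-Negotiate header (one injected by a proxy, for instance) and the SPNEGO token in the body now fails at the `Negotiate` check where it previously succeeded, and only `authorizationHeaders[0]` is ever considered. Gating the header branch on the scheme keeps the old path working: `if len(authorizationHeaders) > 0 && strings.HasPrefix(authorizationHeaders[0], "Negotiate ") {`. The lookup also assumes the key reaches the plugin in canonical form; whether Vault's passthrough preserves `Authorization` exactly is not visible here, so either use `http.CanonicalHeaderKey("Authorization")` or add a comment stating that the key is guaranteed canonical. As a style nit, `authorizationString := ""` followed by an assignment in both branches reads more naturally as `var authorizationString string`. pathLogin starts and ends outside this hunk.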