diff --git a/src/authentic2/views.py b/src/authentic2/views.py
index ad3c8acb6..383726a10 100644
--- a/src/authentic2/views.py
+++ b/src/authentic2/views.py
@@ -1362,6 +1362,9 @@ class SuView(View):
 user = switch_user.resolve_token(uuid)
 if not user:
 raise Http404
+ # LDAP ad-hoc behaviour
+ if user.userexternalid_set.exists():
+ user = utils.authenticate(request, user=user)
 return utils.simulate_authentication(request, user, 'su')
diff --git a/tests/test_ldap.py b/tests/test_ldap.py
index 615c3d25d..a159b8db9 100644
--- a/tests/test_ldap.py
+++ b/tests/test_ldap.py
@@ -36,7 +36,7 @@ from authentic2.a2_rbac.models import Role
 from authentic2.a2_rbac.utils import get_default_ou
 from authentic2.backends import ldap_backend
 from authentic2.models import Service
-from authentic2.utils import authenticate
+from authentic2.utils import authenticate, switch_user
 from django_rbac.utils import get_ou_model
 from . import utils
@@ -1653,3 +1653,25 @@ def test_config_to_lowercase():
 }
 ],
 }
+
+
+def test_switch_user_ldap_user(slapd, settings, app, db):
+ settings.LDAP_AUTH_SETTINGS = [
+ {
+ 'url': [slapd.ldap_url],
+ 'binddn': force_text(slapd.root_bind_dn),
+ 'bindpw': force_text(slapd.root_bind_password),
+ 'basedn': u'o=ôrga',
+ 'use_tls': False,
+ 'attributes': ['carLicense'],
+ }
+ ]
+ # get all users
+ management.call_command('sync-ldap-users', verbosity=2)
+
+ user = User.objects.get(username=USERNAME + '@ldap')
+ url = switch_user.build_url(user)
+ response = app.get(url).follow()
+ assert app.session['_auth_user_backend'] == 'authentic2.backends.ldap_backend.LDAPBackendPasswordLost'
+ template_user = response.context['user']
+ assert 'carlicense' in template_user.get_attributes(object(), {})
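Review bot: In the SuView hunk of src/authentic2/views.py, the result of `utils.authenticate(request, user=user)` goes straight to `simulate_authentication` with no check. If that helper follows Django's `authenticate` contract and returns None when no backend accepts the user (LDAP entry removed, directory unreachable), the impersonation request would continue with no user; adding `if not user: raise Http404` after the call keeps that path identical to an unresolved token. The comment `# LDAP ad-hoc behaviour` would say more as `# Re-authenticate externally linked users through the backends so the session carries the LDAP backend and its attributes`. The method begins above the hunk, so this rests on the visible lines only.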
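Review bot: test_switch_user_ldap_user in tests/test_ldap.py asserts the backend name and the `carlicense` attribute, but never that the session belongs to the account the token was built for. That is the property an impersonation endpoint most needs pinned, now that the view replaces the user object with whatever the backend returns. Adding `assert app.session['_auth_user_id'] == str(user.pk)` after the `.follow()` call would cover it. A second case, where the LDAP-linked account can no longer be authenticated by the backend, would document the intended response on that path.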