diff --git a/projects/cadcAccessControl-Server/src/ca/nrc/cadc/ac/server/ldap/LdapDAO.java b/projects/cadcAccessControl-Server/src/ca/nrc/cadc/ac/server/ldap/LdapDAO.java
index c30d3794e859f41e1e159eed0d7d6a7dfe953d64..902bb9ca62b1a487d0bb3692f19721c83d6d2775 100755
--- a/projects/cadcAccessControl-Server/src/ca/nrc/cadc/ac/server/ldap/LdapDAO.java
+++ b/projects/cadcAccessControl-Server/src/ca/nrc/cadc/ac/server/ldap/LdapDAO.java
@@ -181,17 +181,17 @@ public abstract class LdapDAO
             {
                 if (p instanceof HttpPrincipal)
                 {
-                    ldapField = "(uid=" + p.getName() + ")";
+                    ldapField = "(&(objectclass=inetorgperson)(uid=" + p.getName() + "))";
                     break;
                 }
                 if (p instanceof NumericPrincipal)
                 {
-                    ldapField = "(numericid=" + p.getName() + ")";
+                    ldapField = "(&(objectclass=cadcaccount)(numericid=" + p.getName() + "))";
                     break;
                 }
                 if (p instanceof X500Principal)
                 {
-                    ldapField = "(distinguishedname=" + p.getName() + ")";
+                    ldapField = "(&(objectclass=cadcaccount)(distinguishedname=" + p.getName() + "))";
                     break;
                 }
                 if (p instanceof OpenIdPrincipal)
@@ -208,9 +208,7 @@ public abstract class LdapDAO
 
             SearchResult searchResult =
                     getConnection().search(config.getUsersDN(), SearchScope.ONE,
-                            "(&(objectclass=cadcaccount)(objectclass=inetorgperson)" 
-                            + ldapField + ")", 
-                            "entrydn");
+                            ldapField, "entrydn");
 
             if (searchResult.getEntryCount() < 1)
             {