diff --git a/app/assets/javascripts/app/controllers/_integration/ldap.coffee b/app/assets/javascripts/app/controllers/_integration/ldap.coffee
index 433b80b57..f3267e3f2 100644
--- a/app/assets/javascripts/app/controllers/_integration/ldap.coffee
+++ b/app/assets/javascripts/app/controllers/_integration/ldap.coffee
@@ -358,7 +358,6 @@ class ConnectionWizard extends App.WizardModal
         # remember payload
         user_attributes = {}
         for key, value of App.User.attributesGet()
-          continue if key == 'login'
           if (value.tag is 'input' || value.tag is 'richtext' || value.tag is 'textarea')  && value.type isnt 'password'
             user_attributes[key] = value.display || key
         roles = {}
@@ -394,6 +393,7 @@ class ConnectionWizard extends App.WizardModal
         givenname: 'firstname'
         sn: 'lastname'
         mail: 'email'
+        samaccountname: 'login'
         telephonenumber: 'phone'
 
     @userMappingForm.find('tbody tr.js-entry').remove()
@@ -417,14 +417,23 @@ class ConnectionWizard extends App.WizardModal
     for key in ['source', 'dest']
       if !_.isArray(user_attributes[key])
         user_attributes[key] = [user_attributes[key]]
-    user_attributes_local =
-      'samaccountname': 'login'
+    user_attributes_local = {}
     length = user_attributes.source.length-1
     for count in [0..length]
       if user_attributes.source[count] && user_attributes.dest[count]
         user_attributes_local[user_attributes.source[count]] = user_attributes.dest[count]
+
+    requiredAttribute = Object.keys(user_attributes_local).some( (local_attribute) ->
+      return user_attributes_local[local_attribute] == 'login'
+    )
+
     @wizardConfig.user_attributes = user_attributes_local
 
+    if !requiredAttribute
+      @showSlide('js-mapping')
+      @showAlert('js-mapping', App.i18n.translatePlain("Attribute '%s' is required in the mapping", 'login'))
+      return
+
     # group role map
     group_role_map = @formParam(@groupRoleForm)
     for key in ['source', 'dest']
@@ -448,17 +457,8 @@ class ConnectionWizard extends App.WizardModal
 
   buildRowsUserMap: (user_attribute_map) =>
 
-    # show static login row
-    userUidDisplayValue = @wizardConfig.wizardData.backend_user_attributes['samaccountname']
-
-    el = [
-      $(App.view('integration/ldap_user_attribute_row_read_only')(
-        key:   userUidDisplayValue,
-        value: 'Login'
-      ))
-    ]
+    el = []
     for source, dest of user_attribute_map
-      continue if source == 'samaccountname'
       continue if !(source of @wizardConfig.wizardData.backend_user_attributes)
       el.push @buildRowUserAttribute(source, dest)
     el
diff --git a/db/migrate/20180202000002_custom_ldap_login_attribute.rb b/db/migrate/20180202000002_custom_ldap_login_attribute.rb
new file mode 100644
index 000000000..60297d258
--- /dev/null
+++ b/db/migrate/20180202000002_custom_ldap_login_attribute.rb
@@ -0,0 +1,48 @@
+class CustomLdapLoginAttribute < ActiveRecord::Migration[5.1]
+  def up
+
+    # return if it's a new setup
+    return if !Setting.find_by(name: 'system_init_done')
+    return if no_change_needed?
+
+    perform_changes
+  end
+
+  private
+
+  def perform_changes
+    delete_spared
+    update_config
+  end
+
+  def delete_spared
+    # remove samaccountname which is always wrong if there is more than
+    # one other login attribute since it's automatically added
+    ldap_config[:user_attributes].delete('samaccountname')
+
+    # this should not happen but remove any other duplicate that
+    # maps to login and keep the "first" in the list
+    # - which is more or less random
+    login_attributes.reject { |e| e == 'samaccountname' }.drop(1).each do |spared|
+      ldap_config[:user_attributes].delete(spared)
+    end
+  end
+
+  def update_config
+    Import::Ldap.config = ldap_config
+  end
+
+  def login_attributes
+    @login_attributes ||= ldap_config[:user_attributes].select { |_local, remote| remote == 'login' }.keys
+  end
+
+  def no_change_needed?
+    return true if ldap_config.blank?
+    return true if ldap_config[:user_attributes].blank?
+    ldap_config[:user_attributes].values.count('login') < 2
+  end
+
+  def ldap_config
+    @ldap_config ||= Import::Ldap.config
+  end
+end
diff --git a/lib/sequencer/unit/import/ldap/user/mapping.rb b/lib/sequencer/unit/import/ldap/user/mapping.rb
index 53fe7498c..09ecfa477 100644
--- a/lib/sequencer/unit/import/ldap/user/mapping.rb
+++ b/lib/sequencer/unit/import/ldap/user/mapping.rb
@@ -9,13 +9,7 @@ class Sequencer
             private
 
             def mapping
-              ldap_config[:user_attributes].dup.tap do |config|
-                # fallback to samaccountname as login
-                # if no login is given via mapping
-                if !config.values.include?('login')
-                  config['samaccountname'] = 'login'
-                end
-              end
+              ldap_config[:user_attributes]
             end
           end
         end