diff --git a/fiat-ldap/src/test/groovy/com/netflix/spinnaker/fiat/roles/ldap/LdapUserRolesProviderTest.groovy b/fiat-ldap/src/test/groovy/com/netflix/spinnaker/fiat/roles/ldap/LdapUserRolesProviderTest.groovy
index d9a5f75c5..b848b4ed6 100644
--- a/fiat-ldap/src/test/groovy/com/netflix/spinnaker/fiat/roles/ldap/LdapUserRolesProviderTest.groovy
+++ b/fiat-ldap/src/test/groovy/com/netflix/spinnaker/fiat/roles/ldap/LdapUserRolesProviderTest.groovy
@@ -328,6 +328,33 @@ class LdapUserRolesProviderTest extends Specification {
 1 * provider.loadRolesForUsers(_ as Collection)
 }
+ void "loadRolesForUser returns no roles when multiple DNs exist for a user id"(){
+ given:
+ def user = externalUser("user1")
+
+ def configProps = baseConfigProps()
+
+ def provider = Spy(LdapUserRolesProvider) {
+ 1 * setConfigProps(_ as LdapConfig.ConfigProps)
+ 1 * setLdapTemplate(_ as SpringSecurityLdapTemplate)
+ 1 * loadRolesForUser(_ as ExternalUser)
+ 1 * getUserFullDn(_ as String)
+ 0 * _
+ }
+ provider.ldapTemplate = Mock(SpringSecurityLdapTemplate) {
+ 1 * searchForSingleEntry(*_) >> { throw new IncorrectResultSizeDataAccessException(1) } //due to multiple DNs
+ 0 * _
+ }
+ provider.setConfigProps(configProps)
+
+ when:
+ configProps.groupSearchBase = "notEmpty"
+ configProps.userSearchFilter = "notEmpty"
+ def roles = provider.loadRolesForUser(user)
+
+ then:
+ roles == []
+ }
 private static ExternalUser externalUser(String id) {
 return new ExternalUser().setId(id)
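Review bot: The stub in the `provider.ldapTemplate` mock throws `new IncorrectResultSizeDataAccessException(1)`, which leaves the actual size unset (-1), so the test does not really model "multiple DNs". `searchForSingleEntry` raises the same exception type for zero matches, and a provider that branches on the actual size would not be exercised here. Prefer `1 * searchForSingleEntry(*_) >> { throw new IncorrectResultSizeDataAccessException(1, 2) }`, which also makes the trailing `//due to multiple DNs` comment redundant. The `configProps.groupSearchBase` and `configProps.userSearchFilter` assignments in `when:` are setup and read better in `given:` before `provider.setConfigProps(configProps)`; they take effect now only because the provider presumably keeps the same object reference. Since this test pins the fail-closed result for an ambiguous identity, a comment such as `// ambiguous uid -> DN mapping must yield no roles, never the first match` above `roles == []` would record why an empty list is the required outcome.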