diff --git a/src/main/java/org/codelibs/fess/ldap/LdapManager.java b/src/main/java/org/codelibs/fess/ldap/LdapManager.java
index ec4472388..c3ad3c921 100644
--- a/src/main/java/org/codelibs/fess/ldap/LdapManager.java
+++ b/src/main/java/org/codelibs/fess/ldap/LdapManager.java
@@ -161,10 +161,17 @@ public class LdapManager {
 final Hashtable env = createSearchEnv(username, password);
 try (DirContextHolder holder = getDirContext(() -> env)) {
 final DirContext context = holder.get();
- if (logger.isDebugEnabled()) {
- logger.debug("Logged in.", context);
+ final LdapUser ldapUser = createLdapUser(username, env);
+ if (!fessConfig.isLdapAllowEmptyPermission() && ldapUser.getPermissions().length == 0) {
+ if (logger.isDebugEnabled()) {
+ logger.debug("Login failed. No permissions. {}", context);
+ }
+ return OptionalEntity.empty();
 }
- return OptionalEntity.of(createLdapUser(username, env));
+ if (logger.isDebugEnabled()) {
+ logger.debug("Logged in. {}", context);
+ }
+ return OptionalEntity.of(ldapUser);
 } catch (final Exception e) {
 logger.debug("Login failed.", e);
 }
@@ -175,10 +182,17 @@ public class LdapManager {
 final Hashtable env = createSearchEnv();
 try (DirContextHolder holder = getDirContext(() -> env)) {
 final DirContext context = holder.get();
+ final LdapUser ldapUser = createLdapUser(username, env);
+ if (!fessConfig.isLdapAllowEmptyPermission() && ldapUser.getPermissions().length == 0) {
+ if (logger.isDebugEnabled()) {
+ logger.debug("Login failed. No permissions. {}", context);
+ }
+ return OptionalEntity.empty();
+ }
 if (logger.isDebugEnabled()) {
 logger.debug("Logged in.", context);
 }
- return OptionalEntity.of(createLdapUser(username, env));
+ return OptionalEntity.of(ldapUser);
 } catch (final Exception e) {
 logger.debug("Login failed.", e);
 }
diff --git a/src/main/java/org/codelibs/fess/mylasta/direction/FessConfig.java b/src/main/java/org/codelibs/fess/mylasta/direction/FessConfig.java
index d16817fd6..5b8fb4bfe 100644
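Review bot: The new deny branch at `logger.debug("Login failed. No permissions. {}", context)` records a refused authentication only at debug level, so with a normal log configuration an operator gets no trace of logins being rejected because the directory user resolved to zero permissions; a denial that this option deliberately introduces deserves at least an info-level entry naming the account (never the credentials), e.g. `logger.info("LDAP login rejected for {}: user has no permissions.", username);`. The same six-line check is added again in the second hunk of this file; a private helper such as `private boolean hasNoPermissions(final LdapUser ldapUser)` returning `!fessConfig.isLdapAllowEmptyPermission() && ldapUser.getPermissions().length == 0` would keep the two login paths from drifting apart. Whether `getPermissions()` can return null is not visible here; if it can, the length check would throw inside the try and be swallowed by the existing `catch (final Exception e)` at debug level. The enclosing method starts before the hunk.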
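Review bot: The retained `logger.debug("Logged in.", context)` in this hunk still has no `{}` placeholder, so the `context` argument is never rendered into the message; the first hunk corrected its copy to `"Logged in. {}"` but this one was left unchanged, leaving the two login methods inconsistent. Change it to `logger.debug("Logged in. {}", context);`. The enclosing method starts before the hunk.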
--- a/src/main/java/org/codelibs/fess/mylasta/direction/FessConfig.java +++ b/src/main/java/org/codelibs/fess/mylasta/direction/FessConfig.java @@ -1583,6 +1583,9 @@ public interface FessConfig extends FessEnv, org.codelibs.fess.mylasta.direction /** The key of the configuration. e.g. false */ String LDAP_LOWERCASE_PERMISSION_NAME = "ldap.lowercase.permission.name"; + /** The key of the configuration. e.g. true */ + String LDAP_ALLOW_EMPTY_PERMISSION = "ldap.allow.empty.permission"; + /** The key of the configuration. e.g. true */ String LDAP_ROLE_SEARCH_USER_ENABLED = "ldap.role.search.user.enabled"; @@ -6829,6 +6832,20 @@ public interface FessConfig extends FessEnv, org.codelibs.fess.mylasta.direction */ boolean isLdapLowercasePermissionName(); + /** + * Get the value for the key 'ldap.allow.empty.permission'.
+ * The value is, e.g. true
+ * @return The value of found property. (NotNull: if not found, exception but basically no way) + */ + String getLdapAllowEmptyPermission(); + + /** + * Is the property for the key 'ldap.allow.empty.permission' true?
+ * The value is, e.g. true
+ * @return The determination, true or false. (if not found, exception but basically no way) + */ + boolean isLdapAllowEmptyPermission(); + /** * Get the value for the key 'ldap.role.search.user.enabled'.
* The value is, e.g. true
@@ -9839,6 +9856,14 @@ public interface FessConfig extends FessEnv, org.codelibs.fess.mylasta.direction return is(FessConfig.LDAP_LOWERCASE_PERMISSION_NAME); } + public String getLdapAllowEmptyPermission() { + return get(FessConfig.LDAP_ALLOW_EMPTY_PERMISSION); + } + + public boolean isLdapAllowEmptyPermission() { + return is(FessConfig.LDAP_ALLOW_EMPTY_PERMISSION); + } + public String getLdapRoleSearchUserEnabled() { return get(FessConfig.LDAP_ROLE_SEARCH_USER_ENABLED); } @@ -10495,6 +10520,7 @@ public interface FessConfig extends FessEnv, org.codelibs.fess.mylasta.direction defaultMap.put(FessConfig.LDAP_IGNORE_NETBIOS_NAME, "true"); defaultMap.put(FessConfig.LDAP_GROUP_NAME_WITH_UNDERSCORES, "false"); defaultMap.put(FessConfig.LDAP_LOWERCASE_PERMISSION_NAME, "false"); + defaultMap.put(FessConfig.LDAP_ALLOW_EMPTY_PERMISSION, "true"); defaultMap.put(FessConfig.LDAP_ROLE_SEARCH_USER_ENABLED, "true"); defaultMap.put(FessConfig.LDAP_ROLE_SEARCH_GROUP_ENABLED, "true"); defaultMap.put(FessConfig.LDAP_ROLE_SEARCH_ROLE_ENABLED, "true"); diff --git a/src/main/resources/fess_config.properties b/src/main/resources/fess_config.properties index 64c195c2f..3ec103369 100644 --- a/src/main/resources/fess_config.properties +++ b/src/main/resources/fess_config.properties @@ -818,6 +818,7 @@ ldap.max.username.length=-1 ldap.ignore.netbios.name=true ldap.group.name.with.underscores=false ldap.lowercase.permission.name=false +ldap.allow.empty.permission=true ldap.role.search.user.enabled=true ldap.role.search.group.enabled=true