diff --git a/builtin/credential/ldap/backend.go b/builtin/credential/ldap/backend.go
index e5caa35af..a68083183 100644
--- a/builtin/credential/ldap/backend.go
+++ b/builtin/credential/ldap/backend.go
@@ -7,6 +7,7 @@ import (
 
 "github.com/go-ldap/ldap"
 "github.com/hashicorp/vault/helper/mfa"
+ "github.com/hashicorp/vault/helper/strutil"
 "github.com/hashicorp/vault/logical"
 "github.com/hashicorp/vault/logical/framework"
 )
@@ -158,6 +159,9 @@ func (b *backend) Login(req *logical.Request, username string, password string)
 }
 }
 
+ // Policies from each group may overlap
+ policies = strutil.RemoveDuplicates(policies)
+
 if len(policies) == 0 {
 errStr := "user is not a member of any authorized group"
 if len(ldapResponse.Warnings()) > 0 {
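Review bot: The comment above the added `strutil.RemoveDuplicates(policies)` call explains why duplicates arise, but not what else the helper does to the list. That matters here because the result feeds the `len(policies) == 0` authorization check directly below it. The helper's body is not in this diff; if it also drops empty strings or changes case or order, the call site should say so, for example `// Policies from each group may overlap; normalise before the empty check so a user whose groups yield only blank entries is still rejected`. A test with two groups that share a policy would pin the intended result. Login starts and ends outside this hunk, so how `policies` is built and used afterwards cannot be checked from here.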