diff --git a/builtin/credential/ldap/backend.go b/builtin/credential/ldap/backend.go
index ffc1d1ee8..ec4a0f29b 100644
--- a/builtin/credential/ldap/backend.go
+++ b/builtin/credential/ldap/backend.go
@@ -9,6 +9,7 @@ import (
 "strings" "github.com/hashicorp/go-secure-stdlib/strutil" + "github.com/hashicorp/vault/sdk/framework" "github.com/hashicorp/vault/sdk/helper/ldaputil" "github.com/hashicorp/vault/sdk/logical"
@@ -96,7 +97,7 @@ func (b *backend) Login(ctx context.Context, req *logical.Request, username stri
 if b.Logger().IsDebug() {
 b.Logger().Debug("error getting user bind DN", "error", err)
 }
- return "", nil, logical.ErrorResponse(errUserBindFailed), nil, nil
+ return "", nil, logical.ErrorResponse(errUserBindFailed), nil, logical.ErrInvalidCredentials
 }
 if b.Logger().IsDebug() {
diff --git a/builtin/credential/ldap/path_login.go b/builtin/credential/ldap/path_login.go
index 440e72539..782b32e26 100644
--- a/builtin/credential/ldap/path_login.go
+++ b/builtin/credential/ldap/path_login.go
@@ -83,17 +83,8 @@ func (b *backend) pathLogin(ctx context.Context, req *logical.Request, d *framew
 password := d.Get("password").(string)
 effectiveUsername, policies, resp, groupNames, err := b.Login(ctx, req, username, password, cfg.UsernameAsAlias)
- // Handle an internal error
- if err != nil {
- return nil, err
- }
- if resp != nil {
- // Handle a logical error
- if resp.IsError() {
- return resp, nil
- }
- } else {
- resp = &logical.Response{}
+ if err != nil || (resp != nil && resp.IsError()) {
+ return resp, err
 }
 auth := &logical.Auth{
diff --git a/changelog/21282.txt b/changelog/21282.txt
new file mode 100644
index 000000000..03f22e485
--- /dev/null
+++ b/changelog/21282.txt
@@ -0,0 +1,3 @@
+```release-note:change
+auth/ldap: Normalize HTTP response codes when invalid credentials are provided
+```
diff --git a/vault/request_handling.go b/vault/request_handling.go
index d23232854..93903d9ef 100644
--- a/vault/request_handling.go
+++ b/vault/request_handling.go
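Review bot: In builtin/credential/ldap/backend.go, only the "error getting user bind DN" branch of `Login` is shown returning `logical.ErrInvalidCredentials`, so the normalization described in the changelog holds only if every other credential-failure return in `Login` yields the same response and error pair. `Login` starts and ends outside the hunk, so those other returns should be checked; a path that still returns a nil error would let a caller tell an unknown username from a wrong password by the status code. The `err` on this branch may also come from a directory or connection failure rather than a bad username, and it is now reported as invalid credentials as well; confirm that is intended. A comment on the new return would record the intent, for example `// Report a failed DN lookup as invalid credentials so it is handled like any other credential failure.`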
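Review bot: In builtin/credential/ldap/path_login.go, the rewritten check in `pathLogin` drops the old `else { resp = &logical.Response{} }` default, so a nil `resp` returned with a nil `err` from `b.Login` now continues past the early return unchanged. The rest of `pathLogin` is outside the hunk; if it later writes to `resp`, that would be a nil dereference, so either confirm that `Login` always returns a non-nil response on success or keep the default with `if resp == nil { resp = &logical.Response{} }` after the early return. The early return can now hand back a non-nil response together with a non-nil error, which deserves a comment such as `// Login may return an error response and an error together; pass both through unchanged.`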
@@ -21,6 +21,8 @@ import (
 "github.com/hashicorp/go-secure-stdlib/strutil" "github.com/hashicorp/go-sockaddr" "github.com/hashicorp/go-uuid" + uberAtomic "go.uber.org/atomic" + "github.com/hashicorp/vault/command/server" "github.com/hashicorp/vault/helper/identity" "github.com/hashicorp/vault/helper/identity/mfa"
@@ -36,7 +38,6 @@ import (
 "github.com/hashicorp/vault/sdk/logical"
 "github.com/hashicorp/vault/vault/quotas"
 "github.com/hashicorp/vault/vault/tokens"
- uberAtomic "go.uber.org/atomic"
 )
 const (
@@ -1408,7 +1409,7 @@ func (c *Core) handleLoginRequest(ctx context.Context, req *logical.Request) (re
 return nil, nil, err
 }
 }
- return nil, nil, resp.Error()
+ return resp, nil, routeErr
 }
 if resp != nil {
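Review bot: In vault/request_handling.go, `handleLoginRequest` now returns `resp` together with `routeErr` where it used to return only `resp.Error()`, so whatever the auth backend placed in the response is passed on to the caller on this failure path. The enclosing condition is outside the hunk; assuming this is the invalid-credentials branch, confirm that backends put only a generic message in that response, since a backend-specific message would undo the normalization this change aims for. Returning a non-nil response with a non-nil error is unusual in Go and should be documented at the return, for example `// Return the backend's error response with routeErr; callers must handle both being non-nil.`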