diff --git a/internal/auth/auth.go b/internal/auth/auth.go
index 96a9eb3..4d5865f 100644
--- a/internal/auth/auth.go
+++ b/internal/auth/auth.go
@@ -89,8 +89,14 @@ func (m *Manager) Login(username, password string) (token string, user *userstor
 		if domain := extractDomain(username); domain != "" {
 			ctx := context.Background()
 			tenantID, lookupErr := m.tenantLookup.GetTenantIDByDomain(ctx, domain)
+			if lookupErr != nil {
+				fmt.Printf("[DEBUG] tenant domain lookup failed for %q: %v\n", domain, lookupErr)
+			}
 			if lookupErr == nil && tenantID != nil {
 				tcfg, tErr := m.tenantLdapStore.GetWithPassword(ctx, *tenantID)
+				if tErr != nil {
+					fmt.Printf("[DEBUG] tenant LDAP GetWithPassword failed: %v\n", tErr)
+				}
 				if tErr == nil && tcfg != nil && tcfg.Enabled && tcfg.URL != "" && tcfg.BindPassword != "" {
 					attrs, authErr := ldapauth.Authenticate(ldapauth.Config{
 						URL:           tcfg.URL,
@@ -101,6 +107,9 @@ func (m *Manager) Login(username, password string) (token string, user *userstor
 						TLS:           tcfg.TLS,
 						TLSSkipVerify: tcfg.TLSSkipVerify,
 					}, username, password)
+					if authErr != nil {
+						fmt.Printf("[DEBUG] tenant LDAP auth failed for %q: %v\n", username, authErr)
+					}
 					if authErr == nil {
 						role := tcfg.DefaultRole
 						if role == "" {