diff --git a/internal/auth/auth.go b/internal/auth/auth.go
index 4d5865f..9ff393d 100644
--- a/internal/auth/auth.go
+++ b/internal/auth/auth.go
@@ -107,10 +107,11 @@ func (m *Manager) Login(username, password string) (token string, user *userstor
 						TLS:           tcfg.TLS,
 						TLSSkipVerify: tcfg.TLSSkipVerify,
 					}, username, password)
-					if authErr != nil {
+						if authErr != nil {
 						fmt.Printf("[DEBUG] tenant LDAP auth failed for %q: %v\n", username, authErr)
 					}
 					if authErr == nil {
+						fmt.Printf("[DEBUG] tenant LDAP auth OK for %q, upserting...\n", username)
 						role := tcfg.DefaultRole
 						if role == "" {
 							role = userstore.RoleUser
@@ -129,6 +130,9 @@ func (m *Manager) Login(username, password string) (token string, user *userstor
 							email = username
 						}
 						ldapUser, upsertErr := m.store.UpsertLDAPUser(username, email, role, tenantID)
+						if upsertErr != nil {
+							fmt.Printf("[DEBUG] UpsertLDAPUser failed for %q: %v\n", username, upsertErr)
+						}
 						if upsertErr == nil {
 							if ldapUser.TOTPEnabled {
 								t, e := m.issuePendingTOTPToken(ldapUser)