diff --git a/src/Server/ZB.MOM.WW.OtOpcUa.Admin/Components/Pages/Login.razor b/src/Server/ZB.MOM.WW.OtOpcUa.Admin/Components/Pages/Login.razor
index 83aef58..e8c4731 100644
--- a/src/Server/ZB.MOM.WW.OtOpcUa.Admin/Components/Pages/Login.razor
+++ b/src/Server/ZB.MOM.WW.OtOpcUa.Admin/Components/Pages/Login.razor
@@ -47,10 +47,17 @@
         public string Password { get; set; } = string.Empty;
     }
 
-    private Input _input = new();
+    // Static-SSR form post: the model must be [SupplyParameterFromForm] or the
+    // submitted username/password never bind back onto _input. The property
+    // cannot carry an initializer (BL0008) — seed it in OnInitialized instead.
+    [SupplyParameterFromForm]
+    private Input _input { get; set; } = default!;
+
     private string? _error;
     private bool _busy;
 
+    protected override void OnInitialized() => _input ??= new();
+
     private async Task SignInAsync()
     {
         _error = null;
diff --git a/src/Server/ZB.MOM.WW.OtOpcUa.Admin/Security/LdapAuthService.cs b/src/Server/ZB.MOM.WW.OtOpcUa.Admin/Security/LdapAuthService.cs
index 1bf11d0..5328457 100644
--- a/src/Server/ZB.MOM.WW.OtOpcUa.Admin/Security/LdapAuthService.cs
+++ b/src/Server/ZB.MOM.WW.OtOpcUa.Admin/Security/LdapAuthService.cs
@@ -108,7 +108,7 @@ public sealed class LdapAuthService(IOptions<LdapOptions> options, ILogger<LdapA
             await Task.Run(() =>
                 conn.Bind(_options.ServiceAccountDn, _options.ServiceAccountPassword), ct);
 
-            var filter = $"(uid={EscapeLdapFilter(username)})";
+            var filter = $"({_options.UserNameAttribute}={EscapeLdapFilter(username)})";
             var results = await Task.Run(() =>
                 conn.Search(_options.SearchBase, LdapConnection.ScopeSub, filter, ["dn"], false), ct);
 
@@ -116,7 +116,7 @@ public sealed class LdapAuthService(IOptions<LdapOptions> options, ILogger<LdapA
                 return results.Next().Dn;
 
             throw new LdapException("User not found", LdapException.NoSuchObject,
-                $"No entry for uid={username}");
+                $"No entry for {filter}");
         }
 
         return string.IsNullOrWhiteSpace(_options.SearchBase)
diff --git a/src/Server/ZB.MOM.WW.OtOpcUa.Admin/Security/LdapOptions.cs b/src/Server/ZB.MOM.WW.OtOpcUa.Admin/Security/LdapOptions.cs
index 4d79474..45d3e3d 100644
--- a/src/Server/ZB.MOM.WW.OtOpcUa.Admin/Security/LdapOptions.cs
+++ b/src/Server/ZB.MOM.WW.OtOpcUa.Admin/Security/LdapOptions.cs
@@ -29,6 +29,13 @@ public sealed class LdapOptions
     public string DisplayNameAttribute { get; set; } = "cn";
     public string GroupAttribute { get; set; } = "memberOf";
 
+    /// <summary>
+    ///     Attribute the service-account search matches the login name against to resolve the
+    ///     user's DN. <c>cn</c> for GLAuth (the dev default); set <c>sAMAccountName</c> for
+    ///     Active Directory.
+    /// </summary>
+    public string UserNameAttribute { get; set; } = "cn";
+
     /// <summary>
     ///     Maps LDAP group name → Admin role. Group match is case-insensitive. A user gets every
     ///     role whose source group is in their membership list. Example dev mapping:
diff --git a/src/Server/ZB.MOM.WW.OtOpcUa.Admin/appsettings.json b/src/Server/ZB.MOM.WW.OtOpcUa.Admin/appsettings.json
index 39fddd1..77e7cde 100644
--- a/src/Server/ZB.MOM.WW.OtOpcUa.Admin/appsettings.json
+++ b/src/Server/ZB.MOM.WW.OtOpcUa.Admin/appsettings.json
@@ -10,7 +10,7 @@
       "UseTls": false,
       "AllowInsecureLdap": true,
       "SearchBase": "dc=lmxopcua,dc=local",
-      "ServiceAccountDn": "cn=serviceaccount,ou=svcaccts,dc=lmxopcua,dc=local",
+      "ServiceAccountDn": "cn=serviceaccount,dc=lmxopcua,dc=local",
       "ServiceAccountPassword": "serviceaccount123",
       "DisplayNameAttribute": "cn",
       "GroupAttribute": "memberOf",