diff --git a/ldap/client.go b/ldap/client.go
index 1c131a6..0c1ffd3 100644
--- a/ldap/client.go
+++ b/ldap/client.go
@@ -719,8 +719,13 @@ func (c *Client) getUserDN(bindDN, username string) (string, error) {
 }
 var userDN string
 if c.conf.UPNDomain != "" {
- // Find the distinguished name for the user if userPrincipalName used for login
- filter := fmt.Sprintf("(userPrincipalName=%s@%s)", escapeValue(username), c.conf.UPNDomain)
+ // Find the distinguished name for the user if userPrincipalName used for login, or sAMAccountName if enabled.
+ var filter string
+ if c.conf.EnableSamaccountnameLogin {
+ filter = fmt.Sprintf("(|(userPrincipalName=%s@%s)(sAMAccountName=%s))", escapeValue(username), c.conf.UPNDomain, escapeValue(username))
+ } else {
+ filter = fmt.Sprintf("(userPrincipalName=%s@%s)", escapeValue(username), c.conf.UPNDomain)
+ }
 result, err := c.conn.Search(&ldap.SearchRequest{
 BaseDN: c.conf.UserDN,
 Scope: ldap.ScopeWholeSubtree,
diff --git a/ldap/config.go b/ldap/config.go
index 6340799..8f05d51 100644
--- a/ldap/config.go
+++ b/ldap/config.go
@@ -230,6 +230,9 @@ type ClientConfig struct {
 // the pre 1.1.1 Vault behavior.
 // see: https://www.vaultproject.io/docs/upgrading/upgrade-to-1.1.1
 DeprecatedVaultPre111GroupCNBehavior *bool `json:"use_pre111_group_cn_behavior"`
+
+ // EnableSamaccountnameLogin enables login with sAMAccountName in addition to UserPrincipalName when upndomain is set.
+ EnableSamaccountnameLogin bool `json:"enable_samaccountname_login"`
 }
 
 func (c *ClientConfig) clone() (*ClientConfig, error) {
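Review bot: The OR filter `(|(userPrincipalName=%s@%s)(sAMAccountName=%s))` can now match two distinct directory entries for one login name (one whose UPN prefix is the username and another whose sAMAccountName is), where the old single-attribute filter could only match one; the entry selection that follows `c.conn.Search` is outside the hunk, and if it takes the first result, the user would be resolved to whichever account the directory happens to return first. It would be safer to treat an ambiguous search as a failure when the combined filter is in use, e.g. `if c.conf.EnableSamaccountnameLogin && len(result.Entries) > 1 { return "", fmt.Errorf("ambiguous user: %d entries matched", len(result.Entries)) }`, placed after the existing search error check. As a minor point of style, `escapeValue(username)` is evaluated twice in the combined branch; hoisting it into one local (`escaped := escapeValue(username)`) keeps both Sprintf calls shorter and guarantees the same escaping is used for both attributes. getUserDN starts and ends outside the hunk.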
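Review bot: The new `EnableSamaccountnameLogin` field is added to `ClientConfig` but this diff shows no change to wherever the struct is populated from the backend's configuration parameters or to `clone()`, whose body starts right after the hunk and is outside it; if either enumerates fields by hand, the option will be silently dropped and `enable_samaccountname_login` will never reach `getUserDN`. The doc comment should also state the interaction it depends on more precisely, e.g. `// EnableSamaccountnameLogin additionally matches sAMAccountName when resolving the user DN. It has no effect unless UPNDomain is set.`, since the filter branch that reads it is itself gated on `c.conf.UPNDomain != ""`. Consider validating that combination where the config is checked, so a set flag with an empty upndomain is reported rather than ignored. On naming, Go convention would keep the initialism as `EnableSAMAccountNameLogin`; the JSON tag is unaffected either way.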