diff --git a/connector/ldap/ldap.go b/connector/ldap/ldap.go
index 856949d240d15ebe4dbc0c853fd646843348b649..6f6f0c3e55235a7123c0ba60f9b1c98bf128e59f 100644
--- a/connector/ldap/ldap.go
+++ b/connector/ldap/ldap.go
@@ -410,7 +410,7 @@ func (c *ldapConnector) identityFromEntry(user ldap.Entry) (ident connector.Iden
 		err := fmt.Errorf("ldap: entry %q missing following required attribute(s): %q", user.DN, missing)
 		return connector.Identity{}, err
 	}
-	return ident, nil
+	return tweakIdentity(ident), nil
 }
 
 func (c *ldapConnector) userEntry(conn *ldap.Conn, username string) (user ldap.Entry, found bool, err error) {
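Review bot: The new `tweakIdentity(ident)` call on the return line rewrites the Username of every identity this connector produces, with no configuration switch and no comment at the call site saying so. Directories that do not use the "Last, First (suffix)" form still go through the rewrite, so any value that happens to contain ", " is reordered; whether relying parties key on this claim is not visible here. Consider gating the call on a connector option, or at minimum add a call-site comment such as `// tweakIdentity reorders "Last, First (...)" names to "First Last"; applied to every entry`. identityFromEntry begins outside this hunk, so how Username is populated before the call is not shown.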
diff --git a/connector/ldap/tweak.go b/connector/ldap/tweak.go
new file mode 100644
index 0000000000000000000000000000000000000000..34facee761c4db427e32fdcb85682fccb447f0bf
--- /dev/null
+++ b/connector/ldap/tweak.go
@@ -0,0 +1,32 @@
+package ldap
+
+import (
+	"strings"
+
+	"github.com/dexidp/dex/connector"
+)
+
+// TweakIdentity adjusts attributes received from the LDAP directory. Don't ask
+// why this is necessary. Just learn to accept it.
+func tweakIdentity(id connector.Identity) connector.Identity {
+	id.Username = tweakName(id)
+	return id
+}
+
+func tweakName(id connector.Identity) string {
+	name := id.Username
+	if name == " " {
+		return id.PreferredUsername
+	}
+
+	xs := strings.Split(name, ", ")
+	if len(xs) == 1 {
+		return name
+	}
+
+	if strings.Contains(xs[1], " (") {
+		xs[1] = strings.Split(xs[1], " (")[0]
+	}
+
+	return xs[1] + " " + xs[0]
+}
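Review bot: `tweakName` silently drops data when the name contains more than one ", " separator, because `xs[1] + " " + xs[0]` keeps only the first two segments. Returning the input untouched unless it has exactly the expected shape is safer: `if len(xs) != 2 { return name }`. The fallback test `name == " "` matches only a single space; `strings.TrimSpace(name) == ""` would also cover empty and multi-space values, and PreferredUsername may itself be empty, which is not checked. The doc comment names `TweakIdentity` while the function is `tweakIdentity`, and it should state the rewrite rule (input form, output form, the " (" suffix stripping) instead of "Don't ask why". No test for these cases accompanies the new file in this diff.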