diff --git a/assets/tpl/login.html b/assets/tpl/login.html
index 7fb24ae..021b777 100644
--- a/assets/tpl/login.html
+++ b/assets/tpl/login.html
@@ -20,9 +20,8 @@
- - - Please enter your LDAP username, not the email address. + +
diff --git a/internal/authentication/providers/password/provider.go b/internal/authentication/providers/password/provider.go
index 549d5bd..c6f937d 100644
--- a/internal/authentication/providers/password/provider.go
+++ b/internal/authentication/providers/password/provider.go
@@ -3,6 +3,7 @@ package password
 import (
 "fmt"
 "math/rand"
+ "regexp"
 "strings"
 "time"
@@ -14,6 +15,8 @@ import (
 "gorm.io/gorm"
 )
+var emailRegex = regexp.MustCompile("^[a-zA-Z0-9.!#$%&'*+\\/=?^_`{|}~-]+@[a-zA-Z0-9](?:[a-zA-Z0-9-]{0,61}[a-zA-Z0-9])?(?:\\.[a-zA-Z0-9](?:[a-zA-Z0-9-]{0,61}[a-zA-Z0-9])?)*$")
+
 // Provider implements a password login method for a database backend.
 type Provider struct {
 db *gorm.DB
@@ -104,6 +107,10 @@ func (provider Provider) GetUserModel(ctx *authentication.AuthContext) (*authent
 }
 func (provider Provider) InitializeAdmin(email, password string) error {
+ if !emailRegex.MatchString(email) {
+ return errors.New("admin username must be an email address")
+ }
+
 admin := users.User{}
 provider.db.Unscoped().Where("email = ?", email).FirstOrInit(&admin)
diff --git a/internal/common/configuration.go b/internal/common/configuration.go
index 2c9f373..3912b38 100644
--- a/internal/common/configuration.go
+++ b/internal/common/configuration.go
@@ -60,7 +60,7 @@ type Config struct {
 Title string `yaml:"title" envconfig:"WEBSITE_TITLE"`
 CompanyName string `yaml:"company" envconfig:"COMPANY_NAME"`
 MailFrom string `yaml:"mailFrom" envconfig:"MAIL_FROM"`
- AdminUser string `yaml:"adminUser" envconfig:"ADMIN_USER"`
+ AdminUser string `yaml:"adminUser" envconfig:"ADMIN_USER"` // must be an email address
 AdminPassword string `yaml:"adminPass" envconfig:"ADMIN_PASS"`
 EditableKeys bool `yaml:"editableKeys" envconfig:"EDITABLE_KEYS"`
 CreateDefaultPeer bool `yaml:"createDefaultPeer" envconfig:"CREATE_DEFAULT_PEER"`
diff --git a/internal/server/ldapsync.go b/internal/server/ldapsync.go
index 9ba75a9..e04197c 100644
--- a/internal/server/ldapsync.go
+++ b/internal/server/ldapsync.go
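Review bot: The new package-level `emailRegex` in provider.go carries no comment saying what it accepts, and the doubled escapes make that hard to read off the literal. The pattern is the HTML-spec "valid e-mail address" expression, so it is a syntax check only: it accepts dot-less domains such as `admin@localhost` and puts no bound on the total length. It has to stay an interpreted string because the character class contains a backtick. I would add `// emailRegex is the HTML-spec e-mail pattern: syntax check only, no length limit, dot-less domains allowed.` above the declaration.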
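Review bot: The new guard at the top of `InitializeAdmin` matches the raw argument, so a configured admin name with surrounding whitespace, or a plain username left over from an older configuration (presumably the `AdminUser` / `ADMIN_USER` value), now aborts admin initialisation with an error that does not show what was rejected. `fmt` is already imported, so `return fmt.Errorf("admin username %q must be an email address", email)` would make the failure diagnosable from the log alone. The hunk also calls `errors.New` while the standard-library import group visible in the first hunk begins at `"fmt"`; presumably an `errors` package comes from the second import group, which is only partly visible here. The function body continues past the end of the hunk.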
@@ -93,16 +93,16 @@ func (s *Server) SyncLdapWithUserDatabase() {
 }
 }
+ if err = s.users.UpdateUser(user); err != nil {
+ logrus.Errorf("failed to update ldap user %s in database: %v", user.Email, err)
+ continue
+ }
+
 if ldapDeactivated {
 if err = s.users.DeleteUser(user); err != nil {
 logrus.Errorf("failed to delete deactivated user %s in database: %v", user.Email, err)
 continue
 }
- } else {
- if err = s.users.UpdateUser(user); err != nil {
- logrus.Errorf("failed to update ldap user %s in database: %v", user.Email, err)
- continue
- }
 }
 }
 }
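Review bot: With `UpdateUser` moved ahead of the `ldapDeactivated` branch, its `continue` on failure now also skips `DeleteUser`, so an account that LDAP reports as deactivated stays in the local database whenever the preceding update fails. On an access-revocation path the delete should not depend on the update succeeding. Replacing the first `continue` with `if !ldapDeactivated { continue }` keeps the error log but still attempts the removal. The enclosing loop of `SyncLdapWithUserDatabase` starts outside the hunk, so how `user` and `ldapDeactivated` are derived is not visible here.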