diff --git a/deps/rabbitmq_auth_backend_ldap/README-authorisation b/deps/rabbitmq_auth_backend_ldap/README-authorisation
index 57315b500c..e5cd1ec253 100644
--- a/deps/rabbitmq_auth_backend_ldap/README-authorisation
+++ b/deps/rabbitmq_auth_backend_ldap/README-authorisation
@@ -5,15 +5,16 @@ Authorisation is effected by three configuration options:
 * vhost_access_query
 * resource_access_query
-* is_admin_query
+* tag_queries
 Each defines a query that will determine whether a user has access to a vhost, a resource (e.g. exchange, queue, binding) or is considered an administrator. The default values are {constant, true}, {constant, true} and
-{constant, false}, granting all users access to all objects in all
-vhosts, but not making them administrators.
+[{administrator, {constant, false}}] respectively, granting all users
+access to all objects in all vhosts, but not making them
+administrators.
 A query can be of one of several types:
@@ -57,10 +58,15 @@ The terms configure, write and read for resource access have the same meanings that they do for the built-in RabbitMQ permissions system, see http://www.rabbitmq.com/admin-guide.html#access-control
-is_admin_query:
+tag_queries:
 ${username} ${user_dn}
+Note that tag_queries consists of a proplist, mapping the name of a
+tag to a query to perform to determine whether or not the user has
+that tag. You must list queries for all tags that you want your users
+to have.
 In Group Query
 --------------
@@ -119,7 +125,7 @@ TODO improve and explain this {permission, read, {constant, true}} ]}}, {resource, queue, {constant, true}} ]}},
- {is_admin_query, {constant, false}},
+ {tag_queries, [{administrator, {constant, false}}]},
 {use_ssl, false}, {port, 389}, {log, false} ] }
diff --git a/deps/rabbitmq_auth_backend_ldap/src/rabbit_auth_backend_ldap.erl b/deps/rabbitmq_auth_backend_ldap/src/rabbit_auth_backend_ldap.erl
index 83d2a8ac6b..c3bbbc42ad 100644
--- a/deps/rabbitmq_auth_backend_ldap/src/rabbit_auth_backend_ldap.erl
+++ b/deps/rabbitmq_auth_backend_ldap/src/rabbit_auth_backend_ldap.erl
@@ -40,7 +40,7 @@
 -include_lib("rabbit_common/include/rabbit_auth_backend_spec.hrl").
 -export([description/0]).
--export([check_user_login/2, check_vhost_access/3, check_resource_access/3]).
+-export([check_user_login/2, check_vhost_access/2, check_resource_access/3]).
 -behaviour(gen_server).
@@ -55,7 +55,7 @@
 other_bind,
 vhost_access_query,
 resource_access_query,
- is_admin_query,
+ tag_queries,
 use_ssl,
 log,
 port }).
@@ -81,11 +81,10 @@ check_user_login(Username, AuthProps) ->
 exit({unknown_auth_props, Username, AuthProps}).
 check_vhost_access(User = #user{username = Username,
- impl = UserDN}, VHost, Permission) ->
- gen_server:call(?SERVER, {check_vhost, [{username, Username},
- {user_dn, UserDN},
- {vhost, VHost},
- {permission, Permission}], User},
+ impl = UserDN}, VHost) ->
+ gen_server:call(?SERVER, {check_vhost, [{username, Username},
+ {user_dn, UserDN},
+ {vhost, VHost}], User},
 infinity).
 check_resource_access(User = #user{username = Username, impl = UserDN},
@@ -157,8 +156,10 @@ with_ldap(BindOpts, Fun,
 Opts0 = [{ssl, SSL}, {port, Port}],
 Opts = case Log of
 true ->
- [{log, fun(1, S, A) -> rabbit_log:warning(S, A);
- (2, S, A) -> rabbit_log:info (S, A)
+ Pre = "LDAP backend: ",
+ rabbit_log:info(Pre ++ "connecting to ~p~n", [Servers]),
+ [{log, fun(1, S, A) -> rabbit_log:warning(Pre ++ S, A);
+ (2, S, A) -> rabbit_log:info (Pre ++ S, A)
 end} | Opts0];
 _ ->
 Opts0
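Review bot: The `{permission, Permission}` entry disappears from the argument list that `check_vhost_access` sends in the `{check_vhost, ...}` call, so any deployed `vhost_access_query` that still substitutes `${permission}` no longer has a value for it; whether `evaluate` then errors (which denies the vhost, the safe direction) or quietly matches against an empty value is not visible in this hunk and is worth confirming on the server side. If the vhost_access_query section of README-authorisation lists `${permission}` among its variables, it needs the same update the tag_queries section received in this commit. A one-line comment above the call, `%% vhost checks carry no permission; queries may use ${username}, ${user_dn} and ${vhost}`, would spare the next reader that search. Unrelated to the change but on the new side, the call still uses `infinity`, so a stalled LDAP server stalls every channel waiting on this single server process.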
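Review bot: The `(2, S, A)` clause still forwards eldap's level-2 log messages verbatim to `rabbit_log:info`, now merely prefixed with `Pre`; as far as I recall eldap logs the bind request term at that level, which for a simple bind carries the user's password, so enabling `log` writes credentials to the info log. The new `connecting to ~p` line is harmless, but nothing in this hunk redacts the level-2 payload or flags the risk. If redaction is out of scope here, a comment above the fun, `%% Level 2 echoes raw eldap requests, including simple-bind credentials; log = true is for debugging only`, plus a sentence wherever the `log` option is documented, would at least make it explicit. The body of with_ldap continues past the hunk.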
@@ -192,17 +193,17 @@ get_env(F) ->
 {ok, V} = application:get_env(F), V.
-do_login(Username, LDAP, State = #state{ is_admin_query = IsAdminQuery }) ->
+do_login(Username, LDAP, State = #state{ tag_queries = TagQueries }) ->
 UserDN = username_to_dn(Username, State),
 User = #user{username = Username, auth_backend = ?MODULE, impl = UserDN},
- case evaluate(IsAdminQuery, [{username, Username},
- {user_dn, UserDN}], User, LDAP) of
- {error, _} = E ->
- E;
- IsAdmin ->
- {ok, User#user{is_admin = IsAdmin}}
+ TagRes = [{Tag, evaluate(Q, [{username, Username},
+ {user_dn, UserDN}], User, LDAP)} ||
+ {Tag, Q} <- TagQueries],
+ case [E || {_, E = {error, _}} <- TagRes] of
+ [] -> {ok, User#user{tags = [Tag || {Tag, true} <- TagRes]}};
+ [E | _] -> E
 end.
 username_to_dn(Username, #state{ user_dn_pattern = UserDNPattern }) ->