diff --git a/apps/authentication/backends/openid/models.py b/apps/authentication/backends/openid/models.py
index b99ba402a..863aafd6a 100644
--- a/apps/authentication/backends/openid/models.py
+++ b/apps/authentication/backends/openid/models.py
@@ -6,7 +6,7 @@ from django.contrib.auth import get_user_model
 from keycloak.realm import KeycloakRealm
 from keycloak.keycloak_openid import KeycloakOpenID
-from .signals import post_create_openid_user
+from .signals import post_create_or_update_openid_user
 from .decorator import ssl_verification
 OIDT_ACCESS_TOKEN = 'oidt_access_token'
@@ -155,7 +155,7 @@ class Client(object):
 """
 userinfo = self.get_userinfo(token=token_response['access_token'])
 with transaction.atomic():
- user, _ = get_user_model().objects.update_or_create(
+ user, created = get_user_model().objects.update_or_create(
 username=userinfo.get('preferred_username', ''),
 defaults={
 'email': userinfo.get('email', ''),
@@ -169,7 +169,9 @@ class Client(object):
 refresh_token=token_response['refresh_token'],
 )
 if user:
- post_create_openid_user.send(sender=user.__class__, user=user)
+ post_create_or_update_openid_user.send(
+ sender=user.__class__, user=user, created=created
+ )
 return oidt_profile
diff --git a/apps/authentication/backends/openid/signals.py b/apps/authentication/backends/openid/signals.py
index d5e57a005..ad81bca4a 100644
--- a/apps/authentication/backends/openid/signals.py
+++ b/apps/authentication/backends/openid/signals.py
@@ -1,5 +1,5 @@
 from django.dispatch import Signal
-post_create_openid_user = Signal(providing_args=('user',))
+post_create_or_update_openid_user = Signal(providing_args=('user',))
 post_openid_login_success = Signal(providing_args=('user', 'request'))
diff --git a/apps/authentication/signals_handlers.py b/apps/authentication/signals_handlers.py
index 17cfae362..aac64df4c 100644
--- a/apps/authentication/signals_handlers.py
+++ b/apps/authentication/signals_handlers.py
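Review bot: In models.py (`@@ -155`), `update_or_create` still matches on `username=userinfo.get('preferred_username', '')` alone, so when `created` is False the row being updated may be a local or LDAP account that merely shares the name asserted by the identity provider, and its `defaults` fields are overwritten before any handler sees `created`. The commit stops the `source` overwrite but not this merge; consider checking the existing user's `source` before applying IdP attributes, or keying the link on a stable identifier such as the `sub` claim. The `''` fallback also lets a token without `preferred_username` create or update a user with an empty username; a guard such as `if not userinfo.get('preferred_username'):` that fails the login before the transaction would close that. The enclosing method starts and ends outside the hunk.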
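Review bot: `post_create_or_update_openid_user` in signals.py is now sent with `created=created` (models.py, `@@ -169`), but its declaration still lists only `user`. `providing_args` is documentation only, so nothing breaks, yet receivers reading this file will not learn about the new argument; `post_create_or_update_openid_user = Signal(providing_args=('user', 'created'))` keeps the declaration in step with the sender.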
@@ -4,9 +4,10 @@ from django.dispatch import receiver
 from django.contrib.auth.signals import user_logged_out
 from django_auth_ldap.backend import populate_user
+from users.models import User
 from .backends.openid import new_client
 from .backends.openid.signals import (
- post_create_openid_user, post_openid_login_success
+ post_create_or_update_openid_user, post_openid_login_success
 )
 from .signals import post_auth_success
@@ -29,9 +30,9 @@ def on_user_logged_out(sender, request, user, **kwargs):
 request.COOKIES['next'] = openid_logout_url
-@receiver(post_create_openid_user)
-def on_post_create_openid_user(sender, user=None, **kwargs):
- if user and user.username != 'admin':
+@receiver(post_create_or_update_openid_user)
+def on_post_create_or_update_openid_user(sender, user=None, created=True, **kwargs):
+ if created and user and user.username != 'admin':
 user.source = user.SOURCE_OPENID
 user.save()
@@ -44,8 +45,10 @@ def on_openid_login_success(sender, user=None, request=None, **kwargs):
 @receiver(populate_user)
 def on_ldap_create_user(sender, user, ldap_user, **kwargs):
 if user and user.username not in ['admin']:
- user.source = user.SOURCE_LDAP
- user.save()
+ exists = User.objects.filter(username=user.username).exists()
+ if not exists:
+ user.source = user.SOURCE_LDAP
+ user.save()
diff --git a/apps/authentication/utils.py b/apps/authentication/utils.py
index eb1649885..197aa113a 100644
--- a/apps/authentication/utils.py
+++ b/apps/authentication/utils.py
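Review bot: The receiver's default `created=True` in `on_post_create_or_update_openid_user` fails open: any sender that omits `created` is treated as a creation and the user's `source` is rewritten to `SOURCE_OPENID`, which is the behaviour this commit is removing. Defaulting to the safe value, `def on_post_create_or_update_openid_user(sender, user=None, created=False, **kwargs):`, keeps an existing account's source intact unless the sender says otherwise. `user.save()` also writes every field of the instance; `user.save(update_fields=['source'])` would limit the write to the one attribute changed here.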
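Review bot: In `on_ldap_create_user` the new `User.objects.filter(username=user.username).exists()` check only marks first-time LDAP users if `populate_user` is sent before the backend saves the new row; that ordering is not visible in this diff, and if the row already exists when the signal fires, `source` is never set to `SOURCE_LDAP`. A comment stating the assumption would help, for example `# populate_user runs before the first save; an existing row predates this LDAP login, so keep its source`. The ordering should be confirmed against the installed django-auth-ldap version.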
@@ -1,31 +1,20 @@
 # -*- coding: utf-8 -*-
 #
-from django.utils.translation import ugettext as _
 from django.contrib.auth import authenticate
-from common.utils import (
- get_ip_city, get_object_or_none, validate_ip
-)
-from users.models import User
 from . import errors
 def check_user_valid(**kwargs):
 password = kwargs.pop('password', None)
 public_key = kwargs.pop('public_key', None)
- email = kwargs.pop('email', None)
 username = kwargs.pop('username', None)
 request = kwargs.get('request')
- if username:
- user = get_object_or_none(User, username=username)
- elif email:
- user = get_object_or_none(User, email=email)
- else:
- user = None
-
- if user is None:
- return None, errors.reason_user_not_exist
+ user = authenticate(request, username=username,
+ password=password, public_key=public_key)
+ if not user:
+ return None, errors.reason_password_failed
 elif user.is_expired:
 return None, errors.reason_user_inactive
 elif not user.is_active:
@@ -33,9 +22,4 @@ def check_user_valid(**kwargs):
 elif user.password_has_expired:
 return None, errors.reason_password_expired
- if password or public_key:
- user = authenticate(request, username=username,
- password=password, public_key=public_key)
- if user:
- return user, ''
- return None, errors.reason_password_failed
+ return user, ''
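Review bot: `check_user_valid` now calls `authenticate()` unconditionally, so a request with neither `password` nor `public_key` reaches every configured backend with `None` credentials; the `if password or public_key:` guard that prevented this is removed in the `@@ -33,9` hunk. Whether that is safe depends on backends that are not visible here, so an explicit early exit before the call, `if not (password or public_key): return None, errors.reason_password_failed`, keeps the old fail-closed behaviour. Backends that refuse inactive users (Django's `ModelBackend` does) return `None` before the `elif not user.is_active` branch can run, so those accounts would now be reported as a password failure rather than with the inactive reason; confirm that is intended. `email` is no longer popped, so callers that identified the user by e-mail only are presumably rejected now unless a backend handles it. The function body continues into the next hunk.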