diff --git a/src/includes/class/class.LSldap.php b/src/includes/class/class.LSldap.php
index 6dbd8216..d4f7a9c7 100644
--- a/src/includes/class/class.LSldap.php
+++ b/src/includes/class/class.LSldap.php
@@ -51,6 +51,14 @@ class LSldap extends LSlog_staticLoggerClass {
 */
 private static $cnx = NULL;
 
+ /**
+ * LDAP connection enabled controls
+ * @see LSldap::setAuthzProxyControl()
+ * @see LSldap::updateUserPassword()
+ * @var array
+ */
+ private static $_controls = array();
+
 /**
 * Registered events
 * @see self::addEvent()
@@ -155,16 +163,12 @@ class LSldap extends LSlog_staticLoggerClass {
 }
 if (!self :: fireEvent('setting_authz_proxy', array('dn' => $dn)))
 return false;
- $result = self :: $cnx -> setOption(
- 'LDAP_OPT_SERVER_CONTROLS',
- array (
- array(
- 'oid' => '2.16.840.1.113730.3.4.18',
- 'value' => "dn:$dn",
- 'iscritical' => true
- )
- )
+ self :: $_controls[] = array(
+ 'oid' => '2.16.840.1.113730.3.4.18',
+ 'value' => "dn:$dn",
+ 'iscritical' => true
 );
+ $result = self :: $cnx -> setOption('LDAP_OPT_SERVER_CONTROLS', self :: $_controls);
 // Also check user exists to validate the connection with
 // authz proxy control.
 if ($result !== True || !self :: exists($dn)) {
@@ -846,7 +850,7 @@ class LSldap extends LSlog_staticLoggerClass {
 return false;
 
 $ldap = self :: $cnx->getLink();
- $ctrlRequest = array(array('oid' => LDAP_CONTROL_PASSWORDPOLICYREQUEST));
+ $ctrlRequest = array_merge(self :: $_controls, [['oid' => LDAP_CONTROL_PASSWORDPOLICYREQUEST]]);
 $r = ldap_mod_replace_ext($ldap, $dn, $changes, $ctrlRequest);
 if ($r && ldap_parse_result($ldap, $r, $errcode, $matcheddn, $errmsg, $ref, $ctrlResponse)) {
 if ($errcode !== 0) {
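Review bot: The proxy authorization control is appended to `self :: $_controls` before `setOption()` and the `exists($dn)` check have succeeded, and nothing in this hunk removes it again or replaces an earlier entry. A repeated or failed call would presumably leave a duplicate or stale control for OID 2.16.840.1.113730.3.4.18 in the static list. The last hunk now re-sends that list on password changes, so a later modify could be attempted under an authorization identity that was never validated. Build the list in a local variable, drop any earlier entry with the same OID, and store it only once the option was accepted. The failure branch lies outside the hunk and should restore the previous list as well.

```php
    // … unchanged: fireEvent('setting_authz_proxy') check …
    $authzOid = '2.16.840.1.113730.3.4.18';
    // Replace an earlier proxy authz control instead of stacking a second one
    $controls = array_values(array_filter(
      self :: $_controls,
      function ($ctrl) use ($authzOid) { return $ctrl['oid'] !== $authzOid; }
    ));
    $controls[] = array(
      'oid' => $authzOid,
      'value' => "dn:$dn",
      'iscritical' => true
    );
    $result = self :: $cnx -> setOption('LDAP_OPT_SERVER_CONTROLS', $controls);
    // Remember the controls only once the connection accepted them
    if ($result === True)
      self :: $_controls = $controls;
    // … unchanged: exists($dn) validation and failure handling …
```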
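Review bot: The `array_merge()` with `self :: $_controls` in `$ctrlRequest` carries no comment saying why the connection controls are repeated for this one request. Controls passed to `ldap_mod_replace_ext()` presumably take the place of those set through `LDAP_OPT_SERVER_CONTROLS`, so without the merge the password change would run as the bound account rather than the proxied user. A line such as `// Per-request controls override the connection ones: re-send enabled controls (e.g. authz proxy)` above the assignment would keep a later cleanup from dropping the merge. The enclosing method starts and ends outside the hunk.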