diff --git a/src/PVE/Auth/LDAP.pm b/src/PVE/Auth/LDAP.pm
index b958f2b..1b63954 100755
--- a/src/PVE/Auth/LDAP.pm
+++ b/src/PVE/Auth/LDAP.pm
@@ -166,6 +166,35 @@ sub options {
     };
 }
 
+my $valid_sync_attributes = {
+    username => 1,
+    enable => 1,
+    expire => 1,
+    firstname => 1,
+    lastname => 1,
+    email => 1,
+    comment => 1,
+    keys => 1,
+};
+
+my sub verify_sync_attribute {
+    my ($attr, $value) = @_;
+
+    die "cannot map to invalid user sync attribute '$attr'\n" if !$valid_sync_attributes->{$attr};
+
+    # The attribute does not include the realm, so can't use PVE::Auth::Plugin::verify_username
+    if ($attr eq 'username') {
+	die "value '$value' does not look like a valid user name\n"
+	    if $value !~ m/${PVE::Auth::Plugin::user_regex}/;
+	return;
+    }
+
+    return if $attr eq 'enable'; # for backwards compat, don't parse/validate
+
+    my $schema = PVE::JSONSchema::get_standard_option("user-$attr");
+    PVE::JSONSchema::validate($value, $schema, "invalid value '$value'\n");
+}
+
 sub get_scheme_and_port {
     my ($class, $config) = @_;
 
@@ -271,6 +300,10 @@ sub get_users {
 
     foreach my $attr (PVE::Tools::split_list($config->{sync_attributes})) {
 	my ($ours, $ldap) = ($attr =~ m/^\s*(\w+)=(.*)\s*$/);
+	if (!$valid_sync_attributes->{$ours}) {
+	    warn "bad 'sync_attributes': cannot map to invalid attribute '$ours'\n";
+	    next;
+	}
 	$ldap_attribute_map->{$ldap} = $ours;
     }
 
@@ -301,7 +334,13 @@ sub get_users {
 
 	foreach my $attr (keys %$user_attributes) {
 	    if (my $ours = $ldap_attribute_map->{$attr}) {
-		$ret->{$username}->{$ours} = $user_attributes->{$attr}->[0];
+		my $value = $user_attributes->{$attr}->[0];
+		eval { verify_sync_attribute($ours, $value) };
+		if (my $err = $@) {
+		    warn "skipping attribute mapping '$attr'->'$ours' for user '$username' - $err";
+		    next;
+		}
+		$ret->{$username}->{$ours} = $value;
 	    }
 	}