diff --git a/apps/beeswax/src/beeswax/server/hive_server2_lib.py b/apps/beeswax/src/beeswax/server/hive_server2_lib.py
index c19c604..37fc100 100644
--- a/apps/beeswax/src/beeswax/server/hive_server2_lib.py
+++ b/apps/beeswax/src/beeswax/server/hive_server2_lib.py
@@ -299,7 +299,7 @@ class HiveServerClient:
 self.query_server = query_server
 self.user = user
- use_sasl, mechanism, kerberos_principal_short_name, impersonation_enabled = self.get_security()
+ use_sasl, mechanism, kerberos_principal_short_name, impersonation_enabled, ldap_username, ldap_password = self.get_security()
 LOG.info('use_sasl=%s, mechanism=%s, kerberos_principal_short_name=%s, impersonation_enabled=%s' % (
 use_sasl, mechanism, kerberos_principal_short_name, impersonation_enabled))
@@ -314,6 +314,13 @@ class HiveServerClient:
 ssl_enabled = beeswax_conf.SSL.ENABLED.get()
 timeout = beeswax_conf.SERVER_CONN_TIMEOUT.get()
+ if ldap_username:
+ username = ldap_username
+ password = ldap_password
+ else:
+ username = user.username
+ password = None
+
 self._client = thrift_util.get_client(TCLIService.Client,
 query_server['server_host'],
 query_server['server_port'],
@@ -321,7 +328,8 @@ class HiveServerClient:
 kerberos_principal=kerberos_principal_short_name,
 use_sasl=use_sasl,
 mechanism=mechanism,
- username=user.username,
+ username=username,
+ password=password,
 timeout_seconds=timeout,
 use_ssl=ssl_enabled,
 ca_certs=beeswax_conf.SSL.CACERTS.get(),
@@ -333,6 +341,8 @@ class HiveServerClient:
 def get_security(self):
 principal = self.query_server['principal']
 impersonation_enabled = False
+ ldap_username = None
+ ldap_password = None
 if principal:
 kerberos_principal_short_name = principal.split('/', 1)[0]
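Review bot: The unpacking in the `@@ -299,7 +299,7 @@` hunk now expects six positional values, so any other caller or subclass override of `get_security()` that still works with four will fail with a `ValueError`; none is visible in this diff, so it is worth a search before merging. The `LOG.info` call below rightly leaves `ldap_password` out of the message. A short comment above it, such as `# ldap_password is deliberately not logged`, would help keep it that way. `__init__` starts outside this hunk.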
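Review bot: In the `@@ -314,6 +314,13 @@` hunk the `else` branch sets `password = None`, and the next hunk passes it explicitly as `password=password`, so it replaces the `'hue'` default added to `ConnectionConfig`, assuming `get_client` forwards the keyword unchanged (its body is not in this diff). The `connect_to_thrift` hunk (`@@ -246,7 +249,7 @@`) then calls `str(conf.password)`, which would send the literal string `'None'` on PLAIN connections instead of the placeholder its comment describes. Either use `password = 'hue'` in the `else` branch or pass `password` only when `ldap_username` is set, so the non-LDAP path keeps its previous behaviour.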
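Review bot: `password=password` in the `@@ -321,7 +328,8 @@` hunk puts the LDAP password on the Thrift transport, while `use_ssl=ssl_enabled` two lines below shows that TLS is optional. SASL PLAIN has no encryption of its own, so if the LDAP path uses PLAIN (as the `ConnectionConfig` docstring in this commit suggests) and SSL is off, the credential crosses the network in clear text. Consider refusing the connection, or at least warning, in that case: `if ldap_username and not ssl_enabled: LOG.warning('LDAP credentials will be sent to HiveServer2 without TLS')`. The `get_client` call continues outside the hunk.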
@@ -351,8 +361,11 @@ class HiveServerClient:
 use_sasl = hive_mechanism in ('KERBEROS', 'NONE')
 mechanism = HiveServerClient.HS2_MECHANISMS[hive_mechanism]
 impersonation_enabled = hive_site.hiveserver2_impersonation_enabled()
+ if LDAP_PASSWORD.get(): # HiveServer2 supports pass-through LDAP authentication.
+ ldap_username = 'hue'
+ ldap_password = LDAP_PASSWORD.get()
- return use_sasl, mechanism, kerberos_principal_short_name, impersonation_enabled
+ return use_sasl, mechanism, kerberos_principal_short_name, impersonation_enabled, ldap_username, ldap_password
 def open_session(self, user):
@@ -369,9 +382,6 @@ class HiveServerClient:
 if self.query_server['server_name'] == 'beeswax': # All the time
 kwargs['configuration'].update({'hive.server2.proxy.user': user.username})
- if LDAP_PASSWORD.get(): # HiveServer2 supports pass-through LDAP authentication.
- kwargs['username'] = 'hue'
- kwargs['password'] = LDAP_PASSWORD.get()
 req = TOpenSessionReq(**kwargs)
 res = self._client.OpenSession(req)
diff --git a/desktop/core/src/desktop/lib/thrift_util.py b/desktop/core/src/desktop/lib/thrift_util.py
index 7923a80..b41f8b8 100644
--- a/desktop/core/src/desktop/lib/thrift_util.py
+++ b/desktop/core/src/desktop/lib/thrift_util.py
@@ -74,6 +74,7 @@ class ConnectionConfig(object):
 kerberos_principal="thrift",
 mechanism='GSSAPI',
 username='hue',
+ password='hue',
 ca_certs=None,
 keyfile=None,
 certfile=None,
@@ -88,7 +89,8 @@ class ConnectionConfig(object):
 @param use_sasl If true, will use KERBEROS or PLAIN over SASL to authenticate
 @param use_ssl If true, will use ca_certs, keyfile, and certfile to create TLS connection
 @param mechanism: GSSAPI or PLAIN if SASL
- @param username: username if PLAIN SASL only
+ @param username: username if PLAIN SASL or LDAP only
+ @param password: password if PLAIN LDAP only
 @param kerberos_principal The Kerberos service name to connect to. NOTE: for a service like fooservice/foo.blah.com@REALM only specify "fooservice", NOT the full principal name.
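Review bot: The context line `use_sasl = hive_mechanism in ('KERBEROS', 'NONE')` in the `@@ -351,8 +361,11 @@` hunk leaves `use_sasl` false for every other mechanism, yet the new credentials only reach the server through the `saslc.setAttr(...)` calls shown in the `connect_to_thrift` hunk. If `'LDAP'` is a key of `HS2_MECHANISMS` and the SASL client is built only when `use_sasl` is true (neither is visible here), an LDAP-configured HiveServer2 would no longer receive the username and password that the next hunk removes from `open_session`. In that case the line would need to read `use_sasl = hive_mechanism in ('KERBEROS', 'NONE', 'LDAP')`. Separately, `LDAP_PASSWORD.get()` is read twice; reading it once into `ldap_password` and testing that variable is simpler. The branch these lines belong to starts outside the hunk and its indentation is not recoverable from this page.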
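Review bot: The `password='hue'` default in the `@@ -74,6 +74,7 @@` hunk is a non-secret placeholder for PLAIN connections that need a non-empty string, but neither the signature nor the docstring says so. The docstring line added in the following hunk, `@param password: password if PLAIN LDAP only`, reads as if the value were ignored elsewhere, while `connect_to_thrift` sends it on every PLAIN connection. I would word it as `@param password: password for PLAIN SASL; the default is a non-secret placeholder, real LDAP credentials must be passed in by the caller`. The constructor signature starts outside the hunk.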
@@ -107,6 +109,7 @@ class ConnectionConfig(object):
 self.use_ssl = use_ssl
 self.mechanism = mechanism
 self.username = username
+ self.password = password
 self.kerberos_principal = kerberos_principal
 self.ca_certs = ca_certs
 self.keyfile = keyfile
@@ -117,7 +120,7 @@ class ConnectionConfig(object):
 def __str__(self):
 return ', '.join(map(str, [self.klass, self.host, self.port, self.service_name, self.use_sasl, self.kerberos_principal, self.timeout_seconds,
- self.mechanism, self.username, self.use_ssl, self.ca_certs, self.keyfile, self.certfile, self.validate, self.transport]))
+ self.mechanism, self.username, self.password, self.use_ssl, self.ca_certs, self.keyfile, self.certfile, self.validate, self.transport]))
 class ConnectionPooler(object):
 """
@@ -246,7 +249,7 @@ def connect_to_thrift(conf):
 saslc.setAttr("service", str(conf.kerberos_principal))
 if conf.mechanism == 'PLAIN':
 saslc.setAttr("username", str(conf.username))
- saslc.setAttr("password", 'hue') # Just a non empty string
+ saslc.setAttr("password", str(conf.password)) # defaults to hue for a non-empty string unless using ldap
 saslc.init()
 return saslc
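Review bot: Adding `self.password` to `__str__` in the `@@ -117,7 +120,7 @@` hunk means any log line, exception message or debug dump that formats a `ConnectionConfig` will now contain the LDAP password in clear text. Leave the field out of the string or mask it, for example `'<redacted>' if self.password else None` in place of `self.password`. If the string form is also used as a cache or pool key elsewhere in this file (not visible in the hunk), build that key from a separate tuple that is never printed, so connections with different credentials stay distinct without exposing the secret.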