diff --git a/ldapauth.go b/ldapauth.go
index 316148a..d9c62d2 100644
--- a/ldapauth.go
+++ b/ldapauth.go
@@ -270,8 +270,12 @@ func LdapCheckUser(conn *ldap.Conn, config *Config, username, password string) (
 userDN := result.Entries[0].DN
 LoggerINFO.Printf("Authenticating User: %s", userDN)
+ // Copy conn to validate user password. This prevents changing the bind made
+ // previously, then LdapCheckUserAuthorized will use same operation mode
+ _nconn := conn
+
 // Bind User and password.
- err = conn.Bind(userDN, password)
+ err = _nconn.Bind(userDN, password)
 return err == nil, result.Entries[0], err
 }
diff --git a/readme.md b/readme.md
index 0c531e1..6444146 100644
--- a/readme.md
+++ b/readme.md
@@ -101,6 +101,8 @@ labels:
 ## Operations Mode
+The `Operation Mode` detected will be used to perform all subsequent requests.
+
 ### Bind Mode
 If no `searchFilter` is specified in its configuration, the middleware runs in the default bind mode, meaning it tries to make a simple bind request to the LDAP server with the credentials provided in the request headers. If the bind succeeds, the middleware forwards the request, otherwise, it returns a 401 Unauthorized status code.
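Review bot: `_nconn := conn` copies the `*ldap.Conn` pointer, not the connection, so `_nconn.Bind(userDN, password)` still rebinds the one shared LDAP session as the end user, and the added comment's claim that the earlier bind is preserved does not hold. Any later request on `conn` (the comment names LdapCheckUserAuthorized) would then run under the authenticated user's identity and directory ACLs rather than the identity bound before this call, so authorization lookups may fail or return different results depending on directory permissions. Either validate the password on a separate short-lived connection that is closed afterwards, or restore the original bind on `conn` right after the check, for example `if rerr := conn.Bind(<service bind DN>, <service bind password>); rerr != nil { return false, nil, rerr }`, where the placeholders stand for whatever credentials made the first bind. In both cases drop the `_nconn` alias and correct the comment. LdapCheckUser begins outside this hunk, so how the first bind was made is not visible here.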