diff --git a/Documentation/config-gerrit.txt b/Documentation/config-gerrit.txt
index d29a99a8cf..9bcdaab307 100644
--- a/Documentation/config-gerrit.txt
+++ b/Documentation/config-gerrit.txt
@@ -1086,6 +1086,16 @@ _(Optional)_ Password for the user identified by `ldap.username`. If not set, an anonymous (or passwordless) connection to the LDAP server is attempted.
+[[ldap.referral]]ldap.referral::
++
+_(Optional)_ How an LDAP referral should be handled if it is
+encountered during directory traversal. Set to `follow` to
+automatically follow any referrals, or `ignore` to stop and fail
+with `javax.naming.PartialResultException: Unprocessed Continuation
+Reference(s)`
++
+By default, `ignore`.
+
 [[ldap.accountBase]]ldap.accountBase::
 +
 Root of the tree containing all user accounts. This is typically
diff --git a/gerrit-server/src/main/java/com/google/gerrit/server/auth/ldap/LdapRealm.java b/gerrit-server/src/main/java/com/google/gerrit/server/auth/ldap/LdapRealm.java
index c2f9f1042a..bad97e83df 100644
--- a/gerrit-server/src/main/java/com/google/gerrit/server/auth/ldap/LdapRealm.java
+++ b/gerrit-server/src/main/java/com/google/gerrit/server/auth/ldap/LdapRealm.java
@@ -74,6 +74,7 @@ class LdapRealm implements Realm {
 private final String server;
 private final String username;
 private final String password;
+ private final String referral;
 private final boolean sslVerify;
 private final AuthConfig authConfig;
@@ -105,6 +106,7 @@ class LdapRealm implements Realm {
 this.server = required(config, "server");
 this.username = optional(config, "username");
 this.password = optional(config, "password");
+ this.referral = optional(config, "referral");
 this.sslVerify = config.getBoolean("ldap", "sslverify", true);
 this.readOnlyAccountFields = new HashSet();
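Review bot: The value read by `optional(config, "referral")` in the `@@ -105,6 +106,7 @@` hunk is stored without any check and is later handed straight to `Context.REFERRAL`, so a misspelled setting would presumably surface only when a directory context is created rather than at startup. JNDI defines `follow`, `ignore` and `throw` for that property, while the documentation added in this commit names only the first two. Checking the value against the supported set and applying the default once here, e.g. `String r = optional(config, "referral");` followed by `this.referral = r != null ? r : "ignore";`, would also remove the duplicated `referral != null ? referral : "ignore"` at the two `env.put` sites. The constructor starts and ends outside the hunk.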
@@ -467,6 +469,7 @@ class LdapRealm implements Realm {
 env.put(Context.SECURITY_AUTHENTICATION, "simple");
 env.put(Context.SECURITY_PRINCIPAL, username);
 env.put(Context.SECURITY_CREDENTIALS, password != null ? password : "");
+ env.put(Context.REFERRAL, referral != null ? referral : "ignore");
 }
 return new InitialDirContext(env);
 }
@@ -477,6 +480,7 @@ class LdapRealm implements Realm {
 env.put(Context.SECURITY_AUTHENTICATION, "simple");
 env.put(Context.SECURITY_PRINCIPAL, dn);
 env.put(Context.SECURITY_CREDENTIALS, password != null ? password : "");
+ env.put(Context.REFERRAL, referral != null ? referral : "ignore");
 try {
 return new InitialDirContext(env);
 } catch (NamingException e) {
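Review bot: In the `@@ -467,6 +469,7 @@` hunk the new `env.put(Context.REFERRAL, ...)` is placed before the closing `}` that follows it, so it appears to run only inside the branch that sets `SECURITY_PRINCIPAL` to `username`. If that brace closes an `if (username != null)` block (its opening is outside the hunk), an anonymous connection never receives the configured value and `ldap.referral = follow` is silently not applied on that path. Moving the line below the brace, directly before `return new InitialDirContext(env);`, would apply the setting to both the authenticated and the anonymous case.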
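Review bot: With `ldap.referral = follow`, the environment built in the `@@ -477,6 +480,7 @@` hunk carries the user's `dn` and `password` under simple authentication, and the JNDI LDAP provider by default reuses the original environment, credentials included, when it follows a referral. The directory server's referral therefore decides which host receives that bind, and the transport used may depend on the referral URL rather than on `ldap.server`. A comment on the new line would make this visible, for example `// "follow" re-binds to the referred host with these credentials; enable only for trusted directories`, and the same caveat belongs in the `ldap.referral` documentation entry. The same applies to the service-account credentials in the `@@ -467,6 +469,7 @@` hunk; the method starts and ends outside this hunk.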