diff --git a/awx/main/tests/functional/api/test_settings.py b/awx/main/tests/functional/api/test_settings.py
index a3fd24b22b..afa113bb6e 100644
--- a/awx/main/tests/functional/api/test_settings.py
+++ b/awx/main/tests/functional/api/test_settings.py
@@ -86,6 +86,21 @@ def test_ldap_settings(get, put, patch, delete, admin, enterprise_license):
     patch(url, user=admin, data={'AUTH_LDAP_SERVER_URI': 'ldap://ldap.example.com, ldap://ldap2.example.com'}, expect=200)
 
 
+@pytest.mark.parametrize('setting', [
+    'AUTH_LDAP_USER_DN_TEMPLATE',
+    'AUTH_LDAP_REQUIRE_GROUP',
+    'AUTH_LDAP_DENY_GROUP',
+])
+@pytest.mark.django_db
+def test_empty_ldap_dn(get, put, patch, delete, admin, enterprise_license,
+                       setting):
+    url = reverse('api:setting_singleton_detail', args=('ldap',))
+    Setting.objects.create(key='LICENSE', value=enterprise_license)
+    patch(url, user=admin, data={setting: ''}, expect=200)
+    resp = get(url, user=admin, expect=200)
+    assert resp.data[setting] is None
+
+
 @pytest.mark.django_db
 def test_radius_settings(get, put, patch, delete, admin, enterprise_license, settings):
     url = reverse('api:setting_singleton_detail', args=('radius',))
diff --git a/awx/sso/fields.py b/awx/sso/fields.py
index 174f4a6853..7077c2af14 100644
--- a/awx/sso/fields.py
+++ b/awx/sso/fields.py
@@ -153,6 +153,12 @@ class LDAPDNField(fields.CharField):
         super(LDAPDNField, self).__init__(**kwargs)
         self.validators.append(validate_ldap_dn)
 
+    def run_validation(self, data=empty):
+        value = super(LDAPDNField, self).run_validation(data)
+        # django-auth-ldap expects DN fields (like AUTH_LDAP_REQUIRE_GROUP)
+        # to be either a valid string or ``None`` (not an empty string)
+        return None if value == '' else value
+
 
 class LDAPDNWithUserField(fields.CharField):
 
@@ -160,6 +166,12 @@ class LDAPDNWithUserField(fields.CharField):
         super(LDAPDNWithUserField, self).__init__(**kwargs)
         self.validators.append(validate_ldap_dn_with_user)
 
+    def run_validation(self, data=empty):
+        value = super(LDAPDNWithUserField, self).run_validation(data)
+        # django-auth-ldap expects DN fields (like AUTH_LDAP_USER_DN_TEMPLATE)
+        # to be either a valid string or ``None`` (not an empty string)
+        return None if value == '' else value
+
 
 class LDAPFilterField(fields.CharField):