diff --git a/lib/serverrequestcontext.go b/lib/serverrequestcontext.go
index a4379b5e3..de5eb9e00 100644
--- a/lib/serverrequestcontext.go
+++ b/lib/serverrequestcontext.go
@@ -278,7 +278,10 @@ func (ctx *serverRequestContextImpl) GetAttrExtension(attrReqs []*api.AttributeR
 if err != nil {
 return nil, err
 }
- allAttrs, _ := ui.GetAttributes(nil)
+ allAttrs, err := ui.GetAttributes(nil)
+ if err != nil {
+ return nil, err
+ }
 if attrReqs == nil {
 attrReqs = getDefaultAttrReqs(allAttrs)
 if attrReqs == nil {
diff --git a/scripts/fvt/fabric-ca_utils b/scripts/fvt/fabric-ca_utils
index b642b843a..19657fbb5 100755
--- a/scripts/fvt/fabric-ca_utils
+++ b/scripts/fvt/fabric-ca_utils
@@ -535,6 +535,7 @@ function genRunconfig() {
 : ${FABRIC_TLS:='false'}
 : ${FABRIC_CA_DEBUG:='false'}
 local registry=""
+ local converters=""
 setTLS
 case ${version:-"yaml"} in
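Review bot: The error surfaced by the new check after `ui.GetAttributes(nil)` is returned bare, and since the preceding `if err != nil { return nil, err }` in GetAttrExtension is equally undifferentiated, a caller or log line cannot tell an attribute-store failure from the earlier identity lookup. Consider wrapping it at the call site, e.g. `return nil, errors.WithMessage(err, "failed to get attributes for user")` if this file already uses pkg/errors (fabric-ca's lib package generally does — confirm), or `fmt.Errorf("getting user attributes: %w", err)` otherwise. Replacing the discarded error is the right fail-closed change: with the old `allAttrs, _ :=`, a failed lookup left allAttrs empty and the request still went on to `getDefaultAttrReqs(allAttrs)`, so the failure would presumably have surfaced later as a misleading "attribute not found" or not at all. GetAttrExtension starts before this hunk and continues past it, so whether a wrapper is applied by the caller cannot be confirmed from here.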
@@ -858,6 +859,26 @@ done)
 maxEnrollments: $maxEnroll
 attrs: []"
 fi
+
+converters='
+ converters:
+ - name: hf.GenCRL
+ value: attr("memberOf") =~ "cn=Gencrl,ou=groups,dc=example,dc=com" || attr("memberOf") =~ "cn=pkiAdmin,ou=groups,dc=example,dc=com"
+ - name: hf.Revoker
+ value: attr("memberOf") =~ "cn=Revoker,ou=groups,dc=example,dc=com" || attr("memberOf") =~ "cn=pkiAdmin,ou=groups,dc=example,dc=com"
+ - name: hf.IntermediateCA
+ value: attr("memberOf") =~ "cn=Ca,ou=groups,dc=example,dc=com"
+ - name: hf.Registrar.Roles
+ value: map(attr("memberOf"),"roles")'
+
+if [ "$LDAP_ERROR" == "true" ]; then converters='
+ converters:
+ - name: hf.GenCRL
+ value: attr("memberOf") =~ "cn=Gencrl,ou=groups,dc=example,dc=com" || attr("memberOf") =~ "cn=pkiAdmin,ou=groups,dc=example,dc=com"
+ - name: hf.Type
+ value: client'
+fi
+
 cat > $runconfig <&1| grep 'Authorization failure'
 test "$?" -eq 0 || ErrorMsg "User 'notadmin' should not generate a crl"
+export LDAP_ERROR=true
+$SCRIPTDIR/fabric-ca_setup.sh -R
+$SCRIPTDIR/fabric-ca_setup.sh -I -a -D -X -S -n1
+CA_CFG_PATH=$UDIR enroll testUser testUserpw uid,hf.Revoker 2>&1 | grep "Failed to evaluate LDAP expression"
+test "$?" -eq 0 || ErrorMsg "Enroll should fail, incorrect LDAP converter specified"
+
 CleanUp $RC
 exit $RC