diff --git a/graph/pkg/config/config.go b/graph/pkg/config/config.go
index 6196bcdfc4e..953a5ad55dc 100644
--- a/graph/pkg/config/config.go
+++ b/graph/pkg/config/config.go
@@ -38,6 +38,7 @@ type LDAP struct {
 BindDN string `ocisConfig:"bind_dn" env:"GRAPH_LDAP_BIND_DN"`
 BindPassword string `ocisConfig:"bind_password" env:"GRAPH_LDAP_BIND_PASSWORD"`
 UseServerUUID bool `ocisConfig:"use_server_uuid" env:"GRAPH_LDAP_SERVER_UUID"`
+ WriteEnabled bool `ocisConfig:"write_enabled" env:"GRAPH_LDAP_SERVER_WRITE_ENABLED"`
 UserBaseDN string `ocisConfig:"user_base_dn" env:"GRAPH_LDAP_USER_BASE_DN"`
 UserSearchScope string `ocisConfig:"user_search_scope" env:"GRAPH_LDAP_USER_SCOPE"`
diff --git a/graph/pkg/config/defaultconfig.go b/graph/pkg/config/defaultconfig.go
index ae04f752ad7..3c98b0b277c 100644
--- a/graph/pkg/config/defaultconfig.go
+++ b/graph/pkg/config/defaultconfig.go
@@ -32,6 +32,7 @@ func DefaultConfig() *Config {
 BindDN: "",
 BindPassword: "",
 UseServerUUID: false,
+ WriteEnabled: false,
 UserBaseDN: "ou=users,dc=ocis,dc=test",
 UserSearchScope: "sub",
 UserFilter: "(objectClass=inetOrgPerson)",
diff --git a/graph/pkg/identity/ldap.go b/graph/pkg/identity/ldap.go
index b9d1cae2b0d..bf16afe93ca 100644
--- a/graph/pkg/identity/ldap.go
+++ b/graph/pkg/identity/ldap.go
@@ -16,6 +16,7 @@ import (
 type LDAP struct {
 useServerUUID bool
+ writeEnabled bool
 userBaseDN string
 userFilter string
@@ -85,6 +86,7 @@ func NewLDAPBackend(lc ldap.Client, config config.LDAP, logger *log.Logger) (*LD
 groupAttributeMap: gam,
 logger: logger,
 conn: lc,
+ writeEnabled: config.WriteEnabled,
 }, nil
 }
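Review bot: The new `WriteEnabled` field in the config.go hunk has no doc comment, so an operator reading the struct (or generated config docs) cannot tell what the flag gates or that the default is read-only; the defaultconfig.go hunk sets it to `false` and the ldap.go guards reject writes with `NotAllowed`, so both facts are known. I would add above the field: `// WriteEnabled allows the graph service to create, update and delete user entries on the LDAP server. It defaults to false, in which case CreateUser, UpdateUser and DeleteUser return a NotAllowed error.` The env name `GRAPH_LDAP_SERVER_WRITE_ENABLED` inserts a `SERVER_` segment that the `write_enabled` config key does not have; it mirrors `GRAPH_LDAP_SERVER_UUID` above it, so that is presumably intentional, but the comment should spell the env name out so the two are discoverable together.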
@@ -92,6 +94,9 @@ func NewLDAPBackend(lc ldap.Client, config config.LDAP, logger *log.Logger) (*LD
 // LDAP User Entry (using the inetOrgPerson LDAP Objectclass) add adds that to the
 // configured LDAP server
 func (i *LDAP) CreateUser(ctx context.Context, user libregraph.User) (*libregraph.User, error) {
+ if !i.writeEnabled {
+ return nil, errorcode.New(errorcode.NotAllowed, "server is configured read-only")
+ }
 ar := ldap.AddRequest{
 DN: fmt.Sprintf("uid=%s,%s", *user.OnPremisesSamAccountName, i.userBaseDN),
 Attributes: []ldap.Attribute{
@@ -155,6 +160,9 @@ func (i *LDAP) CreateUser(ctx context.Context, user libregraph.User) (*libregrap
 // DeleteUser implements the Backend Interface. It permanently deletes a User identified
 // by name or id from the LDAP server
 func (i *LDAP) DeleteUser(ctx context.Context, nameOrID string) error {
+ if !i.writeEnabled {
+ return errorcode.New(errorcode.NotAllowed, "server is configured read-only")
+ }
 e, err := i.getLDAPUserByNameOrID(nameOrID)
 if err != nil {
 return err
@@ -168,6 +176,9 @@ func (i *LDAP) DeleteUser(ctx context.Context, nameOrID string) error {
 // UpdateUser implements the Backend Interface. It's currently not suported for the CS3 backedn
 func (i *LDAP) UpdateUser(ctx context.Context, nameOrID string, user libregraph.User) (*libregraph.User, error) {
+ if !i.writeEnabled {
+ return nil, errorcode.New(errorcode.NotAllowed, "server is configured read-only")
+ }
 e, err := i.getLDAPUserByNameOrID(nameOrID)
 if err != nil {
 return nil, err
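Review bot: The read-only guard added at the top of CreateUser is repeated verbatim in the DeleteUser and UpdateUser hunks, with the same error code and the same literal message, so a future wording change or a new write method (groups, for instance) has three places to keep in step. A single unexported helper on `*LDAP` keeps the policy in one place and gives one spot to log the rejected write through `i.logger` (set in the NewLDAPBackend hunk), which makes a misconfigured deployment, or an unexpected write attempt against a read-only backend, visible in the service log rather than only in the caller's error. Placing the guard before `getLDAPUserByNameOrID` in DeleteUser and UpdateUser is the right order, since it does not reveal whether the entry exists. Note that this flag is an application-side gate only; the permissions of the configured bind DN on the directory remain the control that actually bounds what the service can change, and the code comment should say so. The bodies of all three methods continue outside their hunks.
```go
// ensureWritable returns a NotAllowed error when the backend is configured
// read-only (config.LDAP.WriteEnabled is false). This is an application-side
// gate; the bind account's directory ACLs remain the authoritative limit.
func (i *LDAP) ensureWritable() error {
	if !i.writeEnabled {
		// TODO(review): emit a debug/warn log line via i.logger here so rejected writes are observable.
		return errorcode.New(errorcode.NotAllowed, "server is configured read-only")
	}
	return nil
}

func (i *LDAP) CreateUser(ctx context.Context, user libregraph.User) (*libregraph.User, error) {
	if err := i.ensureWritable(); err != nil {
		return nil, err
	}
	// … unchanged: AddRequest construction and the rest of CreateUser …
```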
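Review bot: The doc comment on UpdateUser in the last hunk, `// UpdateUser implements the Backend Interface. It's currently not suported for the CS3 backedn`, has two typos and describes the CS3 backend on what is the LDAP implementation, so it reads as stale now that this method gains a real read-only check. I would replace it with `// UpdateUser implements the Backend Interface. It modifies the LDAP entry of the user identified by name or id; it returns a NotAllowed error when the backend is configured read-only.`, which only states what the visible lines do. UpdateUser's body runs past the end of the hunk, so the rest of its contract should be confirmed against the full function before the comment is finalised.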