diff --git a/cmd/controller-manager/app/server.go b/cmd/controller-manager/app/server.go
index 335e26a85d8c5612e767aaec684ce7578119c429..bec2ed6b4840fca082f66f552741aa17f5ab321a 100644
--- a/cmd/controller-manager/app/server.go
+++ b/cmd/controller-manager/app/server.go
@@ -118,9 +118,8 @@ func run(s *options.KubeSphereControllerManagerOptions, stopCh <-chan struct{})
 }
 var ldapClient ldapclient.Interface
- if s.LdapOptions == nil || len(s.LdapOptions.Host) == 0 {
- return fmt.Errorf("ldap service address MUST not be empty")
- } else {
+ // when there is no ldapOption, we set ldapClient as nil, which means we don't need to sync user info into ldap.
+ if s.LdapOptions != nil && len(s.LdapOptions.Host) != 0 {
 if s.LdapOptions.Host == ldapclient.FAKE_HOST { // for debug only
 ldapClient = ldapclient.NewSimpleLdap()
 } else {
@@ -129,6 +128,8 @@ func run(s *options.KubeSphereControllerManagerOptions, stopCh <-chan struct{})
 return fmt.Errorf("failed to connect to ldap service, please check ldap status, error: %v", err)
 }
 }
+ } else {
+ klog.Info("Kubesphere-controller-manager starts without ldap option, it will not sync user into ldap")
 }
 var openpitrixClient openpitrix.Client
diff --git a/pkg/apiserver/authentication/authenticators/jwttoken/jwt_token.go b/pkg/apiserver/authentication/authenticators/jwttoken/jwt_token.go
index a75734fd77700c051a25ba0a3a6f1b94bcfeead3..09c55cb13a77adc02128c1733f511ae13c590961 100644
--- a/pkg/apiserver/authentication/authenticators/jwttoken/jwt_token.go
+++ b/pkg/apiserver/authentication/authenticators/jwttoken/jwt_token.go
@@ -22,6 +22,7 @@ import (
 "k8s.io/apiserver/pkg/authentication/authenticator"
 "k8s.io/apiserver/pkg/authentication/user"
 "k8s.io/klog"
+ iamv1alpha2listers "kubesphere.io/kubesphere/pkg/client/listers/iam/v1alpha2"
 "kubesphere.io/kubesphere/pkg/models/iam/im"
 )
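Review bot: In cmd/controller-manager/app/server.go the new `else` branch (second hunk) reports a missing LDAP configuration only at Info level, although before this change an empty `s.LdapOptions.Host` stopped startup with an error. A host that is lost through a configuration mistake now disables user sync to LDAP without anything an operator would notice, so the message should be at least a warning, for example `klog.Warning("ldap options not set, user sync to ldap is disabled")`. The comment added in the first hunk could also state that a nil `ldapClient` is a supported state that every consumer has to check for. The body of `run` starts and ends outside both hunks.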
diff --git a/pkg/controller/user/user_controller.go b/pkg/controller/user/user_controller.go
index 4409d52691070b6462d724b19f7173a0c4528c69..59638a4479e681176e0b2589f9813246dd4e661f 100644
--- a/pkg/controller/user/user_controller.go
+++ b/pkg/controller/user/user_controller.go
@@ -287,9 +287,12 @@ func (c *Controller) reconcile(key string) error {
 if sliceutil.HasString(user.ObjectMeta.Finalizers, finalizer) {
 klog.V(4).Infof("delete user %s", key)
- if err = c.ldapClient.Delete(key); err != nil && err != ldapclient.ErrUserNotExists {
- klog.Error(err)
- return err
+ // we do not need to delete the user from ldapServer when ldapClient is nil
+ if c.ldapClient != nil {
+ if err = c.ldapClient.Delete(key); err != nil && err != ldapclient.ErrUserNotExists {
+ klog.Error(err)
+ return err
+ }
 }
 if err = c.deleteRoleBindings(user); err != nil {
@@ -329,9 +332,12 @@ func (c *Controller) reconcile(key string) error {
 return nil
 }
- if err = c.ldapSync(user); err != nil {
- klog.Error(err)
- return err
+ // we do not need to sync ldap info when ldapClient is nil
+ if c.ldapClient != nil {
+ if err = c.ldapSync(user); err != nil {
+ klog.Error(err)
+ return err
+ }
 }
 if user, err = c.ensurePasswordIsEncrypted(user); err != nil {
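Review bot: The nil check on `c.ldapClient` is repeated at both call sites in `reconcile` (before `c.ldapClient.Delete(key)` in the first hunk and before `c.ldapSync(user)` in the second), so any other use of the client outside these hunks would still dereference nil. Putting the check in the callee, `if c.ldapClient == nil { return nil }` at the top of `ldapSync` and of a small delete helper, keeps that invariant in one place. On the delete path, skipping the LDAP removal means an entry written while LDAP was configured stays in the directory after the user object is gone; if anything still authenticates against that directory, the account remains usable there. A log line when the removal is skipped, such as `klog.V(4).Infof("ldap not configured, skipping ldap delete for user %s", key)`, would make that visible in an audit. `reconcile` starts and ends outside both hunks.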