diff --git a/authentik/root/settings.py b/authentik/root/settings.py
index 064516571..5060215fe 100644
--- a/authentik/root/settings.py
+++ b/authentik/root/settings.py
@@ -320,7 +320,7 @@ CELERY_RESULT_BACKEND = (
# Database backup
DBBACKUP_STORAGE = "django.core.files.storage.FileSystemStorage"
DBBACKUP_STORAGE_OPTIONS = {"location": "./backups" if DEBUG else "/backups"}
-DBBACKUP_FILENAME_TEMPLATE = 'authentik-backup-{datetime}.sql'
+DBBACKUP_FILENAME_TEMPLATE = "authentik-backup-{datetime}.sql"
if CONFIG.y("postgresql.s3_backup"):
DBBACKUP_STORAGE = "storages.backends.s3boto3.S3Boto3Storage"
DBBACKUP_STORAGE_OPTIONS = {
diff --git a/outpost/pkg/ldap/instance_bind.go b/outpost/pkg/ldap/instance_bind.go
index e9cb527f0..6ba7d1d4b 100644
--- a/outpost/pkg/ldap/instance_bind.go
+++ b/outpost/pkg/ldap/instance_bind.go
@@ -67,7 +67,7 @@ func (pi *ProviderInstance) Bind(username string, bindPW string, conn net.Conn)
}
params := url.Values{}
params.Add("goauthentik.io/outpost/ldap", "true")
- passed, err := pi.solveFlowChallenge(username, bindPW, client, params.Encode())
+ passed, err := pi.solveFlowChallenge(username, bindPW, client, params.Encode(), 1)
if err != nil {
pi.log.WithField("boundDN", username).WithError(err).Warning("failed to solve challenge")
return ldap.LDAPResultOperationsError, nil
@@ -139,7 +139,7 @@ func (pi *ProviderInstance) delayDeleteUserInfo(dn string) {
}()
}
-func (pi *ProviderInstance) solveFlowChallenge(bindDN string, password string, client *http.Client, urlParams string) (bool, error) {
+func (pi *ProviderInstance) solveFlowChallenge(bindDN string, password string, client *http.Client, urlParams string, depth int) (bool, error) {
challenge, err := pi.s.ac.Client.Flows.FlowsExecutorGet(&flows.FlowsExecutorGetParams{
FlowSlug: pi.flowSlug,
Query: urlParams,
@@ -169,6 +169,10 @@ func (pi *ProviderInstance) solveFlowChallenge(bindDN string, password string, c
}
response, err := pi.s.ac.Client.Flows.FlowsExecutorSolve(responseParams, pi.s.ac.Auth)
pi.log.WithField("component", response.Payload.Component).WithField("type", *response.Payload.Type).Debug("Got response")
+ switch response.Payload.Component {
+ case "ak-stage-access-denied":
+ return false, errors.New("got ak-stage-access-denied")
+ }
if *response.Payload.Type == "redirect" {
return true, nil
}
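Review bot: The added `switch` reads `response.Payload.Component` before the `err` returned by `FlowsExecutorSolve` is checked, and no check is visible between the call and the existing debug log line either. If the API call fails and `response` is nil, this would panic inside the bind path instead of failing the bind; an `if err != nil { return false, err }` directly after the call would cover both the log line and the new switch. Separately, returning an error for `ak-stage-access-denied` makes the caller in `Bind` log "failed to solve challenge" and answer `LDAPResultOperationsError`, so a policy denial looks the same as an outpost fault to the client and in the logs. Returning `false, nil` would keep the two apart, assuming the not-passed path in `Bind` (outside this diff) maps to a credentials or access result. The body of `solveFlowChallenge` starts and ends outside this hunk.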
@@ -184,5 +188,8 @@ func (pi *ProviderInstance) solveFlowChallenge(bindDN string, password string, c
}
}
}
- return pi.solveFlowChallenge(bindDN, password, client, urlParams)
+ if depth >= 10 {
+ return false, errors.New("exceeded stage recursion depth")
+ }
+ return pi.solveFlowChallenge(bindDN, password, client, urlParams, depth+1)
}
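Review bot: The recursion bound is a bare `10` in this hunk and the starting value is a bare `1` at the call in `Bind`, so the limit is split across two places with nothing explaining it. A named constant such as `const maxFlowDepth = 10`, checked as `if depth >= maxFlowDepth`, would make the bound easy to find and audit. A doc comment on `solveFlowChallenge` should say that `depth` counts executor round-trips and that the limit stops a flow that never reaches a redirect from keeping a single bind request looping. Including the bound DN as a log field when the limit is hit, as the `Bind` warning already does, would help operators trace the misconfigured flow.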
diff --git a/web/src/pages/outposts/OutpostHealth.ts b/web/src/pages/outposts/OutpostHealth.ts
index 9ec2654c2..eee784756 100644
--- a/web/src/pages/outposts/OutpostHealth.ts
+++ b/web/src/pages/outposts/OutpostHealth.ts
@@ -42,13 +42,12 @@ export class OutpostHealthElement extends LitElement {
return html`