diff --git a/misc/pam_authentication/ldap.conf b/misc/pam_authentication/ldap.conf
index aca5b0491bc937997f7e70efae09d92c55564e67..117d1074915e3cacd9a97b83b5a2e83e3c50d451 100644
--- a/misc/pam_authentication/ldap.conf
+++ b/misc/pam_authentication/ldap.conf
@@ -2,6 +2,6 @@
 
 
 # Set the ldap server here.  This is also used to generate a fully qualified
-# user name.
+# user name: <USER>@$LDAP_SERVER
 
 # LDAP_SERVER="example.com"
diff --git a/misc/pam_authentication/ldap_authentication.sh b/misc/pam_authentication/ldap_authentication.sh
index 1e3ee2e8da5cc4aed55c55359ae1086e6b7de129..f887bf99f47c827fd712d2189a5ca89ec2981e6c 100755
--- a/misc/pam_authentication/ldap_authentication.sh
+++ b/misc/pam_authentication/ldap_authentication.sh
@@ -21,10 +21,10 @@
 #
 # ** end header
 
-# Try to authenticate a user ($1) with a password ($2) via LDAP
+# Try to authenticate a user ($1) via LDAP, either via stdin or a password file ($2, if given).
 
-[[ "$#" == "2" ]] || {
-    echo "call this script with two arguments: user and password"
+[[ "$#" == "1" || "$#" == "2" ]] || {
+    echo "Call this script as: $0 <user> [<password file>]"
     exit 1
 }
 
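Review bot: The usage message on the new echo line goes to stdout, but a diagnostic from an authentication helper belongs on stderr so it can never be confused with the helper's normal output; `echo "Call this script as: $0 <user> [<password file>]" >&2`. Since the check now admits a single argument, the bracketed `[<password file>]` tells callers that omitting the file is a supported mode, so testpw (defined further down, outside this hunk) has to treat an empty `$2` the way the header comment describes rather than as a literal password.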
@@ -33,11 +33,17 @@
 exe_dir=$(dirname $0)
 . "$exe_dir/"ldap.conf
 
+# If the second argument is empty or "-", take password from stdin, else use the argument as a file.
 testpw() {
     username="${1}@${LDAP_SERVER}"
-    pw="$2"
+    pwfile="$2"
+    pwargs=("-w" "$pwfile")
+    if [[ $pwfile == "-" ]] ; then
+        pwargs=("-W")
+    fi
 
-    if timeout 5s ldapwhoami -x -H "ldap://$LDAP_SERVER" -D "$username" -w "$pw"; then
+    export LDAPTLS_REQCERT=ALLOW
+    if timeout 5s ldapwhoami -x -H "ldaps://$LDAP_SERVER" -D "$username" "${pwargs[@]}"; then
         return 0
     else
         ret_code="$?"
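Review bot: `pwargs=("-w" "$pwfile")` passes the file *name* as the bind password — ldapwhoami's `-w` takes the password itself, the option that reads it from a file is `-y`, so the line should read `pwargs=("-y" "$pwfile")` (note that `-y` uses the file's complete contents, trailing newline included, as the password); the same array feeds the second ldapwhoami call in the next hunk, so one fix covers both. With a single argument `$pwfile` is empty and the `-` test on the following line does not catch it, so the bind runs with `-w ""`, an unauthenticated simple bind that some directory servers accept, meaning a missing password can be reported as a successful login; `if [[ -z $pwfile || $pwfile == "-" ]] ; then` matches the comment above the function, and a `[[ -s "$pwfile" ]]` check would refuse an empty password file for the same reason. `export LDAPTLS_REQCERT=ALLOW` disables server-certificate verification on the ldaps:// session that carries the password, which removes most of the benefit of moving from ldap:// to ldaps://; the verification level should stay at its default (`demand`) with `LDAPTLS_CACERT` pointing at the CA that issued the server certificate, ideally configured from ldap.conf rather than exported here. `-W` prompts for the password via the terminal rather than consuming stdin, so whether it works when the caller pipes the password in (as the header comment promises) should be confirmed; `-y /dev/stdin` would read the pipe directly. testpw continues past this hunk; its tail is in the following hunk.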
@@ -48,7 +54,7 @@ testpw() {
         return "$ret_code"
     fi
 
-    ldapwhoami -x -H "ldap://$LDAP_SERVER" -D "$username" -w "$pw"
+    ldapwhoami -x -H "ldaps://$LDAP_SERVER" -D "$username" "${pwargs[@]}"
 
 }