diff --git a/misc/pam_authentication/ldap.conf b/misc/pam_authentication/ldap.conf
deleted file mode 100644
index 664dd7c97524242fdb1ea7015bbc0e26c087b062..0000000000000000000000000000000000000000
--- a/misc/pam_authentication/ldap.conf
+++ /dev/null
@@ -1,8 +0,0 @@
-# This file is sourced by the LDAP authentication script
-
-# Set the ldap server here.
-# LDAP_SERVER="example.com"
-
-# Set the ldap domain here. This is used to generate a fully qualified
-# user name: <USER>@$LDAP_DOMAIN
-# LDAP_DOMAIN="example.com"
diff --git a/misc/pam_authentication/ldap.env b/misc/pam_authentication/ldap.env
new file mode 100644
index 0000000000000000000000000000000000000000..c40018c26735c3c7e65679b8269e5d1a40612bba
--- /dev/null
+++ b/misc/pam_authentication/ldap.env
@@ -0,0 +1,39 @@
+# ldap.env - This file is sourced by the LDAP authentication script.
+#
+# Please see https://linux.die.net/man/5/ldap.conf for more client
+# configuration variables.
+
+# REQUIRED - Set the ldap server here,
+export LDAPURI="ldap[s]://<ldap-service>[:<port>]/"
+
+# REQUIRED - Set the base domain here. This is used to generate a fully qualified
+# user name, a Distinguished Name (DN), with the BIND_DN_PATTERN:
+export USER_BASE="dc=example,dc=org" # for actual LDAP servers
+#export USER_BASE="example.org" # for MS Active Directory
+
+# REQUIRED if USER_BASE is configured for LDAP servers. The BIND_DN_PATTERN is
+# used to construct the DN from the USER_NAME and the USER_BASE. Be sure to
+# surround it with single quotation marks "'" because the variable are to be
+# expanded by the script. Defaults to the first
+#export BIND_DN_PATTERN='cn=${USER_NAME},${USER_BASE}' # for actual LDAP servers.
+#export BIND_DN_PATTERN='${USER_NAME}@${USER_BASE}' # for MS Active Directory
+
+
+
+# TLS SETTINGS
+
+# Specifies what checks to perform on server certificates in a TLS session, if
+# any. Defaults to "hard" which means that a successful TLS-certificate check
+# is necessary.
+#export LDAPTLS_REQCERT=never
+#export LDAPTLS_REQCERT=allow
+#export LDAPTLS_REQCERT=try
+export LDAPTLS_REQCERT=hard
+
+# Specifies the file that contains certificates for all of the Certificate
+# Authorities the client will recognize.
+export LDAPTLS_CACERT="<filename>"
+
+# Specifies the path of a directory that contains Certificate Authority
+# certificates in separate individual files.
+#export LDAPTLS_CACERTDIR=<path>
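Review bot: The LDAPURI template on L27 admits plain `ldap://`, and the sibling script binds with `-x` (simple bind), so with a non-TLS URI the user's password crosses the network in clear; a comment above L27 such as `# Use ldaps:// (or require StartTLS with -ZZ in the script): simple bind sends the password in clear over plain ldap://` would make the expectation explicit. The three commented alternatives at L48-L50 weaken or disable server-certificate verification and would let an active attacker capture the bind password; I would put `# never/allow/try weaken or skip certificate verification and expose the bind password to MITM - leave at hard` directly above them. L37 stops mid-sentence ("Defaults to the first"), presumably meaning the first pattern below, and L36 should read "the variables are". Since this file is executed as shell by the authentication script, the header should also state the expected ownership/permissions (root-owned, not writable by others), because anyone who can edit it can run code in the authenticating process.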
diff --git a/misc/pam_authentication/ldap_authentication.sh b/misc/pam_authentication/ldap_authentication.sh
index 1b86b8e1783399e2c43b92981a43789accb21e7d..662320c39e4741237049dada513828831c8cb2b0 100755
--- a/misc/pam_authentication/ldap_authentication.sh
+++ b/misc/pam_authentication/ldap_authentication.sh
@@ -24,38 +24,31 @@
 # Try to authenticate a user ($1) via LDAP, either via stdin or a password file ($2, if given).
 
 [[ "$#" == "1" || "$#" == "2" ]] || {
-    echo "Call this script as: $0 <user> [<password file>]"
+    echo "Call this script as: $0 <user> [-|<password file>]"
     exit 1
 }
 
-# set LDAP_SERVER here
-# e.g. `LDAP_SERVER=example.com`
-exe_dir=$(dirname $0)
-. "$exe_dir/"ldap.conf
+# Load all LDAP client settings
+exe_dir=$(dirname "$0")
+. "$exe_dir/ldap.env"
+LDAPTLS_REQCERT="${LDAP_TLS_REQCERT:-hard}"
+BIND_DN_PATTERN="${BIND_DN_PATTERN:-'cn=${USER_NAME},${USER_BASE}'}"
 
 # If the second argument is empty or "-", take password from stdin, else use the argument as a file.
 testpw() {
-    username="${1}@${LDAP_DOMAIN}"
+    local USER_NAME bind_dn pwfile pwargs
+    USER_NAME="$1"
+    bind_dn="$(eval "echo \"$BIND_DN_PATTERN\"")"
+
     pwfile="$2"
-    pwargs=("-w" "$pwfile")
-    if [[ $pwfile == "-" ]] ; then
+    pwargs=("-y" "$pwfile")
+    if [[ "$pwfile" == "-" ]] ; then
+        pwargs=("-W")
+    elif [ -z "$pwfile" ] ; then
         pwargs=("-W")
     fi
 
-    export LDAPTLS_REQCERT=ALLOW
-    if timeout 5s ldapwhoami -x -H "ldaps://$LDAP_SERVER" -D "$username" "${pwargs[@]}"; then
-        return 0
-    else
-        ret_code="$?"
-    fi
-
-    # Possibly try a second time
-    if [[ "$ret_code" != "124" ]] ; then
-        return "$ret_code"
-    fi
-
-    ldapwhoami -x -H "ldaps://$LDAP_SERVER" -D "$username" "${pwargs[@]}"
-
+    ldapwhoami -o "nettimeout=10" -x -D "$bind_dn" "${pwargs[@]}"
 }
 
 if testpw "$1" "$2" ; then
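Review bot: L80 reads `LDAP_TLS_REQCERT`, a name ldap.env never sets (it exports `LDAPTLS_REQCERT`), so the configured value is always overwritten with `hard`; forcing `hard` is the right default, so keep it but read the correct name. The fallback on L81 is expanded inside double quotes at load time, so `${USER_NAME}` becomes empty and the single quotes turn into literal characters, leaving a default of `'cn=,dc=…'` whenever ldap.env ships with BIND_DN_PATTERN commented out as it does now. The `eval` on L88 then executes whatever the configured pattern contains; with the two documented placeholders a plain parameter substitution builds the same DN without eval or echo, and a `:?` check on LDAPURI/USER_BASE fails closed instead of binding against an empty URI. The `if testpw` at L117 continues outside the hunk, and ldapwhoami's `-W` reads from the terminal rather than stdin in my experience, so the `-` form may need `-y /dev/stdin` to match the usage text - worth confirming under PAM.
```shell
# Load all LDAP client settings
exe_dir=$(dirname "$0")
. "$exe_dir/ldap.env"
: "${LDAPURI:?LDAPURI must be set in ldap.env}"
: "${USER_BASE:?USER_BASE must be set in ldap.env}"
export LDAPTLS_REQCERT="${LDAPTLS_REQCERT:-hard}"
[[ -n "${BIND_DN_PATTERN:-}" ]] || BIND_DN_PATTERN='cn=${USER_NAME},${USER_BASE}'

testpw() {
    local USER_NAME bind_dn pwfile pwargs
    USER_NAME="$1"
    # Only the two documented placeholders are substituted; the pattern is never evaluated as shell.
    bind_dn="${BIND_DN_PATTERN//\$\{USER_NAME\}/$USER_NAME}"
    bind_dn="${bind_dn//\$\{USER_BASE\}/$USER_BASE}"
    # … unchanged: password-argument selection and the ldapwhoami call …
}
```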