diff --git a/misc/pam_authentication/ldap.env b/misc/pam_authentication/ldap.env
index 958b3c62253d558e16b92815e8dc2e99e6e5dfe1..57862d116f6c02aa96bb5e94fa005eec58c9d063 100644
--- a/misc/pam_authentication/ldap.env
+++ b/misc/pam_authentication/ldap.env
@@ -13,11 +13,17 @@ export USER_BASE="dc=example,dc=org" # for actual LDAP servers
 
 # The BIND_DN_PATTERN is used to construct the DN from the USER_NAME and the
 # USER_BASE. Be sure to surround it with single quotation marks "'" because the
-# variable are to be expanded by the script. Defaults to the first
+# variables inside are to be expanded by the script. Defaults to the first
 #export BIND_DN_PATTERN='cn=${USER_NAME},${USER_BASE}' # for actual LDAP servers.
 #export BIND_DN_PATTERN='${USER_NAME}@${USER_BASE}' # for MS Active Directory
 
-
+# The WHO_AM_I_PATTERN is used to construct the expected representation of the
+# bound user account. Normal LDAP servers return "dn:<dn>" but MS Active
+# Directory chooses to return "u:<domain>\<user_name>" instead. Be sure to
+# surround it with single quotation marks "'" because the variables inside are
+# to be expanded by the script. Defaults to the first.
+#export WHO_AM_I_PATTERN='dn:cn=${USER_NAME},${USER_BASE}' # for actual LDAP servers.
+#export WHO_AM_I_PATTERN='u:<domain>\${USER_NAME}' # for MS Active Directory
 
 # TLS SETTINGS
 
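Review bot: The Active Directory example on the last added comment line will not expand the user name: the script feeds this pattern to `eval "echo \"$WHO_AM_I_PATTERN\""`, and inside that double-quoted string `\$` is an escape producing a literal `$`, so `who_am_i` becomes the text `u:<domain>${USER_NAME}` and an AD user can never satisfy the comparison. The backslash itself has to be doubled so that one survives the eval, i.e. `#export WHO_AM_I_PATTERN='u:<domain>\\${USER_NAME}' # for MS Active Directory`. It is also worth saying in the comment that `<domain>` must be replaced by whatever the server actually returns in its `u:` answer, since the script compares the whole string byte for byte and derives nothing itself. Note that "Defaults to the first" only holds once the script's built-in default (second file of this change) is aligned with the `dn:cn=...` form shown here; as committed it omits the `cn=`.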
@@ -29,10 +35,14 @@ export USER_BASE="dc=example,dc=org" # for actual LDAP servers
 #export LDAPTLS_REQCERT=try
 #export LDAPTLS_REQCERT=hard
 
+# In some cases there is no need for specifying the TLS certificates here, e.g.
+# when they are installed system-wide. If that does not work, use these
+# variables:
+
 # Specifies the file that contains certificates for all of the Certificate
 # Authorities the client will recognize.
-export LDAPTLS_CACERT="<filename>"
+#export LDAPTLS_CACERT="<filename>"
 
 # Specifies the path of a directory that contains Certificate Authority
 # certificates in separate individual files.
-#export LDAPTLS_CACERTDIR=<path>
+#export LDAPTLS_CACERTDIR="<path>"
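Review bot: With `LDAPTLS_CACERT` now commented out and the script defaulting `LDAPTLS_REQCERT` to `hard`, a server certificate that does not chain to the system trust store makes the bind fail closed, which is the right default, but the new sentence "If that does not work, use these variables" does not say which fix is the safe one. I would add next to the `LDAPTLS_REQCERT` options: `# Keep REQCERT=hard. If the server's CA is not trusted system-wide, point LDAPTLS_CACERT at that CA instead of lowering this setting, which disables server verification and lets a man-in-the-middle read the bind password.` Separately, the script computes its default from `LDAP_TLS_REQCERT` (with an underscore) and then assigns `LDAPTLS_REQCERT`, so a value exported from this file under the libldap name appears to be overwritten with `hard` on every run — worth confirming, because it would make the `try` example here inert.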
diff --git a/misc/pam_authentication/ldap_authentication.sh b/misc/pam_authentication/ldap_authentication.sh
index 662320c39e4741237049dada513828831c8cb2b0..23011f9911b9e68cdfda429603ee7c7ae41e993a 100755
--- a/misc/pam_authentication/ldap_authentication.sh
+++ b/misc/pam_authentication/ldap_authentication.sh
@@ -33,22 +33,31 @@ exe_dir=$(dirname "$0")
 . "$exe_dir/ldap.env"
 LDAPTLS_REQCERT="${LDAP_TLS_REQCERT:-hard}"
 BIND_DN_PATTERN="${BIND_DN_PATTERN:-'cn=${USER_NAME},${USER_BASE}'}"
+WHO_AM_I_PATTERN="${WHO_AM_I_PATTERN:-'dn:${USER_NAME},${USER_BASE}'}"
 
 # If the second argument is empty or "-", take password from stdin, else use the argument as a file.
 testpw() {
-    local USER_NAME bind_dn pwfile pwargs
+    local USER_NAME bind_dn who_am_i pwfile pwargs result
     USER_NAME="$1"
     bind_dn="$(eval "echo \"$BIND_DN_PATTERN\"")"
+    who_am_i="$(eval "echo \"$WHO_AM_I_PATTERN\"")"
 
     pwfile="$2"
     pwargs=("-y" "$pwfile")
-    if [[ "$pwfile" == "-" ]] ; then
+    if [ "$pwfile" = "-" ] ; then
         pwargs=("-W")
     elif [ -z "$pwfile" ] ; then
         pwargs=("-W")
     fi
 
-    ldapwhoami -o "nettimeout=10" -x -D "$bind_dn" "${pwargs[@]}"
+    result="$(ldapwhoami -o "nettimeout=10" -x -D "$bind_dn" "${pwargs[@]}")"
+    if [ "$?" -ne "0" ] ; then
+        return 1
+    elif [ "$result" = "$who_am_i" ] ; then
+        return 0
+    fi
+    return 1
+
 }
 
 if testpw "$1" "$2" ; then
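Review bot: The default `WHO_AM_I_PATTERN` on the first added line lacks the `cn=` RDN that both the `BIND_DN_PATTERN` default on the line above and the documented default in ldap.env carry, so when ldap.env leaves it unset `ldapwhoami` reports `dn:cn=<user>,<base>` while `who_am_i` is built as `dn:<user>,<base>` and the comparison at the end of `testpw` rejects every login. The line also inherits a quoting problem from `BIND_DN_PATTERN`: inside the outer double quotes the single quotes are literal characters and `${USER_NAME}` is expanded at assignment time, before `testpw` has set it, so the fallback is never the template ldap.env describes. A fallback that keeps the braces intact for the later `eval` is `[ -n "$WHO_AM_I_PATTERN" ] || WHO_AM_I_PATTERN='dn:cn=${USER_NAME},${USER_BASE}'`. The exact-string check itself is the right fail-closed shape — presumably the motivation is that a bind a permissive server accepts as anonymous no longer counts as success — but directory servers compare DNs and AD account names case-insensitively, so one that returns a canonicalised DN or an upper-cased domain would reject valid users; worth confirming against the target server before relying on byte equality.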