diff --git a/nss-pam-ldapd/Dockerfile b/nss-pam-ldapd/Dockerfile
index 8bc9d8724c1bad3294dd09528fe8abe55e316ede..b142ebabce131eedd44bbbf67afafe4b705cbc7d 100644
--- a/nss-pam-ldapd/Dockerfile
+++ b/nss-pam-ldapd/Dockerfile
@@ -9,13 +9,15 @@ RUN apt-get update && \
     mkdir -p /run/nslcd && \
     chown -R nslcd:nslcd /run/nslcd/ && \
     sed -i 's/compat/compat ldap/g' /etc/nsswitch.conf && \
-    rm -rf /tmp/* /var/tmp/* /var/lib/apt/lists/* /var/cache/apt/archives/* /etc/nslcd.conf
+    apt-get clean && \
+    rm -rf /tmp/* /var/tmp/* /var/lib/apt/lists/* /etc/nslcd.conf
 COPY --chown=root:root entrypoint /
 ENV LDAP_URIS=ldapi:/// \
     LDAP_AUTH_TYPE=none \
     LDAP_STARTTLS=false \
     LDAP_BASE_DN="dc=trusted" \
-    LDAP_CACERTFILE=/etc/ssl/certs/ca-certificates.crt
+    LDAP_CACERTFILE=/etc/ssl/certs/ca-certificates.crt \
+    LDAP_REQCERT=never
 ENTRYPOINT [ "/entrypoint" ]
 CMD [ "/usr/sbin/nslcd", "--nofork" ]
 HEALTHCHECK CMD pgrep nslcd || exit 1
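Review bot: The new image default `LDAP_REQCERT=never` in the ENV block turns off server certificate checking wherever the value is consumed; the entrypoint change in this same diff writes it to `TLS_REQCERT` in /etc/ldap/ldap.conf. A deployment that sets `LDAP_STARTTLS=true` or an ldaps:// URI without also overriding this variable would get an encrypted but unauthenticated connection to the directory that backs NSS/PAM lookups. I would ship `LDAP_REQCERT=demand` as the default, since `LDAP_CACERTFILE` already points at the system bundle. The ldapi:/// setup can then opt out explicitly, and the README row should be updated to match.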
diff --git a/nss-pam-ldapd/README.md b/nss-pam-ldapd/README.md
index 0b47ed779bb0cf1ad949a59c996d9fca872a5766..45b0fbe779a0be0be6a609570e72a5f4ac396e7f 100644
--- a/nss-pam-ldapd/README.md
+++ b/nss-pam-ldapd/README.md
@@ -18,6 +18,7 @@ Name | Default value
 `LDAP_STARTTLS` | `false`
 `LDAP_BASE_DN` | `dc=trusted`
 `LDAP_CACERTFILE` | `/etc/ssl/certs/ca-certificates.crt`
+`LDAP_REQCERT` | `never`
 
 ## License
 
diff --git a/nss-pam-ldapd/entrypoint b/nss-pam-ldapd/entrypoint
index 356b649b1606eedb3029405cb251e79f02482378..8ba43f24e5c07e8f6b01f53116194687ed706b35 100755
--- a/nss-pam-ldapd/entrypoint
+++ b/nss-pam-ldapd/entrypoint
@@ -19,6 +19,19 @@ nslcd	nslcd/ldap-cacertfile	string	${LDAP_CACERTFILE:-}
 nslcd	nslcd/ldap-sasl-secprops	string	${LDAP_SASL_SECPROPS:-}
 EOF
 
-dpkg-reconfigure -f noninteractive nslcd
+DEBIAN_FRONTEND=noninteractive dpkg-reconfigure -f noninteractive nslcd
+
+cat << EOF | tee /etc/ldap/ldap.conf
+URI ${LDAP_URIS:-}
+BASE ${LDAP_BASE_DN:-}
+BINDDN ${LDAP_BINDDN:-}
+SASL_MECH ${LDAP_SASL_MECH:-}
+SASL_REALMa ${LDAP_SASL_REALM:-}
+SASL_AUTHCID ${LDAP_SASL_AUTHCID:-}
+SASL_AUTHZID ${LDAP_SASL_AUTHZID:-}
+SASL_SECPROPS ${LDAP_SASL_SECPROPS:-}
+TLS_CACERT  ${LDAP_SASL_SECPROPS:-}
+TLS_REQCERT ${LDAP_REQCERT:-}
+EOF
 
 eval exec gosu "nslcd:nslcd" "$@"
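Review bot: Two lines in the added ldap.conf here-doc look like copy-paste slips: `SASL_REALMa` is not an ldap.conf option name, and `TLS_CACERT` is filled from `${LDAP_SASL_SECPROPS:-}` rather than the CA file variable. As written, the realm setting will not take effect and TLS_CACERT receives a SASL properties string (or nothing), so this file gives no usable CA path once TLS_REQCERT is stricter than `never`. Suggested lines: `SASL_REALM ${LDAP_SASL_REALM:-}` and `TLS_CACERT ${LDAP_CACERTFILE:-}`. Separately, `cat << EOF | tee /etc/ldap/ldap.conf` also echoes the rendered config, including the bind DN, to the container's stdout. If that is not intended, `cat > /etc/ldap/ldap.conf << EOF` writes the file without logging it.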