diff --git a/certidude/templates/certidude-server.conf b/certidude/templates/certidude-server.conf
index 4cacafb..b5da14a 100644
--- a/certidude/templates/certidude-server.conf
+++ b/certidude/templates/certidude-server.conf
@@ -15,9 +15,12 @@ backends = pam
 # address are looked up. In case of 'posix' basically 'getent passwd' is performed,
 # in case of 'ldap' a search is performed on LDAP server specified in /etc/ldap/ldap.conf
 # with Kerberos credential cache initialized at path specified by environment variable KRB5CCNAME
+# If certidude setup authority was performed correctly the credential cache should be
+# updated automatically by /etc/cron.hourly/certidude
 backend = posix
 ;backend = ldap
+ldap gssapi credential cache = /run/certidude/krb5cc
 [authorization]
 # The authorization backend specifies how the users are authorized.
diff --git a/certidude/templates/ldap-ticket-renewal.sh b/certidude/templates/ldap-ticket-renewal.sh
index 7c07217..9f91c28 100644
--- a/certidude/templates/ldap-ticket-renewal.sh
+++ b/certidude/templates/ldap-ticket-renewal.sh
@@ -1,5 +1,6 @@
 #!/bin/bash
-KRB5CCNAME={{ticket_path}}.part kinit -k {{name}}$ -S ldap/dc1.{{domain}}@{{realm}} -t /etc/krb5.keytab
-chown certidude:certidude {{ticket_path}}.part
-mv {{ticket_path}}.part {{ticket_path}}
+mkdir -p /run/certidude
+KRB5CCNAME=/run/certidude/krb5cc.part kinit -k {{name}}$ -S ldap/dc1.{{domain}}@{{realm}} -t /etc/krb5.keytab
+chown certidude:certidude /run/certidude/krb5cc.part
+mv /run/certidude/krb5cc.part /run/certidude/krb5cc
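Review bot: The new `ldap gssapi credential cache` key makes the cache path look configurable, but the renewal script changed in this same commit writes to a hard-coded `/run/certidude/krb5cc`, so editing the value here would point the server at a cache that is never refreshed. A comment above the key would make the coupling explicit, e.g. `# Must match the path written by the ticket renewal cron job`. The context line above still says the cache path is taken from the environment variable KRB5CCNAME, which appears to conflict with having a dedicated key; that sentence is worth rewording. The section this key belongs to starts outside the hunk.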
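Review bot: None of the four commands is checked for failure, so when `kinit` cannot obtain a ticket the `chown` and `mv` still run, and any partial `krb5cc.part` left behind could replace the working cache. Adding `set -e` directly after the shebang (or chaining the commands with `&&`) stops the script at the first error and keeps the previous cache in place. `mkdir -p /run/certidude` also leaves the directory's mode and owner to whatever umask and user the cron job runs with; `install -d -m 0755 -o root -g root /run/certidude` states them explicitly and keeps the directory root-owned, so only the finished cache file is handed to the certidude user.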