diff --git a/management/univention-directory-manager-modules/univention-dnsedit b/management/univention-directory-manager-modules/univention-dnsedit
index 5322eb6052..cc84cd3e15 100755
--- a/management/univention-directory-manager-modules/univention-dnsedit
+++ b/management/univention-directory-manager-modules/univention-dnsedit
@@ -102,7 +102,7 @@ def parse():
 	if options.bindpwdfile:
 		options.bindpwd = open(options.bindpwdfile).read().strip()
 	if options.binddn and not options.bindpwd:
-		msg = 'authentication error: missing --bindpwd'
+		msg = 'authentication error: missing any of --bindpwdfile or --bindpwd'
 	elif not options.binddn and options.bindpwd:
 		msg = 'authentication error: missing --binddn'
 	if msg:
diff --git a/management/univention-join/joinscripthelper.lib b/management/univention-join/joinscripthelper.lib
index 4728323add..275aa1f123 100644
--- a/management/univention-join/joinscripthelper.lib
+++ b/management/univention-join/joinscripthelper.lib
@@ -294,21 +294,22 @@ joinscript_log_error() {
 	done
 }
 
-# 1 binddn, 2 bindpwdfile, create join credential files /var/univention-join/binddn and /var/univention-join/bindpwd
+# 1 binddn, 2 bindpwdfile, create join credential files /var/run/univention-join/binddn and /var/run/univention-join/bindpwd
 joinscript_create_credentialfiles () {
-	mkdir -p /var/univention-join
-	touch /var/univention-join/binddn
-	chmod 600 /var/univention-join/binddn
-	echo "$1" > /var/univention-join/binddn
-	touch /var/univention-join/bindpwd
-	chmod 600 /var/univention-join/bindpwd
-	cp "$2" /var/univention-join/bindpwd
+	mkdir -p /var/run/univention-join
+	chmod 700 /var/run/univention-join
+	touch /var/run/univention-join/binddn
+	chmod 600 /var/run/univention-join/binddn
+	echo "$1" > /var/run/univention-join/binddn
+	touch /var/run/univention-join/bindpwd
+	chmod 600 /var/run/univention-join/bindpwd
+	cp "$2" /var/run/univention-join/bindpwd
 }
 
 # remove join credential files
 joinscript_remove_credentialfiles () {
-	test -e /var/univention-join/bindpwd && rm /var/univention-join/bindpwd
-	test -e /var/univention-join/binddn && rm /var/univention-join/binddn
+	rm -f /var/run/univention-join/bindpwd \
+		/var/run/univention-join/binddn
 }
 
 # join script can be called with --bindpwdfile
@@ -319,7 +320,7 @@ joinscript_check_api_bindpwdfile () {
 	return 1
 }
 
-# join script does not need domain credentials at all
+# join script does not require domain credentials to be passed
 joinscript_check_api_nocredentials () {
 	if grep -q '^## joinscript api: nocredentials$' "$1"; then
 		return 0
@@ -327,12 +328,4 @@ joinscript_check_api_nocredentials () {
 	return 1
 }
 
-# join script gets credentials from /var/univention-join/binddn and /var/univention-join/bindpwd by itself
-joinscript_check_api_credentialfiles () {
-	if grep -q '^## joinscript api: credentialfiles$' "$1"; then
-		return 0
-	fi
-	return 1
-}
-
 # vim:set ft=sh:
diff --git a/management/univention-join/univention-join b/management/univention-join/univention-join
index 55a6712aa8..38eddacf46 100755
--- a/management/univention-join/univention-join
+++ b/management/univention-join/univention-join
@@ -191,6 +191,7 @@ run_join_scripts () {
 
 	LC_COLLATE="C"
 	joinscript_check_status_file
+	trap "rm -f '$DCPWD' /var/run/univention-join/binddn /var/run/univention-join/bindpwd" EXIT
 	joinscript_create_credentialfiles "$binddn" "$DCPWD"
 
 	if test -d "/usr/lib/univention-install/"; then
@@ -207,7 +208,7 @@ run_join_scripts () {
 			local args=()
 			if joinscript_check_api_bindpwdfile "$i"; then
 				args=(--binddn "$binddn" --bindpwdfile "$DCPWD")
-			elif joinscript_check_api_nocredentials "$i" || joinscript_check_api_credentialfiles "$i"; then
+			elif joinscript_check_api_nocredentials "$i"; then
 				args=()
 			else
 				args=(--binddn "$binddn" --bindpwd "$(<"$DCPWD")")
diff --git a/management/univention-join/univention-run-join-scripts b/management/univention-join/univention-run-join-scripts
index a4dfa42c26..755afe6b02 100755
--- a/management/univention-join/univention-run-join-scripts
+++ b/management/univention-join/univention-run-join-scripts
@@ -143,7 +143,7 @@ if [ ! "$server_role" = "domaincontroller_master" ] || [ -n "$ASK_PASS" ] ; then
 		echo -n "Enter DC Master Password: "
 		read -s password
 		DCPWD=$(mktemp)
-		trap "rm -f '$DCPWD'" EXIT
+		trap "rm -f '$DCPWD' /var/run/univention-join/binddn /var/run/univention-join/bindpwd" EXIT
 		echo -n "$password" >>"$DCPWD"
 		echo ""
 		echo ""
@@ -246,7 +246,7 @@ then
 			args=()
 			if joinscript_check_api_bindpwdfile "$i"; then
 				args=(--binddn "$binddn" --bindpwdfile "$DCPWD")
-			elif joinscript_check_api_nocredentials "$i" || joinscript_check_api_credentialfiles "$i"; then
+			elif joinscript_check_api_nocredentials "$i"; then
 				args=()
 			else
 				args=(--binddn "$binddn" --bindpwd "$(<"$DCPWD")")