diff --git a/Makefile.am b/Makefile.am
index 20ce1730b7..e8552c6b29 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -4045,7 +4045,7 @@ intgcheck-prepare:
 --with-files-provider \
 --with-session-recording-shell=/bin/false \
 $(INTGCHECK_CONFIGURE_FLAGS) \
- CFLAGS="-O2 -g $$CFLAGS"; \
+ CFLAGS="-O2 -g $$CFLAGS -DINTGCHECK_BUILD"; \
 $(MAKE) $(AM_MAKEFLAGS) ; \
 $(MAKE) $(AM_MAKEFLAGS) test_ssh_client; \
 : Force single-thread install to workaround concurrency issues; \
diff --git a/src/responder/pam/pamsrv.c b/src/responder/pam/pamsrv.c
index cd49c40664..55fce72f10 100644
--- a/src/responder/pam/pamsrv.c
+++ b/src/responder/pam/pamsrv.c
@@ -450,6 +450,18 @@ int main(int argc, const char *argv[])
 umask(DFL_RSP_UMASK);
+#ifndef INTGCHECK_BUILD
+ /* This is to clear dangerous variables like 'LDB_MODULES_PATH' * from environment of privileged responder. It's easier to * clear everything since 'sssd_pam' shouldn't rely on any. */
+ ret = clearenv();
+ if (ret != 0) {
+ fprintf(stderr, "Failed to clear env.\n");
+ return 1;
+ }
+#endif /* 'intgcheck' relies on 'LDB_MODULES_PATH' to setup a test env */
+
 pc = poptGetContext(argv[0], argc, argv, long_options, 0);
 while((opt = poptGetNextOpt(pc)) != -1) {
 switch(opt) {
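Review bot: `-DINTGCHECK_BUILD` is appended to `CFLAGS` on the configure line of `intgcheck-prepare` with nothing in the recipe saying that it switches off the environment scrub in `sssd_pam`. A preprocessor define conventionally goes in `CPPFLAGS`, e.g. `CPPFLAGS="$$CPPFLAGS -DINTGCHECK_BUILD"`, which also makes it easier to spot when auditing a build log. Since objects from this tree are built without that hardening, a short remark in the recipe's existing `: ...; \` comment style, stating that the intgcheck build must not be packaged or installed outside the test prefix, would help. The recipe starts and ends outside the hunk.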
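Review bot: The `#ifndef INTGCHECK_BUILD` guard in `main()` makes the environment scrub a compile-time option, so the integration tests never run the `clearenv()` path, and a binary built with that define keeps the caller's environment with nothing at run time saying so. An `#else` branch such as `fprintf(stderr, "INTGCHECK_BUILD: environment not cleared.\n");` would make a test build recognisable if it ever ends up outside the test tree. The reason for the exception reads better in the comment above `ret = clearenv();`, leaving the closing line as `#endif /* INTGCHECK_BUILD */`. `clearenv()` is not specified by POSIX, so a configure check is presumably needed if libcs without it are still supported. `main()` starts and ends outside the hunk.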