diff --git a/utils/modules/ldap-auth.nix b/utils/modules/ldap-auth.nix
index 3d35b34..30b5d37 100644
--- a/utils/modules/ldap-auth.nix
+++ b/utils/modules/ldap-auth.nix
@@ -7,7 +7,7 @@ let
 -y ${config.sops.secrets.linuxbind-password.path} \
 -b "ou=users,dc=cloonar,dc=com" \
 "(uid=$1)" sshPublicKey \
- | sed -n 's/^sshPublicKey: //p'
+ | ${pkgs.gnused}/bin/sed -n 's/^sshPublicKey: //p'
 '';
 in
 {
@@ -46,19 +46,35 @@ in
 };
 security.pam.services.login.makeHomeDir = true;
+ security.pam.services.sshd.makeHomeDir = true;
+ security.pam.services.sudo.makeHomeDir = true;
 security.pam.services.systemd-user.makeHomeDir = true;
 systemd.tmpfiles.rules = [
 "L /bin/bash - - - - /run/current-system/sw/bin/bash"
 ];
+ environment.etc."ssh/ldap-authorized-keys" = {
+ source = ldapAuthorizedKeys;
+ mode = "0555"; # executable, not writable
+ };
+
 services.openssh = {
 settings = {
- AuthorizedKeysCommand = toString ldapAuthorizedKeys;
+ AuthorizedKeysCommand = "/etc/ssh/ldap-authorized-keys";
 AuthorizedKeysCommandUser = "nslcd"; # default is “nobody” :contentReference[oaicite:0]{index=0}
 PubkeyAuthentication = "yes";
 };
 };
+ users.users.nslcd = {
+ isSystemUser = true;
+ group = "nslcd";
+ };
+
+ users.groups.nslcd = {};
+
 sops.secrets.sssd-environment = {};
- sops.secrets.linuxbind-password = {};
+ sops.secrets.linuxbind-password = {
+ owner = "nslcd";
+ };
 }
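Review bot: The username that sshd hands the script as `$1` is interpolated unescaped into the LDAP filter on the context line `"(uid=$1)" sshPublicKey \` directly above the changed `sed` line, and this hunk pins `sed` to `${pkgs.gnused}` without adding any validation of that argument. With no `%u` token in AuthorizedKeysCommand, sshd appends the client-supplied login name as the sole argument; as far as I recall it only does so for names that resolve through NSS, which narrows the surface but does not escape RFC 4515 metacharacters such as `*`, `(`, `)` or `\`. A reject-list check before the `ldapsearch` call, e.g. `case "$1" in ''|*[!A-Za-z0-9._-]*) exit 1;; esac`, keeps the filter to a single literal uid. The `ldapAuthorizedKeys` definition starts before this hunk, so the `ldapsearch` invocation and the script's shebang are outside my view.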
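Review bot: The new `AuthorizedKeysCommand = "/etc/ssh/ldap-authorized-keys"` replaces the store path with a copy made by `environment.etc`, but nothing in the hunk says why; as far as I know sshd only requires the command file to be an absolute path, root-owned and not group/world-writable, which a root-owned 0555 store file already satisfies, so a reader cannot tell what this fixes. A comment on the `environment.etc."ssh/ldap-authorized-keys"` line naming the motivation — e.g. `# copied rather than symlinked so sshd's root-owner/non-writable check on AuthorizedKeysCommand holds regardless of store ownership` — would make the change reviewable. On the secret, `owner = "nslcd"` now hands the LDAP bind password to the same unprivileged user that sshd runs the command under with a client-chosen argument; pinning the permission explicitly with `mode = "0400";` next to `owner` keeps readability from depending on the sops-nix default. The `:contentReference[oaicite:0]{index=0}` fragment in the AuthorizedKeysCommandUser comment on the context line looks like a stray citation artifact and should be deleted.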