diff --git a/services/lldap.nix b/services/lldap.nix
index d84cfa3..7ed6f2b 100644
--- a/services/lldap.nix
+++ b/services/lldap.nix
@@ -3,10 +3,13 @@ in {
  age.secrets = {
  "hidden_service/lldap".file = ../secrets/hidden_service/lldap;
- "lldap_root_pass".file = ../secrets/lldap_root_pass;
- }
+ "lldap_root_pass" = {
+ file = ../secrets/lldap_root_pass;
+ mode = "0440";
+ group = "lldap-secrets";
+ };
+ };
-
  services.lldap = {
  enable = true;
  settings = {
@@ -16,7 +19,7 @@ in {
  ldap_user_dn = "root";
  ldap_base_dn = "dc=distrust,dc=network";
  ldap_user_pass_file = config.age.secrets."lldap_root_pass".path;
- force_ldap_user_pass_reset = true;
+ force_ldap_user_pass_reset = "always";
  };
  };
@@ -36,4 +39,10 @@ in {
  ];
  };
  };
+
+ # Creates a group for the LLDAP DynamicUser to read the secret
+ users.groups.lldap-secrets = {};
+ systemd.services.lldap.serviceConfig = {
+ SupplementaryGroups = [ "lldap-secrets" ];
+ };
 }
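Review bot: `force_ldap_user_pass_reset = "always";` in the second hunk has an operational consequence that is not documented anywhere in the file: as the value's name suggests (I have not checked the exact semantics in the LLDAP version pinned here), the admin password is re-applied from `ldap_user_pass_file` on every service start, so a password change made through LLDAP itself would be silently reverted at the next restart and the agenix-encrypted file becomes the only place where the credential can be rotated. If that is the intent, say so next to the setting, e.g. `# "always": admin password is reset from ldap_user_pass_file on every start; rotate by re-encrypting the agenix secret, never via the web UI.`. If the change was only meant to replace the old boolean with its string equivalent, check whether the installed LLDAP accepts a narrower value and prefer that. The enclosing `services.lldap.settings` block starts outside this hunk.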
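Review bot: The comment above `users.groups.lldap-secrets = {};` in the last hunk should state what membership of this group grants, because the first hunk makes the secret `mode = "0440"` with `group = "lldap-secrets"`, so every process that is later given `SupplementaryGroups = [ "lldap-secrets" ]` can read the LDAP admin password. Suggest `# Dedicated group that lets the lldap DynamicUser read lldap_root_pass (0440). Do not reuse it for other services: membership == LDAP admin password.`. Pairing a statically declared group with SupplementaryGroups is the usual way to let a DynamicUser service read an agenix secret, and since the first hunk sets no `owner`, the file presumably stays owned by the agenix default (root), which is what you want with 0440.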