diff --git a/applications/ldap.nix b/applications/ldap.nix
index abff1f1..fafe542 100644
--- a/applications/ldap.nix
+++ b/applications/ldap.nix
@@ -45,8 +45,15 @@ Gonna use a priper nixos module for this
   config = mkIf cfg.enable {
     # this is athe actual configuration that we need to do
 
-    # im poort in teh secrets for this
-    age.secrets.ldap_pw.file = ../secrets/ldap/pw.age;
+    # after changing teh password openldap.service has to be restarted
+    age.secrets.ldap_pw = {
+      file = ../secrets/ldap/pw.age;
+      mode = "440";
+      owner = "openldap";
+      group = "openldap";
+    };
+
+    # openldap
     age.secrets.ldap_self_service.file = ../secrets/ldap/self_service.age;
 
     skynet_dns.records.cname = [