diff --git a/machines/gerd/services/authelia.nix b/machines/gerd/services/authelia.nix
index 16101c3..3587a36 100644
--- a/machines/gerd/services/authelia.nix
+++ b/machines/gerd/services/authelia.nix
@@ -91,6 +91,7 @@ in {
 authelia-storage.owner = "authelia-main";
 authelia-session.owner = "authelia-main";
 authelia-oidc-issuer-privatekey-pem.owner = "authelia-main";
- authelia-lldap-bind-user-pass.owner = "authelia-main";
 };
+
+ users.groups."${config.age.secrets.lldap-bind-user-pass.group}".members = [ config.users.users.authelia-main.name ];
 }
diff --git a/machines/gerd/services/lldap.nix b/machines/gerd/services/lldap.nix
index 19e8eef..cf58b29 100644
--- a/machines/gerd/services/lldap.nix
+++ b/machines/gerd/services/lldap.nix
@@ -12,7 +12,7 @@ environment = {
 # always set admin password on startup
- LLDAP_LDAP_USER_PASS_FILE = config.age.secrets.lldap-user-pass.path;
+ LLDAP_LDAP_USER_PASS_FILE = config.age.secrets.lldap-admin-user-pass.path;
 # only available on the newest master branch, will be enabled when a
 # new version is released.
 # https://github.com/lldap/lldap/issues/790
@@ -35,6 +35,6 @@ users.users.lldap = {
 group = "lldap";
 isSystemUser = true;
 };
 users.groups.lldap = {};
 age.secrets = {
- lldap-user-pass.owner = "lldap";
+ lldap-admin-user-pass.owner = "lldap";
 };
 }
diff --git a/secrets/default.nix b/secrets/default.nix
index d02ef2a..a64d3e9 100644
--- a/secrets/default.nix
+++ b/secrets/default.nix
@@ -1,3 +1,5 @@
+{ config, ... }:
+
 {
 age.secrets = {
 # authelia
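Review bot: The hunk removes the owner of the `authelia-lldap-bind-user-pass` secret but shows no update to the Authelia setting that consumed that secret's path; if the file still reads `config.age.secrets.authelia-lldap-bind-user-pass.path` outside this hunk, evaluation will fail because the attribute no longer exists, and the reference must become `config.age.secrets.lldap-bind-user-pass.path`. Read access now rests on group membership instead of ownership, which matches the `mode = "0440"` given to the secret in secrets/default.nix, but nothing here says so; a comment above the added line such as `# read access to the LLDAP bind password is granted via the secret's group (defined with mode 0440 in secrets/default.nix), not by owning the file` would make the dependency visible to the next reader. The enclosing attribute set begins before this hunk.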
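Review bot: The added `{ config, ... }:` header turns secrets/default.nix into a module function, but no line visible in this diff uses `config`, so the argument appears unused; if nothing elsewhere in the file needs it, `{ ... }:` (or leaving the file a plain attribute set) avoids an argument the reader will search for in vain. If it was added in anticipation of deriving the group name from `config`, a short comment saying so would explain its presence.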
@@ -6,13 +8,19 @@ authelia-session.file = ./authelia/session.age;
 authelia-oidc-issuer-privatekey-pem.file = ./authelia/oidc-issuer-privatekey-pem.age;
 authelia-oidc-issuer-privatekey-crt.file = ./authelia/oidc-issuer-privatekey-crt.age;
- authelia-lldap-bind-user-pass.file = ./authelia/lldap-bind-user-pass.age;
 # lldap
- lldap-user-pass.file = ./lldap/user-pass.age;
+ lldap-admin-user-pass.file = ./lldap/admin-user-pass.age;
+ lldap-bind-user-pass = {
+ file = ./lldap/bind-user-pass.age;
+ group = "secrets-lldap-bind-user-pass";
+ mode = "0440";
+ };
 # mumble
 murmur-env.file = ./murmur/env.age;
 murmur-superpassword.file = ./murmur/superpassword.age;
 };
+
+ users.groups.secrets-lldap-bind-user-pass = {};
 }
diff --git a/secrets/lldap/user-pass.age b/secrets/lldap/admin-user-pass.age
similarity index 100%
rename from secrets/lldap/user-pass.age
rename to secrets/lldap/admin-user-pass.age
diff --git a/secrets/authelia/lldap-bind-user-pass.age b/secrets/lldap/bind-user-pass.age
similarity index 100%
rename from secrets/authelia/lldap-bind-user-pass.age
rename to secrets/lldap/bind-user-pass.age
diff --git a/secrets/secrets.nix b/secrets/secrets.nix
index 8030755..066a77f 100644
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@@ -16,10 +16,10 @@ in
 "authelia/session.age".publicKeys = defaultAccess;
 "authelia/oidc-issuer-privatekey-pem.age".publicKeys = defaultAccess;
 "authelia/oidc-issuer-privatekey-crt.age".publicKeys = defaultAccess;
- "authelia/lldap-bind-user-pass.age".publicKeys = defaultAccess;
 # lldap
- "lldap/user-pass.age".publicKeys = defaultAccess;
+ "lldap/admin-user-pass.age".publicKeys = defaultAccess;
+ "lldap/bind-user-pass.age".publicKeys = defaultAccess;
 # mumble
 "murmur/env.age".publicKeys = defaultAccess;
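Review bot: The group name `secrets-lldap-bind-user-pass` is spelled out twice in this hunk, once as the secret's `group` and once as the `users.groups` attribute, so a typo in either side silently produces a group with no members and a file nobody can read; a `let bindPassGroup = "secrets-lldap-bind-user-pass"; in` binding used in both places keeps them in step (authelia.nix already derives the name from `config.age.secrets.lldap-bind-user-pass.group`, which is the right direction). With no `owner` set the file stays root-owned at `0440`, leaving the group as the only read path, which is the least-privilege shape for a shared credential. Only `authelia-main` is added to the group anywhere in this diff, so if no second consumer is planned the earlier single-`owner` form would be simpler; either way the intent deserves a comment above `lldap-bind-user-pass = {`, e.g. `# shared through a dedicated group so several services can be granted read access without any of them owning the file`.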