users.ldap = {                                                                                                     
      enable = true;                                                                                                   
      loginPam = true;                                                                                                 
      server = "ldap://localhost";                                                                                     
      base = "dc=example,dc=org";                                                                                      
      bind = {                                                                                                         
        distinguishedName = "uid=pam,ou=services,dc=example,dc=org";                                                   
        passwordFile = "/var/secrets/ldap/pam_password";                                                               
      };                                                                                                               
    };