diff --git a/modules/config/ldap.nix b/modules/config/ldap.nix
index 3821482..c023585 100644
--- a/modules/config/ldap.nix
+++ b/modules/config/ldap.nix
@@ -105,6 +105,24 @@ let
 in
 
 ###### implementation
+let
+
+  ldapConf = pkgs.writeText "ldap.conf" ''
+    uri ${config.users.ldap.server}
+    base ${config.users.ldap.base}
+    timelimit ${toString config.users.ldap.timeLimit}
+    bind_timelimit ${toString config.users.ldap.bind.timeLimit}
+    bind_policy ${config.users.ldap.bind.policy}
+    ${optionalString config.users.ldap.useTLS ''
+      ssl start_tls
+      tls_checkpeer no
+    ''}
+    ${optionalString (config.users.ldap.bind.distinguishedName != "") ''
+      binddn ${config.users.ldap.bind.distinguishedName}
+    ''}
+  '';
+
+in
 
 mkIf config.users.ldap.enable {
   require = [
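Review bot: The new `ldapConf` binding keeps `tls_checkpeer no` next to `ssl start_tls`, so when `useTLS` is on the server certificate is never validated and the bind DN plus the bindpw appended at activation time are sent to whatever answers on the LDAP port. Since the file is now a standalone store path it is a natural place to make peer checking configurable; a minimal form would be `tls_checkpeer ${if config.users.ldap.tlsCheckPeer then "yes" else "no"}` together with a `tls_cacertfile` line, defaulting to checking (option names here are a sketch, not existing ones). The moved config itself contains no secret, so placing it in the world-readable store is fine; the bindpw is only added by the activation script below. The enclosing `let` chain continues outside the hunk.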
@@ -117,35 +135,20 @@ mkIf config.users.ldap.enable {
 
       # Careful: OpenLDAP seems to be very picky about the indentation of
       # this file.  Directives HAVE to start in the first column!
-      { source = pkgs.writeText "ldap.conf"
-          ''
-            uri ${config.users.ldap.server}
-            base ${config.users.ldap.base}
-            timelimit ${toString config.users.ldap.timeLimit}
-            bind_timelimit ${toString config.users.ldap.bind.timeLimit}
-            bind_policy ${config.users.ldap.bind.policy}
-
-            ${optionalString config.users.ldap.useTLS ''
-              ssl start_tls
-              tls_checkpeer no
-            ''}
-
-            ${optionalString (config.users.ldap.bind.distinguishedName != "") ''
-              binddn ${config.users.ldap.bind.distinguishedName}
-            ''}
-          '';
+      { source = ldapConf;
         target = "ldap.conf";
       }
 
     ];
   };
 
-  system.activationScripts.ldap = stringAfter [ "etc" ] (
+  system.activationScripts.ldap = stringAfter [ "etc" "groups" "users" ] (
     optionalString (config.users.ldap.bind.distinguishedName != "") ''
-      if test -f "${config.users.ldap.bind.password}" ; then
-        echo "bindpw $(cat ${config.users.ldap.bind.password})" | cat /etc/ldap.conf - > /etc/ldap.conf.bindpw
+      if test -s "${config.users.ldap.bind.password}" ; then
+        echo "bindpw "$(cat ${config.users.ldap.bind.password})"" | cat ${ldapConf} - > /etc/ldap.conf.bindpw
         mv -fT /etc/ldap.conf.bindpw /etc/ldap.conf
-        chmod 600 /etc/ldap.conf
+        chmod 440 /etc/ldap.conf
+        ${optionalString (config.services.nscd.enable) "chown nscd /etc/ldap.conf"}
       fi
     ''
   );
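Review bot: The quoting on the `echo` line is broken: `"bindpw "$(cat …)""` closes the string before the command substitution, so the password is word-split and glob-expanded unquoted, and a password containing spaces or `*` would be written incorrectly; it should be `echo "bindpw $(cat "${config.users.ldap.bind.password}")" | cat ${ldapConf} - > /etc/ldap.conf.bindpw`. The redirect also creates `/etc/ldap.conf.bindpw` with the activation script's default umask, so the file holding the bindpw is readable by other users until the `chmod 440` two lines later; wrapping the line as `(umask 077; echo … > /etc/ldap.conf.bindpw)` closes that window. With `chmod 440` and `chown nscd` only when nscd is enabled, a host without nscd ends up with a root-only `/etc/ldap.conf` that unprivileged processes using nss_ldap directly cannot read — presumably intended, but worth a comment next to the chmod.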
diff --git a/modules/services/system/nscd.nix b/modules/services/system/nscd.nix
index 3f6ef51..d38b48d 100644
--- a/modules/services/system/nscd.nix
+++ b/modules/services/system/nscd.nix
@@ -64,7 +64,11 @@ in
         description = "Invalidate NSCD cache";
         startOn = "ip-up";
         task = true;
-        exec = "${pkgs.glibc}/sbin/nscd --invalidate hosts";
+        exec = ''
+          ${pkgs.glibc}/sbin/nscd --invalidate passwd
+          ${pkgs.glibc}/sbin/nscd --invalidate group
+          ${pkgs.glibc}/sbin/nscd --invalidate hosts
+        '';
       };
 
   };
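Review bot: The `exec` value is now a multi-line string, and upstart's `exec` stanza takes a single command line; unless the job generator turns newline-containing `exec` values into a `script` block, only the first line will run or the job file will be malformed. If that is the case, `script = ''…''` with the three invalidate calls is the safer field, and the three commands are independent enough that a failure of the `passwd` invalidation should not prevent the `group` and `hosts` ones from running. This is inferred from the stanza name, not from anything visible in the hunk; the surrounding job definition starts outside the hunk.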
