diff --git a/modules/nixos/ipa.nix b/modules/nixos/ipa.nix
index abe8cdcc..1bff4e78 100644
--- a/modules/nixos/ipa.nix
+++ b/modules/nixos/ipa.nix
@@ -31,6 +31,40 @@ in {
 default = false;
 description = "allow the ipa module to override the ntp configuration";
 };
+ openldap = mkOption {
+ type = bool;
+ default = false;
+ description = "allow the ipa module to override ldap.conf";
+ };
+ };
+ openldap = {
+ settings = {
+ uri = mkOption {
+ type = str;
+ default = "ldaps://${cfg.server}";
+ };
+ base = mkOption {
+ type = str;
+ default = cfg.basedn;
+ };
+ tls_cacert = mkOption {
+ type = str;
+ default = "/etc/ipa/ca.crt";
+ };
+ sasl_nocanon = mkOption {
+ type = bool;
+ default = true;
+ };
+ };
+ extraConfig = mkOption {
+ type = lines;
+ default = ''
+ SASL_NOCANON ${if cfg.openldap.settings.sasl_nocanon or false then "on" else "off"}
+ URI ${cfg.openldap.settings.uri}
+ BASE ${cfg.openldap.settings.base}
+ TLS_CACERT ${cfg.openldap.settings.tls_cacert}
+ '';
+ };
 };
 };
 config.services.sssd = let
@@ -144,4 +178,10 @@ in {
 mkIf (cfg.enable && !cfg.overrideConfigs.krb5) {
 text = mkForce (format.generate "krb5.conf" krb5.settings).text;
 };
+ config.environment.etc."ldap.conf" = let
+ ldapConf = cfg.openldap.extraConfig;
+ in
+ mkIf (cfg.enable && !cfg.overrideConfigs.openldap) {
+ source = mkForce (pkgs.writeText "ldap.conf" ldapConf);
+ };
 }
diff --git a/modules/nixos/ldap/management.nix b/modules/nixos/ldap/management.nix
index 985697c0..7e211aa8 100644
--- a/modules/nixos/ldap/management.nix
+++ b/modules/nixos/ldap/management.nix
@@ -129,6 +129,7 @@ in {
 # man 5 ldap.conf
 LDAPBASE = ldap.base;
 LDAPURI = "ldaps://ldap.int.${config.networking.domain}";
+ LDAPTLS_CACERT = "/etc/ssl/certs/ca-bundle.crt";
 };
 ldapAuth = mkMerge [
 (mkIf config.security.krb5.enable (mapOptionDefaults {
diff --git a/nixos/ipa.nix b/nixos/ipa.nix
index 266f2236..dfb890a1 100644
--- a/nixos/ipa.nix
+++ b/nixos/ipa.nix
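Review bot: The new `extraConfig` option holds the whole ldap.conf, so any user definition of it replaces the generated URI/BASE/TLS_CACERT lines instead of appending to them, because an option's `default` only applies when nothing is defined. Consider emitting the base lines unconditionally in the `config.environment.etc."ldap.conf"` block and reserving `extraConfig` for genuinely extra lines, or rename the option and document that it is the complete file. The four `settings.*` options and `extraConfig` also lack a `description`; for example `description = "CA certificate file libldap uses to verify the LDAP server (TLS_CACERT)";` on `tls_cacert`. The `cfg.openldap.settings.sasl_nocanon or false` fallback is redundant since the option declares `default = true`. The enclosing `options` attribute set begins before the hunk.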
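Review bot: The new `config.environment.etc."ldap.conf"` entry sets `source = mkForce (pkgs.writeText "ldap.conf" ldapConf)` while the krb5.conf entry directly above uses `text = mkForce …`; writing `text = mkForce cfg.openldap.extraConfig;` keeps the two entries consistent and removes the single-use `let ldapConf` binding. A comment on the `mkIf` explaining the precedence would help, e.g. `# mkForce: win over any other ldap.conf definition unless overrideConfigs.openldap opts out`. The enclosing attribute set begins before the hunk.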
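Review bot: `LDAPTLS_CACERT = "/etc/ssl/certs/ca-bundle.crt"` points the ldap client tools at the whole system CA bundle, a much wider trust set than the IPA CA that the new `tls_cacert` option in modules/nixos/ipa.nix defaults to; if the server certificate is publicly issued this is the intended effect, otherwise a narrower CA file would be the safer choice. The same path is hard-coded again in nixos/ipa.nix in this commit, so a single shared value would keep the two from drifting. A one-line comment giving the reason the system bundle is trusted here would help the next reader, since that reason is not visible in the hunk. The surrounding attribute set starts before the hunk.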
@@ -24,7 +24,9 @@ in {
 overrideConfigs = {
 krb5 = mkDefault false;
 sssd = mkDefault false;
+ openldap = false;
 };
+ openldap.settings.tls_cacert = "/etc/ssl/certs/ca-bundle.crt";
 };
 };
 }
diff --git a/nixos/samba.nix b/nixos/samba.nix
index aa6c354e..211bf626 100644
--- a/nixos/samba.nix
+++ b/nixos/samba.nix
@@ -100,7 +100,8 @@ in {
 "ldap group suffix" = removeSuffix "," ldap.groupDnSuffix;
 "ldap machine suffix" = removeSuffix "," ldap.hostDnSuffix;
 "ldap idmap suffix" = removeSuffix "," ldap.idViewDnSuffix;
- "ldap server require strong auth" = "allow_sasl_over_tls";
+ "ldap server require strong auth" = "allow_sasl_without_tls_channel_bindings";
+ #"tls trust system cas" = true;
 # TODO: ldap delete dn?
 # TODO: username map script?
 })
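Review bot: `openldap = false;` in `overrideConfigs` is a plain value while the sibling `krb5` and `sssd` entries use `mkDefault false`, so a later module cannot override it without `mkForce`; `openldap = mkDefault false;` keeps the three entries consistent. If the bare value is deliberate, a short comment saying so would prevent it being "fixed" later. The enclosing attribute set begins before the hunk.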
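Review bot: The commented-out `#"tls trust system cas" = true;` is dead configuration with no explanation, sitting next to the TODO lines; either drop it or make it a TODO that states why it stays off, e.g. `# TODO: "tls trust system cas" = true; # disabled until <reason>`. The new value `allow_sasl_without_tls_channel_bindings` appears to be the renamed successor of `allow_sasl_over_tls` and still permits SASL binds over TLS that lack channel bindings, so a comment recording that this relaxation is intentional and which clients need it, e.g. `# permit SASL binds without TLS channel bindings; required by <clients>`, would make the setting reviewable later. The surrounding attribute set starts before the hunk.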