diff --git a/cluster/services/idm/default.nix b/cluster/services/idm/default.nix
index e9c111d..ffbe949 100644
--- a/cluster/services/idm/default.nix
+++ b/cluster/services/idm/default.nix
@@ -1,10 +1,18 @@
-{ tools, ... }:
+{ config, tools, ... }:
 {
-  links.idm = {
-    ipv4 = "idm.${tools.meta.domain}";
-    port = 443;
-    protocol = "https";
+  links = {
+    idm = {
+      ipv4 = "idm.${tools.meta.domain}";
+      port = 443;
+      protocol = "https";
+    };
+    ldap = {
+      hostname = "idm-ldap.internal.${tools.meta.domain}";
+      ipv4 = config.vars.mesh.VEGAS.meshIp;
+      port = 636;
+      protocol = "ldaps";
+    };
   };
   services.idm = {
diff --git a/cluster/services/idm/server.nix b/cluster/services/idm/server.nix
index b622ccd..7a34f71 100644
--- a/cluster/services/idm/server.nix
+++ b/cluster/services/idm/server.nix
@@ -7,6 +7,8 @@ let
   backendLink = config.links.idmBackend;
+  ldapLink = cluster.config.links.ldap;
+
   certDir = config.security.acme.certs."internal.${domain}".directory;
 in
@@ -28,6 +30,7 @@ in
       tls_key = "${certDir}/key.pem";
       role = "WriteReplicaNoUI";
       bindaddress = backendLink.tuple;
+      ldapbindaddress = "${ldapLink.ipv4}:${ldapLink.portStr}";
       origin = frontendLink.url;
       inherit domain;
     };
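Review bot: The new `ldap` link pins the LDAPS endpoint to one node's mesh address, `config.vars.mesh.VEGAS.meshIp`, while its `hostname` is the generic `idm-ldap.internal.<domain>`; since server.nix listens on `ldapLink.ipv4`, the IDM server can only run on VEGAS and nothing in the hunk records that coupling. Because the address is a mesh IP rather than loopback, the listener is reachable by every mesh peer, which looks intended but deserves saying explicitly. Consumers that connect by `ipv4` instead of `hostname` will also have to supply the hostname for TLS verification, as a certificate issued for the `internal.<domain>` name cannot match a bare mesh IP unless it carries an IP SAN. Suggest a comment above `ldap = {`: `# LDAPS listener, bound to VEGAS's mesh IP (server.nix must be deployed there); connect via hostname so certificate verification matches.`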
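Review bot: `ldapbindaddress` is assembled by hand from `ldapLink.ipv4` and `ldapLink.portStr`, whereas the line above uses `backendLink.tuple` for the same host:port shape; if the cluster-level link type exposes `tuple` like the local one does, `ldapbindaddress = ldapLink.tuple;` keeps the two consistent. The LDAPS listener presumably reuses `tls_key` (and the chain from the same `certDir`), i.e. the ACME certificate named `internal.<domain>`; LDAP clients will verify it against `idm-ldap.internal.<domain>`, so that certificate must cover the name via wildcard or SAN, otherwise clients fail or end up configured to skip verification. A comment next to the new line such as `# LDAPS reuses the internal.<domain> ACME cert; it must cover idm-ldap.internal.<domain>` would record that dependency. The enclosing settings attribute set starts before this hunk.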