diff --git a/modules/blocks/ldap.nix b/modules/blocks/ldap.nix
index 25c40e9..48f9ca8 100644
--- a/modules/blocks/ldap.nix
+++ b/modules/blocks/ldap.nix
@@ -112,9 +112,12 @@ in
 '';
 readOnly = true;
 default = {
- user = "lldap";
+ # TODO: is there a workaround that avoid needing to use root?
+ # root because otherwise we cannot access the private StateDiretory
+ user = "root";
+ # /private because the systemd service uses DynamicUser=true
 sourceDirectories = [
- "/var/lib/lldap"
+ "/var/lib/private/lldap"
 ];
 };
 };
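Review bot: Setting `user = "root"` in this `default` means the backup job that consumes the option reads the LLDAP state with full privileges rather than as a dedicated account, and the TODO records the question without naming a direction to take. I would make the comment state the trade-off and the next thing to try, e.g. `# root: /var/lib/private is only traversable by root under DynamicUser=true; revisit with a static lldap user or a read-only capability (CAP_DAC_READ_SEARCH) on the backup unit`, which also fixes the `StateDiretory` typo. Whether either alternative fits depends on how the backup module uses `user`, which is not visible in this hunk. The enclosing option definition starts and ends outside the hunk.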