diff --git a/system/etc.nix b/system/etc.nix
index 17ace6e1f99..a850a19398b 100644
--- a/system/etc.nix
+++ b/system/etc.nix
@@ -75,7 +75,7 @@ import ../helpers/make-etc.nix {
 (program: {
 source = pkgs.substituteAll {
 src = ./etc/pam.d + ("/" + program);
- inherit (pkgs) pam_unix2;
+ inherit (pkgs) pam_unix2 pam_ldap;
 };
 target = "pam.d/" + program;
 }
@@ -88,6 +88,10 @@ import ../helpers/make-etc.nix {
 "shadow"
 "sshd"
 "useradd"
+ "common-auth"
+ "common-account"
+ "common-password"
+ "common-session"
 ]
 );
 }
\ No newline at end of file
diff --git a/system/etc/pam.d/common-account b/system/etc/pam.d/common-account
new file mode 100644
index 00000000000..50d0a58134f
--- /dev/null
+++ b/system/etc/pam.d/common-account
@@ -0,0 +1,2 @@
+account optional @pam_ldap@/lib/security/pam_ldap.so
+account required @pam_unix2@/lib/security/pam_unix2.so
diff --git a/system/etc/pam.d/common-auth b/system/etc/pam.d/common-auth
new file mode 100644
index 00000000000..ec5d5d889a5
--- /dev/null
+++ b/system/etc/pam.d/common-auth
@@ -0,0 +1,3 @@
+auth sufficient @pam_ldap@/lib/security/pam_ldap.so
+auth sufficient @pam_unix2@/lib/security/pam_unix2.so
+auth required pam_deny.so
diff --git a/system/etc/pam.d/common-password b/system/etc/pam.d/common-password
new file mode 100644
index 00000000000..f0ec89f1291
--- /dev/null
+++ b/system/etc/pam.d/common-password
@@ -0,0 +1,2 @@
+password sufficient @pam_ldap@/lib/security/pam_ldap.so
+password sufficient @pam_unix2@/lib/security/pam_unix2.so nullok
diff --git a/system/etc/pam.d/common-session b/system/etc/pam.d/common-session
new file mode 100644
index 00000000000..434fe930f77
--- /dev/null
+++ b/system/etc/pam.d/common-session
@@ -0,0 +1,2 @@
+auth optional @pam_ldap@/lib/security/pam_ldap.so
+session required @pam_unix2@/lib/security/pam_unix2.so
diff --git a/system/etc/pam.d/login b/system/etc/pam.d/login
index 83c1bcd2f34..c3fad16bbef 100644
--- a/system/etc/pam.d/login
+++ b/system/etc/pam.d/login
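Review bot: In common-account the `optional` control on the pam_ldap line means any account-stage failure it reports (an LDAP-side expiry or authorization denial) is discarded, because an optional module's result only counts when it is the sole module in the stack; the verdict comes entirely from the `account required` pam_unix2 line. If LDAP account policy is meant to be enforced, the line needs a control that honours failures while still letting local-only users through, e.g. `account [success=ok user_unknown=ignore default=bad] @pam_ldap@/lib/security/pam_ldap.so`, assuming this pam_ldap reports user_unknown for users absent from the directory. It is also worth confirming that pam_unix2's account check passes for directory users that have no local shadow entry, since a `required` failure there would reject every LDAP account at this stage.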
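Review bot: The second `sufficient` line in common-auth, `auth sufficient @pam_unix2@/lib/security/pam_unix2.so`, will ask for the password a second time whenever pam_ldap has failed (local-only user, directory unreachable), because nothing tells pam_unix2 to reuse the token pam_ldap already collected; the differing prompt behaviour also exposes which backend knows a given account. If pam_unix2 honours `use_first_pass` as pam_unix does, the line should read `auth sufficient @pam_unix2@/lib/security/pam_unix2.so use_first_pass` so that one prompt feeds both modules. Note too that `pam_deny.so` is referenced by bare name while the other modules use absolute store paths; this matches the existing `pam_rootok.so` line in su, and a load failure here still fails closed, but it depends on a default module search path that may not exist on this system.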
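Review bot: common-session's first line is typed `auth` rather than `session`; because the callers pull this file in with `session include common-session` and Linux-PAM's `include` only takes lines of the including stack's type, the pam_ldap entry is silently ignored and only pam_unix2 runs at session open and close. It should read `session optional @pam_ldap@/lib/security/pam_ldap.so`. Since `optional` discards the module's result anyway the typo does not change the stack's verdict, but whatever session work pam_ldap would perform is skipped.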
@@ -1,4 +1,4 @@
-auth required @pam_unix2@/lib/security/pam_unix2.so nullok
-account required @pam_unix2@/lib/security/pam_unix2.so
-password required @pam_unix2@/lib/security/pam_unix2.so nullok
-session required @pam_unix2@/lib/security/pam_unix2.so
+auth include common-auth
+account include common-account
+password include common-password
+session include common-session
diff --git a/system/etc/pam.d/passwd b/system/etc/pam.d/passwd
index d3463aab5ae..c3fad16bbef 100644
--- a/system/etc/pam.d/passwd
+++ b/system/etc/pam.d/passwd
@@ -1,4 +1,4 @@
-auth required @pam_unix2@/lib/security/pam_unix2.so
-account required @pam_unix2@/lib/security/pam_unix2.so
-password required @pam_unix2@/lib/security/pam_unix2.so nullok
-session required @pam_unix2@/lib/security/pam_unix2.so
+auth include common-auth
+account include common-account
+password include common-password
+session include common-session
diff --git a/system/etc/pam.d/sshd b/system/etc/pam.d/sshd
index d3463aab5ae..c3fad16bbef 100644
--- a/system/etc/pam.d/sshd
+++ b/system/etc/pam.d/sshd
@@ -1,4 +1,4 @@
-auth required @pam_unix2@/lib/security/pam_unix2.so
-account required @pam_unix2@/lib/security/pam_unix2.so
-password required @pam_unix2@/lib/security/pam_unix2.so nullok
-session required @pam_unix2@/lib/security/pam_unix2.so
+auth include common-auth
+account include common-account
+password include common-password
+session include common-session
diff --git a/system/etc/pam.d/su b/system/etc/pam.d/su
index 3807b8a3d27..5fbdc16359a 100644
--- a/system/etc/pam.d/su
+++ b/system/etc/pam.d/su
@@ -1,5 +1,5 @@
 auth sufficient pam_rootok.so
-auth required @pam_unix2@/lib/security/pam_unix2.so nullok
-account required @pam_unix2@/lib/security/pam_unix2.so
-password required @pam_unix2@/lib/security/pam_unix2.so nullok
-session required @pam_unix2@/lib/security/pam_unix2.so
+auth include common-auth
+account include common-account
+password include common-password
+session include common-session
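Review bot: login and su previously passed `nullok` on their `auth` line while the new common-auth does not, so local accounts with an empty password can no longer authenticate through login (this hunk) or su (the last hunk on this line); sshd and passwd never accepted them. That is a sound tightening, but it goes beyond the mechanical switch to `include` and deserves a sentence in the commit message. The password stage keeps `nullok` through common-password, so an empty password can still be replaced, which is the right asymmetry.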
diff --git a/system/etc/profile.sh b/system/etc/profile.sh index 039fe34a794..18f81f58c78 100644 --- a/system/etc/profile.sh +++ b/system/etc/profile.sh @@ -17,8 +17,8 @@ fi # Set up the per-user profile. NIX_USER_PROFILE_DIR=/nix/var/nix/profiles/per-user/$USER mkdir -m 0755 -p $NIX_USER_PROFILE_DIR -if test "$(stat --printf '%U' $NIX_USER_PROFILE_DIR)" != "$USER"; then - echo "WARNING: bad ownership on $_NIX_PROFILE_DIR" >&2 +if test "$(stat --printf '%u' $NIX_USER_PROFILE_DIR)" != "$(id -u)"; then + echo "WARNING: bad ownership on $NIX_USER_PROFILE_DIR" >&2 fi if ! test -L $HOME/.nix-profile; then