diff --git a/databases/lldap.nomad b/databases/lldap.nomad
index 876066c..ad63f42 100644
--- a/databases/lldap.nomad
+++ b/databases/lldap.nomad
@@ -215,7 +215,7 @@ delay = yes
 accept = {{ env "NOMAD_PORT_tls" }}
 connect = 127.0.0.1:{{ env "NOMAD_PORT_ldap" }}
 ciphers = PSK
-PSKsecrets = {{ env "NOMAD_TASK_DIR" }}/stunnel_psk.txt
+PSKsecrets = {{ env "NOMAD_SECRETS_DIR" }}/stunnel_psk.txt
 
 [mysql_client]
 client = yes
@@ -234,7 +234,7 @@ PSKsecrets = {{ env "NOMAD_SECRETS_DIR" }}/mysql_stunnel_psk.txt
 {{ with nomadVar .Path }}{{ .psk }}{{ end }}
 {{ end -}}
 EOF
-        destination = "$${NOMAD_TASK_DIR}/stunnel_psk.txt"
+        destination = "$${NOMAD_SECRETS_DIR}/stunnel_psk.txt"
       }
 
       template {
diff --git a/databases/lldap.tf b/databases/lldap.tf
index 4381de8..f4a18c6 100644
--- a/databases/lldap.tf
+++ b/databases/lldap.tf
@@ -16,6 +16,9 @@ resource "nomad_acl_policy" "lldap_ldap_secrets" {
   rules_hcl   = <<EOH
 namespace "default" {
   variables {
+    path "secrets/ldap/*" {
+      capabilities = ["read"]
+    }
     path "secrets/ldap" {
       capabilities = ["read"]
     }
@@ -25,8 +28,6 @@ EOH
 
   job_acl {
     job_id = resource.nomad_job.lldap.id
-    group  = "lldap"
-    task   = "lldap"
   }
 }