diff --git a/services/sssd.scm b/services/sssd.scm
index 7541992..016fa31 100644
--- a/services/sssd.scm
+++ b/services/sssd.scm
@@ -83,30 +83,34 @@
 ;;;
 
 (define (pam-sss-pam-service config)
-  (let ((module #~(string-append #$(pam-sss-configuration-sssd config)
-                                 "/lib/security/pam_sss.so")))
-    (list
+  "Return a PAM service for SSSD authentication."
+  (list
+   (pam-extension
+    (transformer
      (lambda (pam)
+       (define pam-sss-module
+         #~(string-append #$(pam-sss-configuration-sssd config)
+                          "/lib/security/pam_sss.so"))
        (pam-service
         (inherit pam)
         (auth (cons* (pam-entry
                       (control "sufficient")
-                      (module module))
+                      (module pam-sss-module))
                                         ;(arguments (list "use_first_pass")))
                      (pam-service-auth pam)))
         (account (cons* (pam-entry
                          (control "[default=bad success=ok user_unknown=ignore]")
-                         (module module))
+                         (module pam-sss-module))
                         (pam-service-account pam)))
         (password (cons* (pam-entry
                           (control "sufficient")
-                          (module module))
+                          (module pam-sss-module))
                                         ;(arguments (list "use_authtok")))
                          (pam-service-password pam)))
         (session (cons* (pam-entry
                          (control "optional")
-                         (module module))
-                        (pam-service-session pam))))))))
+                         (module pam-sss-module))
+                        (pam-service-session pam)))))))))
 
 (define pam-sss-service-type
   (service-type