diff --git a/services/sssd.scm b/services/sssd.scm index d1b6fe7..7541992 100644 --- a/services/sssd.scm +++ b/services/sssd.scm @@ -17,11 +17,13 @@ sssd-configuration make-sssd-configuration sssd-configuration? (package sssd-configuration-package (default sssd)) + (configuration sssd-configuration-configuration (default "")) (config-file sssd-configuration-config-file (default "/etc/sssd/sssd.conf"))) (define (sssd-shepherd-service config) "Return a for SSSD with CONFIG." - (let ((sssd (sssd-configuration-package config))) + (let ((sssd (sssd-configuration-package config)) + (config-file (sssd-configuration-config-file config))) (list (shepherd-service (requirement '(dbus-system)) 
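Review bot: The new `configuration` field is added without any comment, although its default `""` is a sentinel that switches the service between two modes (write the file, or leave it to something outside Guix). A comment on the field would make that contract visible where users set it, for example `;; Verbatim contents of sssd.conf as a string; "" means CONFIG-FILE is managed externally and is not written.` Both the record definition and the body of `sssd-shepherd-service` extend beyond this hunk, so any existing field documentation further up is not visible here.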
@@ -29,26 +31,36 @@ (documentation "Start sssd") (start #~(make-forkexec-constructor (list (string-append #$sssd "/sbin/sssd") - "-c" #$(sssd-configuration-config-file config) + "--config" #$config-file "--logger=files") #:pid-file "/var/run/sssd.pid" #:log-file "/var/log/sssd/daemon.log")) (stop #~(make-kill-destructor)))))) -(define sssd-activation - ;; Create data directories for sssd. - #~(begin - (use-modules (guix build utils)) - (mkdir-p "/var/log/sssd") - (for-each (lambda (dir) (mkdir-p (string-append "/var/lib/sss/" dir))) - '("db" "gpo_cache" "mc" "pipes/private" "pubconf")))) +(define (sssd-activation config) + (let ((configuration (sssd-configuration-configuration config)) + (config-file (sssd-configuration-config-file config))) + #~(begin + (use-modules (guix build utils)) + ;; Create data directories for sssd. + (mkdir-p "/var/log/sssd") + (for-each (lambda (dir) (mkdir-p (string-append "/var/lib/sss/" dir))) + '("db" "gpo_cache" "mc" "pipes/private" "pubconf")) + ;; Create config file if a configuration is given; otherwise we assume + ;; the file is managed externally. + (unless (string-null? #$configuration) + (mkdir-p (dirname #$config-file)) + (with-output-to-file #$config-file + (lambda _ (display #$configuration)))) + ;; Must be a regular file readable only by root. + (chmod #$config-file #o600)))) (define sssd-service-type (service-type (name 'sssd) (extensions (list (service-extension activation-service-type - (const sssd-activation)) + sssd-activation) (service-extension dbus-root-service-type (compose list sssd-configuration-package)) (service-extension nscd-service-type
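Review bot: In `sssd-activation`, `with-output-to-file` creates `config-file` under the ambient umask and the `chmod ... #o600` only runs afterwards, so the contents are briefly readable with a wider mode (an existing file also keeps its old mode while it is rewritten). The `chmod` is also unconditional: with the default empty `configuration` and no externally provisioned file it raises a system error during activation, and it follows symlinks, so the "regular file" requirement in the comment is never checked. Writing under `(umask #o077)` to a temporary name, renaming it into place, and guarding the `chmod` with `file-exists?` addresses the mode window and the missing-file failure, as sketched below. Separately, `#$configuration` is spliced into the activation gexp, so the text presumably ends up in the store, which is normally world-readable; the field's documentation should say that bind passwords and other secrets do not belong in it.

```scheme
;; … unchanged: use-modules and data directory creation …
(unless (string-null? #$configuration)
  (mkdir-p (dirname #$config-file))
  ;; Write under a restrictive umask to a temporary name, then rename, so
  ;; the contents are never visible with a wider mode.
  (let ((tmp (string-append #$config-file ".tmp"))
        (old-umask (umask #o077)))
    (when (file-exists? tmp)
      (delete-file tmp))
    (with-output-to-file tmp
      (lambda _ (display #$configuration)))
    (umask old-umask)
    (rename-file tmp #$config-file)))
;; An externally managed file may not have been provisioned yet.
(when (file-exists? #$config-file)
  (chmod #$config-file #o600))
```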