diff --git a/nixos/doc/manual/from_md/release-notes/rl-2205.section.xml b/nixos/doc/manual/from_md/release-notes/rl-2205.section.xml
index c0f36fcfd356..c4f7d64d97bc 100644
--- a/nixos/doc/manual/from_md/release-notes/rl-2205.section.xml
+++ b/nixos/doc/manual/from_md/release-notes/rl-2205.section.xml
@@ -672,6 +672,18 @@
the IPv6 loopback address (::1).
+
+
+ openldap (and therefore the slapd LDAP
+ server) were updated to version 2.6.2. The project introduced
+ backwards-incompatible changes, namely the removal of the bdb,
+ hdb, ndb, and shell backends in slapd. Therefore before
+ updating, dump your database slapcat -n 1
+ in LDIF format, and reimport it after updating your
+ services.openldap.settings, which
+ represents your cn=config.
+
+
openssh has been update to 8.9p1, changing
diff --git a/nixos/doc/manual/release-notes/rl-2205.section.md b/nixos/doc/manual/release-notes/rl-2205.section.md
index 5902957a5352..f07439d34a1a 100644
--- a/nixos/doc/manual/release-notes/rl-2205.section.md
+++ b/nixos/doc/manual/release-notes/rl-2205.section.md
@@ -238,6 +238,8 @@ In addition to numerous new and upgraded packages, this release has the followin
- In the ncdns module, the default value of `services.ncdns.address` has been changed to the IPv6 loopback address (`::1`).
+- `openldap` (and therefore the slapd LDAP server) were updated to version 2.6.2. The project introduced backwards-incompatible changes, namely the removal of the bdb, hdb, ndb, and shell backends in slapd. Therefore before updating, dump your database `slapcat -n 1` in LDIF format, and reimport it after updating your `services.openldap.settings`, which represents your `cn=config`.
+
- `openssh` has been update to 8.9p1, changing the FIDO security key middleware interface.
- `git` no longer hardcodes the path to openssh' ssh binary to reduce the amount of rebuilds. If you are using git with ssh remotes and do not have a ssh binary in your enviroment consider adding `openssh` to it or switching to `gitFull`.
diff --git a/pkgs/development/libraries/openldap/default.nix b/pkgs/development/libraries/openldap/default.nix
index 4ecfc569ae16..44afffc72045 100644
--- a/pkgs/development/libraries/openldap/default.nix
+++ b/pkgs/development/libraries/openldap/default.nix
@@ -1,33 +1,48 @@
-{ lib, stdenv, fetchurl, openssl, db, groff, libtool, libsodium
-, withCyrusSasl ? true
+{ lib
+, stdenv
+, fetchurl
+
+# dependencies
, cyrus_sasl
+, db
+, groff
+, libsodium
+, libtool
+, openssl
+, systemdMinimal
}:
stdenv.mkDerivation rec {
pname = "openldap";
- version = "2.4.58";
+ version = "2.6.2";
src = fetchurl {
url = "https://www.openldap.org/software/download/OpenLDAP/openldap-release/${pname}-${version}.tgz";
- sha256 = "sha256-V7WSVL4V0L9qmrPVFMHAV3ewISMpFTMTSofJRGj49Hs=";
+ hash = "sha256-gdCTRSMutiSG7PWsrNLFbAxFtKbIwGZhLn9CGiOhz4c";
};
# TODO: separate "out" and "bin"
- outputs = [ "out" "dev" "man" "devdoc" ];
+ outputs = [
+ "out"
+ "dev"
+ "man"
+ "devdoc"
+ ];
enableParallelBuilding = true;
- nativeBuildInputs = [ groff ];
+ nativeBuildInputs = [
+ groff
+ ];
- buildInputs = [ openssl cyrus_sasl db libsodium libtool ];
-
- # Disable install stripping as it breaks cross-compiling.
- # We strip binaries anyway in fixupPhase.
- makeFlags= [
- "STRIP="
- "prefix=$(out)"
- "moduledir=$(out)/lib/modules"
- "CC=${stdenv.cc.targetPrefix}cc"
+ buildInputs = [
+ cyrus_sasl
+ db
+ libsodium
+ libtool
+ openssl
+ ] ++ lib.optionals (stdenv.isLinux) [
+ systemdMinimal
];
preConfigure = lib.optionalString (lib.versionAtLeast stdenv.hostPlatform.darwinMinVersion "11") ''
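Review bot: Dropping the `withCyrusSasl` argument from the function header breaks any caller that still passes it, because `openldap.override { withCyrusSasl = false; }` now fails evaluation with an unexpected-argument error instead of producing a build without SASL. Callers are not visible in this hunk, so this needs a tree-wide check and a line in the release note. Separately, `db` stays in `buildInputs` although the release note in this same commit says the bdb and hdb backends were removed, so it looks like an unused dependency that only enlarges the closure; consider dropping it if configure no longer probes for it. The `mkDerivation` body continues past the end of this hunk.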
@@ -35,56 +50,61 @@ stdenv.mkDerivation rec {
'';
configureFlags = [
- "--enable-overlays"
- "--disable-dependency-tracking" # speeds up one-time build
- "--enable-modules"
- "--sysconfdir=/etc"
- "--localstatedir=/var"
+ "--enable-argon2"
"--enable-crypt"
+ "--enable-modules"
+ "--enable-overlays"
] ++ lib.optionals (stdenv.hostPlatform != stdenv.buildPlatform) [
"--with-yielding_select=yes"
"ac_cv_func_memcmp_working=yes"
- ] ++ lib.optional (!withCyrusSasl) "--without-cyrus-sasl"
- ++ lib.optional stdenv.isFreeBSD "--with-pic";
+ ] ++ lib.optional stdenv.isFreeBSD "--with-pic";
- postBuild = ''
- make $makeFlags CC=$CC -C contrib/slapd-modules/passwd/sha2
- make $makeFlags CC=$CC -C contrib/slapd-modules/passwd/pbkdf2
- make $makeFlags CC=$CC -C contrib/slapd-modules/passwd/argon2
- '';
-
- doCheck = false; # needs a running LDAP server
-
- installFlags = [
- "sysconfdir=$(out)/etc"
- "localstatedir=$(out)/var"
- "moduledir=$(out)/lib/modules"
- # The argon2 module hardcodes /usr/bin/install as the path for the
- # `install` binary, which is overridden here.
- "INSTALL=install"
+ makeFlags= [
+ "CC=${stdenv.cc.targetPrefix}cc"
+ "STRIP=" # Disable install stripping as it breaks cross-compiling. We strip binaries anyway in fixupPhase.
+ "prefix=${placeholder "out"}"
+ "sysconfdir=${placeholder "out"}/etc"
+ "systemdsystemunitdir=${placeholder "out"}/lib/systemd/system"
+ # contrib modules require these
+ "moduledir=${placeholder "out"}/lib/modules"
+ "mandir=${placeholder "out"}/share/man"
];
- # 1. Libraries left in the build location confuse `patchelf --shrink-rpath`
- # Delete these to let patchelf discover the right path instead.
- # FIXME: that one can be removed when https://github.com/NixOS/patchelf/pull/98
- # is in Nixpkgs patchelf.
- # 2. Fixup broken libtool for openssl and cyrus_sasl (if it is not disabled)
- preFixup = ''
- rm -r $out/var
- rm -r libraries/*/.libs
- rm -r contrib/slapd-modules/passwd/*/.libs
- for f in $out/lib/libldap.la $out/lib/libldap_r.la; do
- substituteInPlace "$f" --replace '-lssl' '-L${lib.getLib openssl}/lib -lssl'
- '' + lib.optionalString withCyrusSasl ''
- substituteInPlace "$f" --replace '-lsasl2' '-L${cyrus_sasl.out}/lib -lsasl2'
- '' + ''
+ extraContribModules = [
+ # https://git.openldap.org/openldap/openldap/-/tree/master/contrib/slapd-modules
+ "passwd/sha2"
+ "passwd/pbkdf2"
+ "passwd/totp"
+ ];
+
+ postBuild = ''
+ for module in ${lib.concatStringsSep " " extraContribModules}; do
+ make $makeFlags CC=$CC -C contrib/slapd-modules/$module
done
'';
+ preCheck = ''
+ substituteInPlace tests/scripts/all \
+ --replace "/bin/rm" "rm"
+ '';
+
+ doCheck = true;
+
+ # The directory is empty and serve no purpose.
+ preFixup = ''
+ rm -r $out/var
+ '';
+
+ installFlags = [
+ "prefix=${placeholder "out"}"
+ "moduledir=${placeholder "out"}/lib/modules"
+ "INSTALL=install"
+ ];
+
postInstall = ''
- make $installFlags install -C contrib/slapd-modules/passwd/sha2
- make $installFlags install -C contrib/slapd-modules/passwd/pbkdf2
- make $installFlags install-lib -C contrib/slapd-modules/passwd/argon2
+ for module in ${lib.concatStringsSep " " extraContribModules}; do
+ make $installFlags install -C contrib/slapd-modules/$module
+ done
chmod +x "$out"/lib/*.{so,dylib}
'';
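Review bot: With `--sysconfdir=/etc` removed from `configureFlags` and `sysconfdir=${placeholder "out"}/etc` now in `makeFlags`, the store path applies at build time as well as install time, so the compiled-in default locations for `ldap.conf` and `slapd.conf` likely move from `/etc` into the read-only store output. Clients that rely on the system `ldap.conf` for `TLS_CACERT` or `TLS_REQCERT` would then silently stop reading it. Keeping the two apart avoids this: `"sysconfdir=/etc"` in `makeFlags` and `"sysconfdir=${placeholder "out"}/etc"` in `installFlags`. The same concern applies to the dropped `--localstatedir=/var`, which leaves the run-time state directory defaulting under the prefix. The derivation body starts before this hunk.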