Tutorial: Use ACI/ACL to move fast to a stronger and safer directory

Alban Meunier

SmartWave SA


LDAP directory comes with a set of out of the box security. For any implementation, it’s required to get the control of who can do what and when. This is the purpose of the ACI.

With the lab, you will discover the power of ACI based on a functional approach. The proposed approach is the same for each use case:

  • understand
  • test before ACI
  • implement ACI
  • test after ACI

The lab will use the following command line tools:

  • ldapsearch
  • ldapmodify + LDIF files

Lab is built with ForgeRock OpenDJ


Attendees must have a basic knowledge of LDAP filters

Attendees must bring a laptop with either Windows, OS X, or Linux

JRE or JDK must be installed

OpenDJ2.6.2.zip downloaded but not installed

Internet access is needed to download hand-outs and data set


  • Concept of ACI/ACL
  • Overview of the syntax elements
  • Install the environment (5 minutes)
    • install a fresh OpenDJ for the LAB
    • import data set for the lab
  • What we want to achieve
    • security best practices
    • functional use cases
  • What is implemented out of the box
  • Disable unauthenticated access
  • Administrators
  • Externals
  • Internals
  • Application account
  • Backup agent
  • Ldap browsers
  • No clear text communication
  • Conclusion