diff --git a/Dockerfile b/Dockerfile
index af2ed4a..bb2eff9 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -8,7 +8,7 @@ RUN if [ -n ${HTTP_PROXY} ] ; then sed -ie s'/https/http/' /etc/apk/repositories
 RUN apk add --no-cache bash openldap openldap-back-mdb openldap-clients
-ADD samba.ldif wurley.ldif /etc/openldap/schema/
+ADD acl.ldif samba.ldif wurley.ldif /etc/openldap/schema/
 RUN sed -ie 's/dc=my-domain,dc=com/c=AU/' /etc/openldap/slapd.ldif \
  && sed -ie 's/openldap-data/data/' /etc/openldap/slapd.ldif \
  && mv /var/lib/openldap/openldap-data /var/lib/openldap/data \
@@ -17,6 +17,7 @@ RUN sed -ie 's/dc=my-domain,dc=com/c=AU/' /etc/openldap/slapd.ldif \
  && slapadd -b cn=config -l /etc/openldap/schema/misc.ldif \
  && slapadd -b cn=config -l /etc/openldap/schema/samba.ldif \
  && slapadd -b cn=config -l /etc/openldap/schema/wurley.ldif \
+ && slapmodify -b cn=config -l /etc/openldap/schema/acl.ldif \
  && chown -R ldap:ldap /etc/openldap/slapd.d /var/lib/openldap/data
 # Starting
diff --git a/acl.ldif b/acl.ldif
new file mode 100644
index 0000000..ff8a802
--- /dev/null
+++ b/acl.ldif
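Review bot: The `ADD` line now carries three plain local files, which is the case where `COPY` is the recommended instruction — `ADD` additionally fetches remote URLs and auto-extracts archives, behaviour nothing here needs: `COPY acl.ldif samba.ldif wurley.ldif /etc/openldap/schema/`. Storing an ACL fragment under `/etc/openldap/schema/` next to real schema files is also slightly misleading; a dedicated `ldif/` or `config/` directory would make clear it is not a schema.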
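Review bot: The new `slapmodify` step depends on a tool that only exists from OpenLDAP 2.5 onward; the base image and the `openldap` package version are not pinned in this hunk, so on an image still shipping 2.4 the build fails at this line with "command not found" rather than with an ACL error. Pinning the package, or adding a guard such as `&& command -v slapmodify >/dev/null` immediately before it, would make that failure mode explicit. Note also that the `-ie` sed flags on the context lines leave `slapd.ldife` backup files behind (`-ie` is `-i` with suffix `e`), which this change inherits but does not fix; `-i` alone avoids that.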
@@ -0,0 +1,113 @@
+dn: olcDatabase={1}mdb,cn=config
+changetype: modify
+replace: olcAccess
+olcAccess: to attrs=userPassword
+ by self write
+ by anonymous auth
+ by group/groupOfNames/member.exact="cn=admin,ou=groups,c=au" write
+olcAccess: to dn.base="c=au"
+ by group/groupOfNames/member.exact="cn=admin,ou=groups,c=au" write
+ by * read
+olcAccess: to dn.regex="o=(.*),c=(.*)$" attrs=wsAccountContact
+ by dnattr=wsAccountOwner read
+ by self write
+ by anonymous auth
+ by dnattr=wsAccountOwner read
+ by * read
+olcAccess: to dn.regex="^o=(.*),c=(.*)$"
+ by group/groupOfNames/member.exact="cn=admin,ou=groups,c=au" write
+ by group/groupOfNames/member.exact="cn=admin internal,ou=groups,c=au" read
+ by group/groupOfNames/member.expand="cn=People,ou=Admin,o=$1,c=$2" read
+ by dn.regex="cn=.*,ou=People,o=$1,c=$2" read
+ by dn.regex="cn=.*,ou=Robots,c=AU" read
+ by * read
+olcAccess: to dn.regex="ou=(People|Customers),o=(.*),c=(.*)$" attrs=mail,uid
+ by self write
+ by group/groupOfNames/member.exact="cn=admin,ou=groups,c=au" write
+ by group/groupOfNames/member.exact="cn=admin internal,ou=groups,c=au" write
+ by group/groupOfNames/member.expand="cn=People,ou=Admin,o=$1,c=$2" write
+ by dn.regex="cn=.*,ou=Robots,c=AU" read
+ by * search
+olcAccess: to dn.regex="ou=(People|Customers),o=(.*),c=(.*)$" attrs=shadowLastChange
+ by self write
+ by group/groupOfNames/member.exact="cn=admin,ou=groups,c=au" write
+ by group/groupOfNames/member.exact="cn=admin internal,ou=groups,c=au" write
+ by group/groupOfNames/member.expand="cn=People,ou=Admin,o=$1,c=$2" write
+ by dn.regex="cn=.*,ou=Robots,c=AU" read
+olcAccess: to dn.regex="ou=(People|Customers|Applications),o=(.*),c=(. 
*)$" attrs=mail,uid,mailRoutingAddress,mailHost,entry
+ by self write
+ by group/groupOfNames/member.exact="cn=admin,ou=groups,c=au" write
+ by group/groupOfNames/member.exact="cn=admin internal,ou=groups,c=au" write
+ by group/groupOfNames/member.expand="cn=People,ou=Admin,o=$1,c=$2" write
+ by * read
+olcAccess: to dn.regex="ou=People,o=(.*),c=(.*)$"
+ by self write
+ by group/groupOfNames/member.exact="cn=admin,ou=groups,c=au" write
+ by group/groupOfNames/member.exact="cn=admin internal,ou=groups,c=au" write
+ by group/groupOfNames/member.expand="cn=People,ou=Admin,o=$1,c=$2" write
+ by dn.regex="cn=.*,ou=People,o=$1,c=$2" read
+ by dn.regex="cn=.*,ou=Robots,c=AU" read
+ by * read
+olcAccess: to dn.regex="ou=(Customers|Groups),o=(.*),c=(.*)$"
+ by self write
+ by group/groupOfNames/member.exact="cn=admin,ou=groups,c=au" write
+ by group/groupOfNames/member.exact="cn=admin internal,ou=groups,c=au" write
+ by group/groupOfNames/member.expand="cn=People,ou=Admin,o=$1,c=$2" write
+ by dn.regex="cn=.*,ou=Robots,c=AU" read
+olcAccess: to dn.regex="ou=Applications,o=(.*),c=(.*)$"
+ by group/groupOfNames/member.exact="cn=admin,ou=groups,c=au" write
+ by group/groupOfNames/member.exact="cn=admin internal,ou=groups,c=au" write
+ by group/groupOfNames/member.expand="cn=People,ou=Admin,o=$1,c=$2" read
+ by dnattr=uniqueMember read
+ by dn.regex="cn=.*,ou=Robots,c=AU" read
+olcAccess: to dn.regex="ou=DNS,o=(.*),c=(.*)$"
+ by group/groupOfNames/member.exact="cn=admin,ou=groups,c=au" write
+ by group/groupOfNames/member.exact="cn=admin internal,ou=groups,c=au" write
+ by group/groupOfNames/member.expand="cn=Management,ou=Admin,o=$1,c=$2" read
+ by dn.regex="cn=.*,ou=Robots,c=AU" read
+olcAccess: to dn.regex="ou=DSL,o=(.*),c=(.*)$"
+ by group/groupOfNames/member.exact="cn=admin,ou=groups,c=au" write
+ by group/groupOfNames/member.exact="cn=admin internal,ou=groups,c=au" write
+ by group/groupOfNames/member.expand="cn=Management,ou=Admin,o=$1,c=$2" read
+ by 
dnattr=wsAccountOwner read
+ by dn.regex="cn=.*,ou=Robots,c=AU" read
+olcAccess: to dn.regex="ou=Hosts,o=(.*),c=(.*)$"
+ by group/groupOfNames/member.exact="cn=admin,ou=groups,c=au" write
+ by group/groupOfNames/member.exact="cn=admin internal,ou=groups,c=au" write
+ by group/groupOfNames/member.expand="cn=People,ou=Admin,o=$1,c=$2" read
+ by dn.regex="cn=.*,ou=Robots,c=AU" read
+olcAccess: to dn.regex="ou=Network,o=(.*),c=(.*)$"
+ by group/groupOfNames/member.exact="cn=admin,ou=groups,c=au" write
+ by group/groupOfNames/member.exact="cn=admin internal,ou=groups,c=au" write
+ by group/groupOfNames/member.expand="cn=Management,ou=Admin,o=$1,c=$2" read
+ by dn.regex="cn=.*,ou=Robots,c=AU" read
+olcAccess: to dn.regex="ou=(.*),o=(.*),c=(.*)$" attrs=uniqueMember,member
+ by self write
+ by group/groupOfNames/member.exact="cn=admin,ou=groups,c=au" write
+ by group/groupOfNames/member.exact="cn=admin internal,ou=groups,c=au" write
+ by group/groupOfNames/member.expand="cn=People,ou=Admin,o=$2,c=$3" write
+ by dnattr=uniqueMember read
+ by dn.regex="cn=.*,ou=Robots,c=AU" read
+olcAccess: to dn.regex="ou=(.*),o=(.*),c=(.*)$"
+ by self write
+ by group/groupOfNames/member.exact="cn=admin,ou=groups,c=au" write
+ by dn.regex="cn=.*,ou=Robots,c=AU" read
+ by dnattr=wsAccountOwner read
+olcAccess: to *
+ by group/groupOfNames/member.exact="cn=admin,ou=groups,c=au" write
+ by * search
+-
+replace: olcAddContentAcl
+olcAddContentAcl: FALSE
+-
+replace: olcLastMod
+olcLastMod: TRUE
+-
+replace: olcMaxDerefDepth
+olcMaxDerefDepth: 0
+-
+replace: olcReadOnly
+olcReadOnly: FALSE
+-
+replace: olcMonitoring
+olcMonitoring: FALSE
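Review bot: The `to attrs=userPassword` clause at the top of the hunk is the only one that withholds read from other binds, but the Dockerfile loads the Samba schema, and `sambaNTPassword`/`sambaLMPassword` are not listed there — they fall through to the `to dn.regex="ou=People,o=(.*),c=(.*)$"` entry clause, which ends in `by * read`, so if those attributes are populated every bind, anonymous included, can read every NT/LM hash. That clause's entry-wide `by self write` likewise lets a user rewrite any attribute of their own entry that no earlier clause claims; if posixAccount is in use (the `shadowLastChange` clause suggests it), that includes `uidNumber`/`gidNumber`/`loginShell`. At minimum the first clause should read `olcAccess: to attrs=userPassword,sambaNTPassword,sambaLMPassword`, and the People clause would be safer enumerating the self-writable attributes instead of granting `self write` to the whole entry. Separately, the file writes `c=AU` in the Robots `dn.regex` patterns but `c=au` everywhere else; ACL regexes are matched against the normalized DN, so using one casing throughout avoids depending on case-insensitive compilation for those `by` clauses to ever match.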