diff --git a/config/ldap/init-ldap-acls.sh b/config/ldap/init-ldap-acls.sh
new file mode 100755
index 0000000..8141a20
--- /dev/null
+++ b/config/ldap/init-ldap-acls.sh
@@ -0,0 +1,11 @@
+#!/usr/bin/env bash
+set -eu
+
+# apply acls
+echo -n "Applying acls... "
+slapmodify -F /opt/bitnami/openldap/etc/slapd.d -b cn=config -l /opt/bitnami/openldap/etc/schema/50_acls.ldif
+if [ $? -eq 0 ]; then
+ echo "done."
+else
+ echo "failed."
+fi
diff --git a/config/ldap/ldif/50_acls.ldif b/config/ldap/ldif/50_acls.ldif
new file mode 100644
index 0000000..5698f73
--- /dev/null
+++ b/config/ldap/ldif/50_acls.ldif
@@ -0,0 +1,9 @@
+# OpenCloud ldap acl file which gets applied during the first db initialisation
+dn: olcDatabase={2}mdb,cn=config
+changetype: modify
+replace: olcAccess
+olcAccess: {0}to dn.subtree="dc=opencloud,dc=eu" attrs=entry,uid,objectClass,entryUUID
+ by * read
+olcAccess: {1}to attrs=userPassword
+ by self write
+ by * auth
diff --git a/idm/ldap-keycloak.yml b/idm/ldap-keycloak.yml
index e7a418a..038b049 100644
--- a/idm/ldap-keycloak.yml
+++ b/idm/ldap-keycloak.yml
@@ -54,6 +54,8 @@ services:
 volumes:
 - ./config/ldap/ldif/10_base.ldif:/ldifs/10_base.ldif
 - ./config/ldap/ldif/20_admin.ldif:/ldifs/20_admin.ldif
+ - ./config/ldap/ldif/50_acls.ldif:/opt/bitnami/openldap/etc/schema/50_acls.ldif
+ - ./config/ldap/init-ldap-acls.sh:/docker-entrypoint-initdb.d/init-ldap-acls.sh
 - ./config/ldap/docker-entrypoint-override.sh:/opt/bitnami/scripts/openldap/docker-entrypoint-override.sh
 - ldap-certs:/opt/bitnami/openldap/share
 - ldap-data:/bitnami/openldap
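Review bot: The `if [ $? -eq 0 ]` test after `slapmodify` is dead code under `set -eu`: a non-zero exit from slapmodify terminates the script before the test runs, so "failed." can never be printed, and if `-e` were ever dropped the script would print "failed." yet exit 0, letting initialisation continue without the userPassword ACL in place. Make the outcome explicit in one place, e.g. `slapmodify -F /opt/bitnami/openldap/etc/slapd.d -b cn=config -l /opt/bitnami/openldap/etc/schema/50_acls.ldif || { echo "failed." >&2; exit 1; }` followed by `echo "done."`, so a missing or rejected ACL file stops the init instead of being reported only on stdout. It is also worth confirming in a comment that this init hook runs while slapd is stopped, since slapmodify writes to the config database directly and is not safe against a running server; if slapd is up at this point, ldapmodify over the local socket is the appropriate tool. A one-line comment stating why slapmodify was chosen over ldapmodify would save the next maintainer that check.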
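Review bot: Rule `{0}` ends in `by * read`, which grants anonymous clients read access to `uid`, `objectClass` and `entryUUID` for every entry under `dc=opencloud,dc=eu`; unless anonymous binds are disabled elsewhere this allows unauthenticated enumeration of account names, so prefer `by users read` if only bound identities (such as the Keycloak federation account) need it. Because `replace: olcAccess` discards whatever rules the container generated and no remaining rule covers other attributes, attributes such as `cn` or `mail` fall through to slapd's implicit deny for everyone except the rootdn — confirm against the Keycloak user-federation mappers that the bind account is the rootdn or that the attributes it reads are listed here. The target `olcDatabase={2}mdb,cn=config` assumes the data backend sits at index 2 in this image's generated config; a wrong index makes slapmodify fail, which the companion init script does not currently surface as an error. A comment above `dn:` naming that assumption, e.g. `# {2}mdb is the data backend in the bitnami-generated cn=config; adjust if the index differs`, would help.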
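Review bot: Both new bind mounts should be read-only, since neither the ACL LDIF nor the init script is written by the container and the ACL source should not be modifiable from inside it: `- ./config/ldap/ldif/50_acls.ldif:/opt/bitnami/openldap/etc/schema/50_acls.ldif:ro` and `- ./config/ldap/init-ldap-acls.sh:/docker-entrypoint-initdb.d/init-ldap-acls.sh:ro`. The LDIF is mounted into the image's schema directory although it carries access rules rather than a schema definition; a dedicated path such as `/opt/bitnami/openldap/etc/acls/50_acls.ldif` would keep it apart from the schema files that ship there. The same container path is hard-coded in init-ldap-acls.sh, so the two would need to change together.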