diff --git a/lib/tasks/ldap.rake b/lib/tasks/ldap.rake
index 3beb0e9..be7a2ed 100644
--- a/lib/tasks/ldap.rake
+++ b/lib/tasks/ldap.rake
@@ -19,6 +19,18 @@ namespace :ldap do
 }, true
 end
 
+ # TODO
+ desc "Add application account to directory"
+ task add_application_account: :environment do |t, args|
+ # Add uid=service,ou=kosmos.org,cn=applications,dc=kosmos,dc=org with userPassword
+ end
+
+ # TODO
+ desc "Add application ACI/permissions for OU, i.e. read/search users"
+ task add_application_account: :environment do |t, args|
+ # (target="ldap:///cn=*,ou=#{ou},cn=users,#{ldap_suffix}")(targetattr="cn || sn || uid || mail || userPassword || nsRole || objectClass") (version 3.0; acl "service-#{ou.gsub(".", "-")}-read-search"; allow (read,search) userdn="ldap:///uid=service,ou=#{ou},cn=applications,#{ldap_suffix}";)
+ end
+
 desc "Add custom attributes to schema"
 task add_custom_attributes: :environment do |t, args|
 %w[ admin service_enabled nostr_key ].each do |name|
diff --git a/schemas/ldap/aci.ldif b/schemas/ldap/aci.ldif
new file mode 100644
index 0000000..5f5c865
--- /dev/null
+++ b/schemas/ldap/aci.ldif
@@ -0,0 +1,4 @@
+dn: ou=kosmos.org,cn=users,dc=kosmos,dc=org
+changetype: modify
+add: aci
+aci: (target="ldap:///cn=*,ou=kosmos.org,cn=users,dc=kosmos,dc=org")(targetattr="cn || sn || uid || mail || userPassword || serviceEnabled || displayName || jpegPhoto || nsRole || objectClass") (version 3.0; acl "service-kosmos-read-search"; allow (read,search) userdn="ldap:///uid=service,ou=kosmos.org,cn=applications,dc=kosmos,dc=org";)
diff --git a/schemas/ldap/delete-aci.ldif b/schemas/ldap/delete-aci.ldif
new file mode 100644
index 0000000..d939c31
--- /dev/null
+++ b/schemas/ldap/delete-aci.ldif
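Review bot: Both new tasks are registered under the same name, `task add_application_account: :environment do |t, args|`, and Rake enhances an existing task rather than replacing it, so `rake ldap:add_application_account` would run both bodies in definition order once they are implemented; the ACI task needs its own name, e.g. `task add_application_aci: :environment do |t, args|`. The permission template in the second task's comment grants `read` on `userPassword` to the service account; if the application only needs to authenticate users with a bind against the directory, that attribute can be left out of `targetattr`, and any `ou` value interpolated into the target DN and `userdn` should be validated, since the `gsub` only sanitises the ACL name, not the DNs. The attribute list in that comment also lacks the `serviceEnabled || displayName || jpegPhoto` entries that `schemas/ldap/aci.ldif` grants, so the generated ACI and the checked-in one will diverge. Both tasks are listed by `rake -T` while their bodies are empty TODOs; a `raise NotImplementedError` in each body makes that explicit until they are finished. The enclosing `namespace :ldap do` block begins before the hunk.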
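Review bot: The `aci:` value grants the service account `read` on `userPassword` for every entry under `ou=kosmos.org,cn=users`, which means a leaked application credential is enough to export all password hashes in that OU; if the application authenticates users via a bind against the directory, `userPassword` can be dropped from `targetattr`, and if it must verify passwords itself the narrower `compare` right is sufficient. The ACI also has no `targetfilter`, so entries with `serviceEnabled` unset remain readable — likely intended, since the attribute is in the list, but the file should say so in a comment above the `dn:` line, e.g. `# read/search grant for uid=service; userPassword is included because <reason>`. Note that the attribute list here is wider than the one in `delete-aci.ldif`, which lacks `serviceEnabled || displayName || jpegPhoto`.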
@@ -0,0 +1,4 @@
+dn: ou=kosmos.org,cn=users,dc=kosmos,dc=org
+changetype: modify
+delete: aci
+aci: (target="ldap:///cn=*,ou=kosmos.org,cn=users,dc=kosmos,dc=org")(targetattr="cn || sn || uid || mail || userPassword || nsRole || objectClass") (version 3.0; acl "service-kosmos-read-search"; allow (read,search) userdn="ldap:///uid=service,ou=kosmos.org,cn=applications,dc=kosmos,dc=org";)
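Review bot: The `aci:` value on the last line does not match the one added by `aci.ldif` — its `targetattr` lacks `serviceEnabled || displayName || jpegPhoto` — and `delete: aci` with an explicit value only removes a value that matches, so applying this file after `aci.ldif` will be rejected with a no-such-attribute-value error and leave the grant in place. Either copy the value verbatim from `aci.ldif`, or, if the intent is to strip every ACI from the OU, use `delete: aci` with no value line. Generating both files from the same template in the rake task would keep them from drifting again.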