diff --git a/site-cookbooks/kosmos-dirsrv/files/acis.ldif b/site-cookbooks/kosmos-dirsrv/files/acis.ldif
new file mode 100644
index 0000000..f882afc
--- /dev/null
+++ b/site-cookbooks/kosmos-dirsrv/files/acis.ldif
@@ -0,0 +1,5 @@
+dn: dc=kosmos,dc=org
+changetype: modify
+replace: aci
+aci: (target="ldap:///dc=kosmos,dc=org") (version 3.0; acl "user-deny-all"; deny (all) userdn="ldap:///dc=kosmos,dc=org";)
+aci: (target="ldap:///dc=kosmos,dc=org")(targetattr="userPassword") (version 3.0; acl "user-write-own-password"; allow (write) userdn="ldap:///self";)
diff --git a/site-cookbooks/kosmos-dirsrv/files/users.ldif b/site-cookbooks/kosmos-dirsrv/files/users.ldif
index 3ae1306..5055e99 100644
--- a/site-cookbooks/kosmos-dirsrv/files/users.ldif
+++ b/site-cookbooks/kosmos-dirsrv/files/users.ldif
@@ -1,11 +1,3 @@
-# kosmos.org
-dn: dc=kosmos,dc=org
-objectClass: top
-objectClass: domain
-dc: kosmos
-aci: (target="ldap:///dc=kosmos,dc=org") (version 3.0; acl "user-deny-all"; deny (all) userdn="ldap:///dc=kosmos,dc=org";)
-aci: (target="ldap:///dc=kosmos,dc=org")(targetattr="userPassword") (version 3.0; acl "user-write-own-password"; allow (write) userdn="ldap:///self";)
-
 dn: ou=users,dc=kosmos,dc=org
 objectClass: top
 objectClass: organizationalUnit
diff --git a/site-cookbooks/kosmos-dirsrv/resources/instance.rb b/site-cookbooks/kosmos-dirsrv/resources/instance.rb
index de6b6fd..3d66111 100644
--- a/site-cookbooks/kosmos-dirsrv/resources/instance.rb
+++ b/site-cookbooks/kosmos-dirsrv/resources/instance.rb
@@ -50,6 +50,7 @@ action :create do
 subscribes :run, "template[#{setup_config}]", :immediately
 notifies :restart, "service[#{service_name}]", :immediately
 notifies :delete, "template[#{setup_config}]", :immediately
+ notifies :run, "execute[set base acis]", :delayed
 notifies :run, "execute[add users group]", :delayed
 notifies :run, "execute[disable anonymous access]", :delayed
 end
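Review bot: The `user-deny-all` ACI on the fourth added line of acis.ldif is either redundant or harmful, and the file should say which is intended. 389 Directory Server denies anything no ACI explicitly allows, and an explicit deny takes precedence over every allow, so a deny that actually matched user binds would also defeat the `user-write-own-password` allow on the line after it; as I recall, a bare DN in `userdn` matches only a bind as exactly `dc=kosmos,dc=org`, which would make the rule a no-op rather than a default-deny — worth confirming against the ACI documentation for the deployed version. I would either drop that line and rely on the implicit deny, or keep it with a leading LDIF comment stating why, e.g. `# access is denied unless an aci below allows it; the deny rule only makes that explicit`. A second comment is worth adding because `replace: aci` is authoritative: it removes every ACI already present on the suffix entry, including any installer defaults, so this file must hold the complete policy.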
@@ -59,6 +60,18 @@ action :create do
 action [:enable, :start]
 end
 
+ cookbook_file "#{Chef::Config[:file_cache_path]}/acis.ldif" do
+ source "acis.ldif"
+ owner "root"
+ group "root"
+ end
+
+ execute "set base acis" do
+ command "ldapmodify -x -w #{new_resource.admin_password} -D '#{new_resource.bind_dn}' -f '#{Chef::Config[:file_cache_path]}/acis.ldif' -p #{new_resource.port} -h localhost"
+ sensitive true
+ action :nothing
+ end
+
 cookbook_file "#{Chef::Config[:file_cache_path]}/users.ldif" do
 source "users.ldif"
 owner "root"
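Review bot: The `command` string in `execute "set base acis"` puts the admin password on the ldapmodify command line, where any local user can read it from `ps` or `/proc/*/cmdline` for as long as the process runs; `sensitive true` only keeps it out of Chef's log. The same string interpolates `admin_password` and `bind_dn` into a shell command, so a value containing `'`, `$` or whitespace breaks the command or changes its meaning, and because the new `cookbook_file` has no `notifies`, a later edit to acis.ldif is never re-applied — the execute fires only from the initial instance-creation notification in the earlier hunk. Writing the password to a root-owned 0600 file and passing it with `-y`, using the array form of `command` so no shell is involved, and notifying the execute from the cookbook_file address all three; the sketch below keeps the resource names unchanged. Whether ldapmodify should use `-H ldapi://` rather than a simple bind to `localhost:port` depends on how the instance is configured, which is outside this hunk.
```ruby
  # bind password goes in a 0600 file so it never appears in the process list
  acis_pw_file = "#{Chef::Config[:file_cache_path]}/.dirsrv_admin_pw"

  file acis_pw_file do
    content new_resource.admin_password # no trailing newline: -y uses the file verbatim
    owner "root"
    group "root"
    mode "0600"
    sensitive true
  end

  cookbook_file "#{Chef::Config[:file_cache_path]}/acis.ldif" do
    source "acis.ldif"
    owner "root"
    group "root"
    # re-apply whenever the ACI file changes, not only on first instance creation
    notifies :run, "execute[set base acis]", :immediately
  end

  execute "set base acis" do
    # array form bypasses the shell; -y reads the bind password from the file above
    command ["ldapmodify", "-x", "-y", acis_pw_file,
             "-D", new_resource.bind_dn,
             "-f", "#{Chef::Config[:file_cache_path]}/acis.ldif",
             "-p", new_resource.port.to_s, "-h", "localhost"]
    sensitive true
    action :nothing
  end

  # … unchanged: cookbook_file for users.ldif …
```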