diff --git a/roles/ldapserver/tasks/main.yml b/roles/ldapserver/tasks/main.yml
index bb56de39d88c74f92aab340e4d2e2887d9468988..be3d545b546e8bcbb2a16344b10ea8a5f499d528 100644
--- a/roles/ldapserver/tasks/main.yml
+++ b/roles/ldapserver/tasks/main.yml
@@ -51,6 +51,9 @@
 - name: template ssl.ldif
   template: src=ssl_ldif.j2 dest=/tmp/ssl.ldif mode=600
 
+- name: template acl_groups.ldif
+  template: src=acl_groups_ldif.j2 dest=/tmp/acl_groups.ldif mode=600
+
 - name: template load_memberof.ldif
   template: src=load_memberof_ldif.j2 dest=/tmp/load_memberof.ldif mode=600
 
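Review bot: The new `template` task at the `template acl_groups.ldif` line passes its arguments as a `key=value` string, so `mode=600` only works because Ansible receives it as a string and reads it as octal; if this task is ever converted to block-style YAML the same value must be quoted (`mode: "0600"`) or it will be parsed as decimal 600. The task matches the surrounding `key=value` style, so this is a consistency-versus-idiom trade-off rather than a defect in the hunk itself. Worth a short comment above the task, e.g. `# mode is an octal string; keep it quoted ("0600") if this is moved to block YAML`, since the same trap applies to every template task in this file.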
@@ -262,6 +265,16 @@
   shell: ldapadd -x -D {{ ldapManager }} -w {{ ldapManagerPassword }} -x -H ldap://localhost -f /tmp/groups.ldif
   when: groupsConfigured|failed
 
+- name: check aclroups config
+  shell: "ldapsearch -D {{ ldapManager }} -w {{ ldapManagerPassword }} -b {{ ldapAclGroupBase }} -x -H ldap://localhost objectClass=*"
+  ignore_errors: true
+  register: aclgroupsConfigured
+
+- name: add aclgroups OU
+  shell: ldapadd -x -D {{ ldapManager }} -w {{ ldapManagerPassword }} -x -H ldap://localhost -f /tmp/acl_groups.ldif
+  when: aclgroupsConfigured|failed
+
+
 - name: check Accounts config
   shell: "ldapsearch -D {{ ldapManager }} -w {{ ldapManagerPassword }} -b {{ ldapUserBase }} -x -H ldap://localhost objectClass=*"
   ignore_errors: true
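Review bot: Both new `shell` tasks (`check aclroups config` and `add aclgroups OU`) put `{{ ldapManagerPassword }}` on the command line via `-w`, so the directory manager password lands in the task's logged command, in `register`ed `cmd` output and in the process list on the target while the command runs; neither task sets `no_log`. The surrounding tasks have the same problem, but the new ones should at least add `no_log: true` to both tasks, and ideally read the password from a 0600 file with `-y` instead of `-w`. The `when: aclgroupsConfigured|failed` guard also fires on any ldapsearch failure (server down, bad credentials), not only on a missing base entry, so a failed check silently turns into an `ldapadd` attempt — a comment noting that the check relies on exit status 32 (No such object) would help, as would comparing `aclgroupsConfigured.rc` explicitly. Minor: the first task name has a typo (`aclroups` → `aclgroups`), and there are two blank lines before `check Accounts config` where the file otherwise uses one.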
diff --git a/roles/ldapserver/templates/acl_groups_ldif.j2 b/roles/ldapserver/templates/acl_groups_ldif.j2
new file mode 100644
index 0000000000000000000000000000000000000000..980f11d890556c8d64b0ef65c5c2b844846e9aae
--- /dev/null
+++ b/roles/ldapserver/templates/acl_groups_ldif.j2
@@ -0,0 +1,2 @@
+dn: {{ ldapAclGroupBase }}
+objectClass: organizationalUnit
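Review bot: The entry carries only `dn` and `objectClass`, but `organizationalUnit` requires an `ou` attribute, and slapd rejects an add whose RDN attribute value is absent from the entry (naming violation); the value of `ldapAclGroupBase` is not visible here, so this is hedged, but if it is of the form `ou=<name>,...` the template needs an `ou:` line matching that RDN, e.g. `ou: {{ ldapAclGroupBase.split(',')[0].split('=')[1] }}` or simply a dedicated `ldapAclGroupOu` variable. It would also help to note in a leading `# ` comment (LDIF treats `#` lines as comments) which playbook task consumes this file and that the DN must agree with the `-b` base used in the check task.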