diff --git a/activemq-unit-tests/src/test/java/org/apache/activemq/security/CachedLDAPAuthorizationModuleOUTest.java b/activemq-unit-tests/src/test/java/org/apache/activemq/security/CachedLDAPAuthorizationModuleOUTest.java
new file mode 100644
index 000000000..dabe01fa9
--- /dev/null
+++ b/activemq-unit-tests/src/test/java/org/apache/activemq/security/CachedLDAPAuthorizationModuleOUTest.java
@@ -0,0 +1,157 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.activemq.security;
+
+import org.apache.activemq.command.ActiveMQQueue;
+import org.apache.directory.ldap.client.api.LdapConnection;
+import org.apache.directory.ldap.client.api.LdapNetworkConnection;
+import org.apache.directory.server.annotations.CreateLdapServer;
+import org.apache.directory.server.annotations.CreateTransport;
+import org.apache.directory.server.core.annotations.ApplyLdifFiles;
+import org.apache.directory.server.core.integ.FrameworkRunner;
+import org.apache.directory.shared.ldap.model.message.ModifyRequest;
+import org.apache.directory.shared.ldap.model.message.ModifyRequestImpl;
+import org.apache.directory.shared.ldap.model.message.ModifyResponse;
+import org.apache.directory.shared.ldap.model.name.Dn;
+import org.apache.directory.shared.ldap.model.name.Rdn;
+import org.junit.Test;
+import org.junit.runner.RunWith;
+
+import java.io.InputStream;
+import java.util.Set;
+
+import static org.junit.Assert.assertEquals;
+
+
+@RunWith( FrameworkRunner.class )
+@CreateLdapServer(transports = {@CreateTransport(protocol = "LDAP")})
+@ApplyLdifFiles(
+    "org/apache/activemq/security/activemq-apacheds-ou.ldif"
+)
+public class CachedLDAPAuthorizationModuleOUTest extends AbstractCachedLDAPAuthorizationModuleTest {
+
+    @Override
+    protected SimpleCachedLDAPAuthorizationMap createMap() {
+        SimpleCachedLDAPAuthorizationMap map = super.createMap();
+        map.setConnectionURL("ldap://localhost:" + getLdapServer().getPort());
+        map.setAdminPermissionGroupSearchFilter("(ou=Admin)");
+        map.setReadPermissionGroupSearchFilter("(ou=Read)");
+        map.setWritePermissionGroupSearchFilter("(ou=Write)");
+
+        return map;
+    }
+
+    @Override
+    protected InputStream getAddLdif() {
+        return getClass().getClassLoader().getResourceAsStream("org/apache/activemq/security/activemq-apacheds-add-ou.ldif");
+    }
+
+    @Override
+    protected InputStream getRemoveLdif() {
+        return getClass().getClassLoader().getResourceAsStream("org/apache/activemq/security/activemq-apacheds-delete-ou.ldif");
+    }
+
+    @Override
+    protected String getMemberAttributeValueForModifyRequest() {
+        return "cn=users,ou=Group,ou=ActiveMQ,ou=system";
+    }
+
+    protected String getQueueBaseDn() {
+        return "ou=Queue,ou=Destination,ou=ActiveMQ,ou=system";
+    }
+
+    @Override
+    protected LdapConnection getLdapConnection() throws Exception {
+        LdapConnection connection = new LdapNetworkConnection("localhost", getLdapServer().getPort());
+        connection.bind(new Dn("uid=admin,ou=system"), "secret");
+        return connection;
+    }
+
+    @Override
+    @Test
+    public void testChange() throws Exception {
+        map.query();
+
+        // Change permission entry
+        Set failedACLs = map.getReadACLs(new ActiveMQQueue("TEST.FOO"));
+        assertEquals("set size: " + failedACLs, 2, failedACLs.size());
+
+        Dn dn = new Dn("ou=read,cn=TEST.FOO," + getQueueBaseDn());
+
+        ModifyRequest request = new ModifyRequestImpl();
+        request.setName(dn);
+        setupModifyRequest(request);
+
+        connection.modify(request);
+
+        Thread.sleep(2000);
+
+        failedACLs = map.getReadACLs(new ActiveMQQueue("TEST.FOO"));
+        assertEquals("set size: " + failedACLs, 1, failedACLs.size());
+
+        // Change destination entry
+        request =
new ModifyRequestImpl();
+        request.setName(new Dn("cn=TEST.FOO," + getQueueBaseDn()));
+        request.add("description", "This is a description! In fact, it is a very good description.");
+
+        connection.modify(request);
+
+        Thread.sleep(2000);
+
+        failedACLs = map.getReadACLs(new ActiveMQQueue("TEST.FOO"));
+        assertEquals("set size: " + failedACLs, 1, failedACLs.size());
+    }
+
+    @Override
+    @Test
+    public void testRenamePermission() throws Exception {
+        map.query();
+
+        Set failedACLs = map.getReadACLs(new ActiveMQQueue("TEST.FOO"));
+        assertEquals("set size: " + failedACLs, 2, failedACLs.size());
+
+        // Test for a permission rename
+        connection.delete(new Dn("ou=Read,cn=TEST.FOO," + getQueueBaseDn()));
+
+        Thread.sleep(2000);
+
+        failedACLs = map.getReadACLs(new ActiveMQQueue("TEST.FOO"));
+        assertEquals("set size: " + failedACLs, 0, failedACLs.size());
+
+        failedACLs = map.getWriteACLs(new ActiveMQQueue("TEST.FOO"));
+        assertEquals("set size: " + failedACLs, 2, failedACLs.size());
+
+        connection.rename(new Dn("ou=Write,cn=TEST.FOO," + getQueueBaseDn()),
+                new Rdn("ou=Read"));
+
+        Dn readPerm = new Dn("ou=Read,cn=TEST.FOO," + getQueueBaseDn());
+        ModifyRequest request = new ModifyRequestImpl();
+        request.setName(readPerm);
+        request.replace("cn", "read");
+        ModifyResponse modifyResponse = connection.modify(request);
+
+        Thread.sleep(2000);
+
+        failedACLs = map.getReadACLs(new ActiveMQQueue("TEST.FOO"));
+        assertEquals("set size: " + failedACLs + ", mod resp: " + modifyResponse, 2, failedACLs.size());
+
+        failedACLs = map.getWriteACLs(new ActiveMQQueue("TEST.FOO"));
+        assertEquals("set size: " + failedACLs, 0, failedACLs.size());
+    }
+
+}
+
diff --git a/activemq-unit-tests/src/test/resources/org/apache/activemq/security/activemq-apacheds-add-ou.ldif b/activemq-unit-tests/src/test/resources/org/apache/activemq/security/activemq-apacheds-add-ou.ldif
new file mode 100644
index 000000000..5944ae273
--- /dev/null
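Review bot: The results of the two `connection.modify(request)` calls in `testChange` are discarded, and `modifyResponse` in `testRenamePermission` is only appended to an assertion message, so a modification the directory rejects (a schema violation, for instance) goes unnoticed until a later size assertion fails with a misleading message; assert the outcome right after each modify, e.g. `assertEquals(ResultCodeEnum.SUCCESS, modifyResponse.getLdapResult().getResultCode());`, which needs a `ResultCodeEnum` import next to the other `...ldap.model.message` imports. The fixed `Thread.sleep(2000)` waits make the cache-refresh timing an unverified assumption and add eight seconds of idle time to the two tests; polling `map.getReadACLs(...)` until the expected size or a deadline would be both faster and less prone to spurious failures on a loaded build machine. `Set failedACLs` is a raw type in both tests; declare it with the element type that `getReadACLs` returns. `getQueueBaseDn()` is the only `protected` method in the class without `@Override`; if it overrides a base-class method, add the annotation for consistency with its siblings, otherwise a short comment saying it is a local helper would make that clear.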
+++ b/activemq-unit-tests/src/test/resources/org/apache/activemq/security/activemq-apacheds-add-ou.ldif
@@ -0,0 +1,47 @@
+## ---------------------------------------------------------------------------
+## Licensed to the Apache Software Foundation (ASF) under one or more
+## contributor license agreements. See the NOTICE file distributed with
+## this work for additional information regarding copyright ownership.
+## The ASF licenses this file to You under the Apache License, Version 2.0
+## (the "License"); you may not use this file except in compliance with
+## the License. You may obtain a copy of the License at
+##
+## http://www.apache.org/licenses/LICENSE-2.0
+##
+## Unless required by applicable law or agreed to in writing, software
+## distributed under the License is distributed on an "AS IS" BASIS,
+## WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+## See the License for the specific language governing permissions and
+## limitations under the License.
+## ---------------------------------------------------------------------------
+
+
+## FAILED
+
+dn: cn=FAILED,ou=Queue,ou=Destination,ou=ActiveMQ,ou=system
+cn: FAILED
+description: New queue
+objectClass: applicationProcess
+objectClass: top
+
+dn: ou=admin,cn=FAILED,ou=Queue,ou=Destination,ou=ActiveMQ,ou=system
+cn: admin
+description: Admin privilege group, members are roles
+member: cn=users,ou=Group,ou=ActiveMQ,ou=system
+member: cn=admins,ou=Group,ou=ActiveMQ,ou=system
+objectClass: groupOfNames
+objectClass: top
+
+dn: ou=read,cn=FAILED,ou=Queue,ou=Destination,ou=ActiveMQ,ou=system
+cn: read
+member: cn=users,ou=Group,ou=ActiveMQ,ou=system
+member: cn=admins,ou=Group,ou=ActiveMQ,ou=system
+objectClass: groupOfNames
+objectClass: top
+
+dn: ou=write,cn=FAILED,ou=Queue,ou=Destination,ou=ActiveMQ,ou=system
+cn: write
+objectClass: groupOfNames
+objectClass: top
+member: cn=users,ou=Group,ou=ActiveMQ,ou=system
+member: cn=admins,ou=Group,ou=ActiveMQ,ou=system
diff --git a/activemq-unit-tests/src/test/resources/org/apache/activemq/security/activemq-apacheds-delete-ou.ldif b/activemq-unit-tests/src/test/resources/org/apache/activemq/security/activemq-apacheds-delete-ou.ldif
new file mode 100644
index 000000000..f3c35b91f
--- /dev/null
+++ b/activemq-unit-tests/src/test/resources/org/apache/activemq/security/activemq-apacheds-delete-ou.ldif
@@ -0,0 +1,40 @@
+## ---------------------------------------------------------------------------
+## Licensed to the Apache Software Foundation (ASF) under one or more
+## contributor license agreements. See the NOTICE file distributed with
+## this work for additional information regarding copyright ownership.
+## The ASF licenses this file to You under the Apache License, Version 2.0
+## (the "License"); you may not use this file except in compliance with
+## the License. You may obtain a copy of the License at
+##
+## http://www.apache.org/licenses/LICENSE-2.0
+##
+## Unless required by applicable law or agreed to in writing, software
+## distributed under the License is distributed on an "AS IS" BASIS,
+## WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+## See the License for the specific language governing permissions and
+## limitations under the License.
+## ---------------------------------------------------------------------------
+
+dn: ou=admin,cn=TEST.FOO,ou=Queue,ou=Destination,ou=ActiveMQ,ou=system
+changetype: delete
+
+
+dn: ou=read,cn=TEST.FOO,ou=Queue,ou=Destination,ou=ActiveMQ,ou=system
+changetype: delete
+
+dn: ou=write,cn=TEST.FOO,ou=Queue,ou=Destination,ou=ActiveMQ,ou=system
+changetype: delete
+
+dn: cn=TEST.FOO,ou=Queue,ou=Destination,ou=ActiveMQ,ou=system
+changetype: delete
+
+dn: ou=read,ou=Temp,ou=Destination,ou=ActiveMQ,ou=system
+changetype: delete
+
+dn: ou=write,ou=Temp,ou=Destination,ou=ActiveMQ,ou=system
+changetype: delete
+
+dn: ou=admin,ou=Temp,ou=Destination,ou=ActiveMQ,ou=system
+changetype: delete
+
+
diff --git a/activemq-unit-tests/src/test/resources/org/apache/activemq/security/activemq-apacheds-ou.ldif b/activemq-unit-tests/src/test/resources/org/apache/activemq/security/activemq-apacheds-ou.ldif
new file mode 100644
index 000000000..09285ea77
--- /dev/null
+++ b/activemq-unit-tests/src/test/resources/org/apache/activemq/security/activemq-apacheds-ou.ldif
@@ -0,0 +1,294 @@
+## ---------------------------------------------------------------------------
+## Licensed to the Apache Software Foundation (ASF) under one or more
+## contributor license agreements. See the NOTICE file distributed with
+## this work for additional information regarding copyright ownership.
+## The ASF licenses this file to You under the Apache License, Version 2.0
+## (the "License"); you may not use this file except in compliance with
+## the License. You may obtain a copy of the License at
+##
+## http://www.apache.org/licenses/LICENSE-2.0
+##
+## Unless required by applicable law or agreed to in writing, software
+## distributed under the License is distributed on an "AS IS" BASIS,
+## WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+## See the License for the specific language governing permissions and
+## limitations under the License.
+## ---------------------------------------------------------------------------
+
+
+##########################
+## Define basic objects ##
+##########################
+
+dn: ou=ActiveMQ,ou=system
+objectClass: organizationalUnit
+objectClass: top
+ou: ActiveMQ
+
+dn: ou=Services,ou=system
+ou: Services
+objectClass: organizationalUnit
+objectClass: top
+
+dn: cn=mqbroker,ou=Services,ou=system
+cn: mqbroker
+objectClass: organizationalRole
+objectClass: top
+objectClass: simpleSecurityObject
+userPassword: {SSHA}YvMAkkd66cDecNoejo8jnw5uUUBziyl0
+description: Bind user for MQ broker
+
+
+###################
+## Define groups ##
+###################
+
+
+dn: ou=Group,ou=ActiveMQ,ou=system
+objectClass: organizationalUnit
+objectClass: top
+ou: Group
+
+dn: cn=admins,ou=Group,ou=ActiveMQ,ou=system
+cn: admins
+member: uid=admin,ou=User,ou=ActiveMQ,ou=system
+objectClass: groupOfNames
+objectClass: top
+
+dn: cn=users,ou=Group,ou=ActiveMQ,ou=system
+cn: users
+member: uid=jdoe,ou=User,ou=ActiveMQ,ou=system
+objectClass: groupOfNames
+objectClass: top
+
+
+##################
+## Define 
users ##
+##################
+
+
+dn: ou=User,ou=ActiveMQ,ou=system
+objectClass: organizationalUnit
+objectClass: top
+ou: User
+
+dn: uid=admin,ou=User,ou=ActiveMQ,ou=system
+uid: admin
+userPassword: {SSHA}YvMAkkd66cDecNoejo8jnw5uUUBziyl0
+objectClass: account
+objectClass: simpleSecurityObject
+objectClass: top
+
+
+dn: uid=jdoe,ou=User,ou=ActiveMQ,ou=system
+uid: jdoe
+userPassword: {SSHA}YvMAkkd66cDecNoejo8jnw5uUUBziyl0
+objectclass: inetOrgPerson
+objectclass: organizationalPerson
+objectclass: person
+objectclass: top
+cn: Jane Doe
+sn: Doe
+
+
+#########################
+## Define destinations ##
+#########################
+
+dn: ou=Destination,ou=ActiveMQ,ou=system
+objectClass: organizationalUnit
+objectClass: top
+ou: Destination
+
+dn: ou=Topic,ou=Destination,ou=ActiveMQ,ou=system
+objectClass: organizationalUnit
+objectClass: top
+ou: Topic
+
+dn: ou=Queue,ou=Destination,ou=ActiveMQ,ou=system
+objectClass: organizationalUnit
+objectClass: top
+ou: Queue
+
+## TEST.FOO
+
+dn: cn=TEST.FOO,ou=Queue,ou=Destination,ou=ActiveMQ,ou=system
+cn: TEST.FOO
+description: A queue
+objectClass: applicationProcess
+objectClass: top
+
+dn: ou=admin,cn=TEST.FOO,ou=Queue,ou=Destination,ou=ActiveMQ,ou=system
+cn: admin
+description: Admin privilege group, members are roles
+member: cn=users,ou=Group,ou=ActiveMQ,ou=system
+member: cn=admins,ou=Group,ou=ActiveMQ,ou=system
+objectClass: groupOfNames
+objectClass: top
+
+dn: ou=read,cn=TEST.FOO,ou=Queue,ou=Destination,ou=ActiveMQ,ou=system
+cn: read
+member: cn=users,ou=Group,ou=ActiveMQ,ou=system
+member: cn=admins,ou=Group,ou=ActiveMQ,ou=system
+objectClass: groupOfNames
+objectClass: top
+
+dn: ou=write,cn=TEST.FOO,ou=Queue,ou=Destination,ou=ActiveMQ,ou=system
+cn: write
+objectClass: groupOfNames
+objectClass: top
+member: cn=users,ou=Group,ou=ActiveMQ,ou=system
+member: cn=admins,ou=Group,ou=ActiveMQ,ou=system
+
+## TEST.FOOBAR
+
+dn: cn=TEST.FOOBAR,ou=Queue,ou=Destination,ou=ActiveMQ,ou=system
+cn: TEST.BAR
+description: A queue
+objectClass: applicationProcess
+objectClass: top
+
+dn: ou=admin,cn=TEST.FOOBAR,ou=Queue,ou=Destination,ou=ActiveMQ,ou=system
+cn: admin
+description: Admin privilege group, members are roles
+member: cn=admins,ou=Group,ou=ActiveMQ,ou=system
+member: cn=users,ou=Group,ou=ActiveMQ,ou=system
+objectClass: groupOfNames
+objectClass: top
+
+dn: ou=read,cn=TEST.FOOBAR,ou=Queue,ou=Destination,ou=ActiveMQ,ou=system
+cn: read
+member: cn=users,ou=Group,ou=ActiveMQ,ou=system
+member: cn=admins,ou=Group,ou=ActiveMQ,ou=system
+member: uid=jdoe,ou=User,ou=ActiveMQ,ou=system
+objectClass: groupOfNames
+objectClass: top
+
+dn: ou=write,cn=TEST.FOOBAR,ou=Queue,ou=Destination,ou=ActiveMQ,ou=system
+cn: write
+objectClass: groupOfNames
+objectClass: top
+member: cn=users,ou=Group,ou=ActiveMQ,ou=system
+member: cn=admins,ou=Group,ou=ActiveMQ,ou=system
+member: uid=jdoe,ou=User,ou=ActiveMQ,ou=system
+
+## FOO.>
+
+dn: cn=FOO.$,ou=Queue,ou=Destination,ou=ActiveMQ,ou=system
+cn: FOO.$
+description: A queue
+objectClass: applicationProcess
+objectClass: top
+
+dn: ou=admin,cn=FOO.$,ou=Queue,ou=Destination,ou=ActiveMQ,ou=system
+cn: admin
+description: Admin privilege group, members are roles
+member: cn=admins,ou=Group,ou=ActiveMQ,ou=system
+member: cn=users,ou=Group,ou=ActiveMQ,ou=system
+objectClass: groupOfNames
+objectClass: top
+
+dn: ou=read,cn=FOO.$,ou=Queue,ou=Destination,ou=ActiveMQ,ou=system
+cn: read
+member: cn=users,ou=Group,ou=ActiveMQ,ou=system
+member: cn=admins,ou=Group,ou=ActiveMQ,ou=system
+objectClass: groupOfNames
+objectClass: top
+
+dn: ou=write,cn=FOO.$,ou=Queue,ou=Destination,ou=ActiveMQ,ou=system
+cn: write
+objectClass: groupOfNames
+objectClass: top
+member: cn=users,ou=Group,ou=ActiveMQ,ou=system
+member: cn=admins,ou=Group,ou=ActiveMQ,ou=system
+
+## BAR.*
+
+dn: cn=BAR.*,ou=Queue,ou=Destination,ou=ActiveMQ,ou=system
+cn: BAR.*
+description: A queue
+objectClass: applicationProcess
+objectClass: top
+
+dn: 
ou=admin,cn=BAR.*,ou=Queue,ou=Destination,ou=ActiveMQ,ou=system
+cn: admin
+description: Admin privilege group, members are roles
+member: cn=admins,ou=Group,ou=ActiveMQ,ou=system
+member: cn=users,ou=Group,ou=ActiveMQ,ou=system
+objectClass: groupOfNames
+objectClass: top
+
+dn: ou=read,cn=BAR.*,ou=Queue,ou=Destination,ou=ActiveMQ,ou=system
+cn: read
+member: cn=users,ou=Group,ou=ActiveMQ,ou=system
+member: cn=admins,ou=Group,ou=ActiveMQ,ou=system
+objectClass: groupOfNames
+objectClass: top
+
+dn: ou=write,cn=BAR.*,ou=Queue,ou=Destination,ou=ActiveMQ,ou=system
+cn: write
+objectClass: groupOfNames
+objectClass: top
+member: cn=users,ou=Group,ou=ActiveMQ,ou=system
+member: cn=admins,ou=Group,ou=ActiveMQ,ou=system
+
+#######################
+## Define advisories ##
+#######################
+
+dn: cn=ActiveMQ.Advisory.$,ou=Topic,ou=Destination,ou=ActiveMQ,ou=system
+cn: ActiveMQ.Advisory.$
+objectClass: applicationProcess
+objectClass: top
+description: Advisory topics
+
+dn: ou=read,cn=ActiveMQ.Advisory.$,ou=Topic,ou=Destination,ou=ActiveMQ,ou=system
+cn: read
+member: cn=admins,ou=Group,ou=ActiveMQ,ou=system
+member: cn=users,ou=Group,ou=ActiveMQ,ou=system
+objectClass: groupOfNames
+objectClass: top
+
+dn: ou=write,cn=ActiveMQ.Advisory.$,ou=Topic,ou=Destination,ou=ActiveMQ,ou=system
+cn: write
+member: cn=admins,ou=Group,ou=ActiveMQ,ou=system
+member: cn=users,ou=Group,ou=ActiveMQ,ou=system
+objectClass: groupOfNames
+objectClass: top
+
+dn: ou=admin,cn=ActiveMQ.Advisory.$,ou=Topic,ou=Destination,ou=ActiveMQ,ou=system
+cn: admin
+member: cn=admins,ou=Group,ou=ActiveMQ,ou=system
+member: cn=users,ou=Group,ou=ActiveMQ,ou=system
+objectClass: groupOfNames
+objectClass: top
+
+######################
+## Define temporary ##
+######################
+
+dn: ou=Temp,ou=Destination,ou=ActiveMQ,ou=system
+objectClass: organizationalUnit
+objectClass: top
+ou: Temp
+
+dn: ou=read,ou=Temp,ou=Destination,ou=ActiveMQ,ou=system
+cn: read
+member: 
cn=admins,ou=Group,ou=ActiveMQ,ou=system
+member: cn=users,ou=Group,ou=ActiveMQ,ou=system
+objectClass: groupOfNames
+objectClass: top
+
+dn: ou=write,ou=Temp,ou=Destination,ou=ActiveMQ,ou=system
+cn: write
+member: cn=admins,ou=Group,ou=ActiveMQ,ou=system
+member: cn=users,ou=Group,ou=ActiveMQ,ou=system
+objectClass: groupOfNames
+objectClass: top
+
+dn: ou=admin,ou=Temp,ou=Destination,ou=ActiveMQ,ou=system
+cn: admin
+member: cn=admins,ou=Group,ou=ActiveMQ,ou=system
+member: cn=users,ou=Group,ou=ActiveMQ,ou=system
+objectClass: groupOfNames
+objectClass: top
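Review bot: The `TEST.FOOBAR` destination entry in the `## TEST.FOOBAR` section is internally inconsistent: its DN is `cn=TEST.FOOBAR,ou=Queue,ou=Destination,ou=ActiveMQ,ou=system` but the attribute line under it reads `cn: TEST.BAR`, so the RDN value and the entry's `cn` disagree. Whether the server adds the RDN value as a second `cn` value or rejects the add, and whether the authorization map keys destinations by the RDN or by the `cn` attribute, cannot be told from this fixture, which leaves the coverage for that queue ambiguous; `cn: TEST.FOOBAR` removes the ambiguity. The `## FOO.>` heading above the `cn=FOO.$` entries presumably reflects a `$`-for-`>` spelling convention for wildcard destinations in DNs; if so, a one-line comment stating that convention next to the heading would save the next reader a lookup.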