The installation guide provides the ACI settings required on OpenDJ.
However, OpenDJ 5.x now has an option called --productionMode (a hardened configuration). The issue
is that if this is enabled, a lot of things will break in OpenAM, because ACIs that OpenAM relies on are not granted to the non-root binding user.
It is also possible that access to the password-policy control for user login is missing, as it is also not there by default.
1. Install OpenDJ in productionMode
2. Install OpenAM to use the external configuration.
3. Use this setup to access OpenAM and create a session, and watch the Session logs to see whether CTS has issues; change some passwords to see whether the changes succeed.
CTS may have permission issues, e.g.:
Password changes may have issues too, due to lack of schema access.
Define the necessary ACIs manually
OpenAM assumes the default ACI settings and then adds the extra required ACIs. So if we start from the hardened state, the missing ACIs or conditions are not taken care of or listed in the docs.
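A sketch of what defining the ACIs manually could look like for the three symptoms above (CTS permissions, the password-policy control, schema access). This is an added example, not taken from this report or from the product documentation. The bind DN, the CTS base DN and the ACI names are placeholders, and it is an assumption that these three grants are the ones missing in a given deployment. Each grant is scoped to the OpenAM bind user rather than to all users, so the hardened posture is kept for everyone else.

```ldif
# Apply with ldapmodify as an administrator allowed to change cn=config.
# Placeholder bind DN:  uid=openam,ou=admins,dc=example,dc=com
# Placeholder CTS base: ou=tokens,dc=cts,dc=example,dc=com

# 1. Let the OpenAM bind user request the password policy control
#    (OID 1.3.6.1.4.1.42.2.27.8.5.1) during login and password change.
dn: cn=Access Control Handler,cn=config
changetype: modify
add: ds-cfg-global-aci
ds-cfg-global-aci: (targetcontrol="1.3.6.1.4.1.42.2.27.8.5.1")
 (version 3.0; acl "OpenAM bind user: password policy control";
  allow (read)
  userdn="ldap:///uid=openam,ou=admins,dc=example,dc=com";)

# 2. Let the same user read the schema, and nothing else under cn=schema.
dn: cn=Access Control Handler,cn=config
changetype: modify
add: ds-cfg-global-aci
ds-cfg-global-aci: (target="ldap:///cn=schema")(targetscope="base")
 (targetattr="objectClass || attributeTypes || objectClasses")
 (version 3.0; acl "OpenAM bind user: read schema";
  allow (read, search, compare)
  userdn="ldap:///uid=openam,ou=admins,dc=example,dc=com";)

# 3. Let the same user manage CTS tokens, limited to the CTS subtree.
dn: ou=tokens,dc=cts,dc=example,dc=com
changetype: modify
add: aci
aci: (targetattr="*")
 (version 3.0; acl "OpenAM bind user: CTS token CRUD";
  allow (search, read, write, add, delete)
  userdn="ldap:///uid=openam,ou=admins,dc=example,dc=com";)
```

After applying the changes, repeat step 3 of the reproduction and check the OpenDJ access log for any operations by the bind user that are still rejected for insufficient access rights.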