The extop keyword can be used to indicate whether a given extended request operation can be used. Multiple OIDs can be provided by separating them with the two pipe characters (optionally surrounded by spaces). Wildcards are not allowed when specifying extended request OIDs.

The following ACI allows the uid=user-mgr to use the Password Modify Request (i.e., OID= and the StartTLS (i.e., OID= extended request OIDs.

aci:(extop=" ||")
  (version 3.0; acl "Allows the mgr to use the Password Modify Request and StartTLS;
   allow(read) userdn="ldap:///uid=user-mgr,ou=people,dc=example,dc=com";)