diff --git a/manifests/config.pp b/manifests/config.pp index 356eeb4..f67abd6 100644 --- a/manifests/config.pp +++ b/manifests/config.pp @@ -20,4 +20,18 @@ group => 'root', mode => '0644', } + + if $qpid::acl_content { + $acl_file_ensure = file + } else { + $acl_file_ensure = absent + } + + file { $qpid::acl_file: + ensure => $acl_file_ensure, + owner => 'root', + group => 'qpidd', + mode => '0640', + content => $qpid::acl_content, + } } diff --git a/manifests/init.pp b/manifests/init.pp index 9008664..e190706 100644 --- a/manifests/init.pp +++ b/manifests/init.pp @@ -6,6 +6,10 @@ # # $log_level:: Logging level # +# $acl_file:: File name for Qpid ACL +# +# $acl_content:: Content for Access Control List file + # === SSL parameters # # $auth:: Use SASL authentication @@ -61,6 +65,8 @@ String $version = $qpid::params::version, Boolean $auth = $qpid::params::auth, String $config_file = $qpid::params::config_file, + Optional[String] $acl_content = $qpid::params::acl_content, + String $acl_file = $qpid::params::acl_file, String $log_level = $qpid::params::log_level, Boolean $log_to_syslog = $qpid::params::log_to_syslog, Optional[String] $interface = $qpid::params::interface, diff --git a/manifests/params.pp b/manifests/params.pp index 7a8c351..e669b73 100644 --- a/manifests/params.pp +++ b/manifests/params.pp @@ -5,6 +5,9 @@ $version = 'installed' $auth = false + $acl_content = undef + $acl_file = '/etc/qpid/qpid.acl' + $config_file = '/etc/qpid/qpidd.conf' $log_level = 'error+' diff --git a/manifests/router/connector.pp b/manifests/router/connector.pp index dbfa976..cf4f779 100644 --- a/manifests/router/connector.pp +++ b/manifests/router/connector.pp @@ -6,6 +6,10 @@ # Port to listen on # @param sasl_mech # SASL mechanism to use +# @param sasl_username +# SASL username +# @param sasl_password +# SASL password # @param role # Listener role # @param ssl_profile 
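Review bot: The `if $qpid::acl_content` test disagrees with the template guard for an empty string. In Puppet 4 and later `''` is truthy, so `acl_content => ''` creates an empty `$qpid::acl_file` here, while `templates/qpidd.conf.erb` treats `''` as unset and omits `acl-file=`. Tightening the parameter in `manifests/init.pp` to `Optional[String[1]] $acl_content` would make both sides agree, and the bare words are clearer quoted (`'file'`, `'absent'`). Nothing in this hunk refreshes the broker when the ACL content changes; if the class-level ordering outside the hunk does not already do so, an updated ACL stays unenforced until the next restart. The enclosing class starts outside the hunk.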
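Review bot: In the first `manifests/init.pp` hunk, the last added line after `# $acl_content::` appears to be an empty line rather than `#`, which splits the header comment just before `# === SSL parameters`. Documentation tools that read only the contiguous comment block above the class would likely lose everything above the gap, so that line should be `#`. The `$acl_content` entry could also say that the value is written verbatim to `$acl_file` and that leaving it unset removes that file.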
@@ -16,6 +20,8 @@ String $host = '127.0.0.1', Integer[0, 65535] $port = 5672, Optional[String] $sasl_mech = 'ANONYMOUS', + Optional[String] $sasl_username = undef, + Optional[String] $sasl_password = undef, Optional[Enum['normal', 'inter-router', 'route-container']] $role = undef, Optional[String] $ssl_profile = undef, Optional[Integer[0]] $idle_timeout = undef, diff --git a/spec/classes/qpid_spec.rb b/spec/classes/qpid_spec.rb index c82a749..5019d2b 100644 --- a/spec/classes/qpid_spec.rb +++ b/spec/classes/qpid_spec.rb @@ -67,6 +67,30 @@ end end + context 'with ACL file' do + let :params do + super().merge( + acl_file: "/etc/qpid/qpid.acl", + acl_content: "allow all all" + ) + end + + it 'should create configuration file' do + verify_exact_contents(catalogue, '/etc/qpid/qpidd.conf', [ + 'acl-file=/etc/qpid/qpid.acl', + 'log-enable=error+', + 'log-to-syslog=yes', + 'auth=no', + ]) + end + + it 'should create ACL file' do + verify_exact_contents(catalogue, '/etc/qpid/qpid.acl', [ + 'allow all all', + ]) + end + end + context 'with ssl options' do let :params do super().merge( diff --git a/spec/defines/router_connector_spec.rb b/spec/defines/router_connector_spec.rb index 1881738..4daea52 100644 --- a/spec/defines/router_connector_spec.rb +++ b/spec/defines/router_connector_spec.rb @@ -9,6 +9,8 @@ port: 5672, role: "inter-router", ssl_profile: "router-ssl", + sasl_username: "qpid_user", + sasl_password: "qpid_password", idle_timeout: 0, config_file: '/etc/qpid-dispatch/qdrouterd.conf', } @@ -22,6 +24,8 @@ ' host: 127.0.0.1', ' port: 5672', ' sasl-mechanisms: ANONYMOUS', + ' sasl-username: qpid_user', + ' sasl-password: qpid_password', ' role: inter-router', ' ssl-profile: router-ssl', ' idle-timeout-seconds: 0', diff --git a/templates/qpidd.conf.erb b/templates/qpidd.conf.erb index 63e738d..61547f0 100644 --- a/templates/qpidd.conf.erb +++ b/templates/qpidd.conf.erb 
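Review bot: `$sasl_password` is typed as a plain `Optional[String]`, so the secret passes through the catalog, reports and file diffs in clear text. Declaring it as `Optional[Variant[String, Sensitive[String]]] $sasl_password = undef,` lets callers pass a `Sensitive` value; `templates/router/connector.conf.erb` would then have to unwrap it before rendering. The `@param sasl_password` text added in the previous hunk should state that the value is stored in the router configuration file unencrypted. The default `$sasl_mech = 'ANONYMOUS'` is unchanged, and credentials supplied with that mechanism are presumably never used, which deserves a line in the docs or a validation.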
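Review bot: In `spec/classes/qpid_spec.rb` the new context only covers the case where `acl_content` is set. The `absent` branch added in `manifests/config.pp` and the `root`/`qpidd`/`0640` attributes are never asserted, so a regression that leaves the ACL file world-readable or fails to remove it would still pass. The expectations below would pin both. Separately, the fixture rule `allow all all` lacks the leading `acl` keyword that, as far as I know, the Qpid ACL file format expects (`acl allow all all`); fixtures tend to get copied, so a valid rule is safer here.

```ruby
context 'with ACL file' do
  # … unchanged: params and the two content expectations …

  it 'should restrict ACL file permissions' do
    is_expected.to contain_file('/etc/qpid/qpid.acl').with(
      ensure: 'file', owner: 'root', group: 'qpidd', mode: '0640'
    )
  end
end

context 'without ACL content' do
  it 'should remove ACL file' do
    is_expected.to contain_file('/etc/qpid/qpid.acl').with_ensure('absent')
  end
end
```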
@@ -27,6 +27,9 @@ # (Note: no spaces on either side of '='). Using default settings: # "qpidd --help" or "man qpidd" for more details. #cluster-mechanism=ANONYMOUS +<% unless [nil, :undefined, :undef, ''].include?(scope['qpid::acl_content']) -%> +acl-file=<%= scope['qpid::acl_file'] %> +<% end %> log-enable=<%= scope['qpid::log_level'] %> log-to-syslog=<%= scope['qpid::log_to_syslog'] ? 'yes' : 'no' %> auth=<%= scope['qpid::auth'] ? 'yes' : 'no' %> diff --git a/templates/router/connector.conf.erb b/templates/router/connector.conf.erb index cf96c0d..aec1cab 100644 --- a/templates/router/connector.conf.erb +++ b/templates/router/connector.conf.erb @@ -3,6 +3,12 @@ connector { host: <%= @host %> port: <%= @port %> sasl-mechanisms: <%= @sasl_mech %> +<% unless [nil, :undefined, :undef, ''].include?(@sasl_username) -%> + sasl-username: <%= @sasl_username %> +<% end -%> +<% unless [nil, :undefined, :undef, ''].include?(@sasl_password) -%> + sasl-password: <%= @sasl_password %> +<% end -%> <% unless [nil, :undefined, :undef, ''].include?(@role) -%> role: <%= @role %> <% end -%>
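Review bot: In `templates/qpidd.conf.erb` the closing tag `<% end %>` lacks the trailing `-`, so the newline after it is always emitted and the rendered qpidd.conf gains a blank line; the connector template uses `<% end -%>` and this should match. The guard tests `qpid::acl_content` while the line prints `qpid::acl_file`, which is consistent with `manifests/config.pp` removing the file when content is unset, but a short ERB comment saying so would help the next reader. With `auth=no`, the default in `manifests/params.pp`, clients are not authenticated, so ACL rules that name specific users presumably cannot tell clients apart. The parameter documentation should say that `acl_content` is meant to be combined with `auth => true`.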
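Review bot: In `templates/router/connector.conf.erb`, `sasl-password` is rendered verbatim into the connector block, so the secret ends up in the target configuration file and in any file diff Puppet prints. The resource that manages that file is outside this diff; confirm that it is not world-readable (the `mode => '0644'` context lines in `manifests/config.pp` suggest the qpidd.conf resource is) and that it sets `show_diff => false`. The value is also written unquoted, so a password containing whitespace or `#` may not survive parsing; I have not checked the router's quoting rules. The spec in `spec/defines/router_connector_spec.rb` pins `sasl-mechanisms: ANONYMOUS` together with the credentials, a combination that probably never sends them, so a case with a password-based mechanism would be a more useful fixture.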