OpenLDAP 2.0 contains two methods for specifying access control. The
first is static, i.e. you define the rights in configuration files.
This approach is very much like the one in older versions of OpenLDAP
and the slapd from the University of Michigan, so you may be at home
with it soon. Two other advantages of this method are that it should
be more efficient in most cases and that the rules, being static,
cannot be changed by external means over LDAP, so it should be more
secure. The main point against this method from a security point of
view is that access control does not travel with the data, so you have
to make sure that all your replicas implement a consistent security
policy: if you change the access controls on the master, you have to
go modify all the slaves. From an operational point of view, the
drawback of this method is that it needs a server restart at every ACL
change.
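As an added example (not taken from the original page or from the OpenLDAP project), here is a static access control fragment in the slapd.conf syntax OpenLDAP 2.0 accepts. The suffix dc=example,dc=com and the attribute choices are assumptions made for illustration:

```conf
# Static ACLs for slapd.conf (added example; suffix dc=example,dc=com is assumed).
# slapd walks the "access to" clauses in order and uses the first <what> that
# matches the entry and attribute being touched; within that clause the first
# matching "by" wins, and every clause ends with an implicit "by * none".
# The most specific rule must therefore come first.  The rootdn bypasses
# these rules entirely, so it needs no "by" line of its own.

# Passwords: the owner may change his own, anonymous clients may use the value
# to bind (auth) but never read it, and nobody else gets anything.
access to attr=userPassword
        by self write
        by anonymous auth
        by * none

# Everything else: owners may edit their own entry, authenticated users may
# read, anonymous clients may only search (they learn that entries exist but
# see no attribute values).  Use "by * none" instead if even that is too much.
access to *
        by self write
        by users read
        by * search
```

Because these rules live in the configuration file and not in the directory, every replica must carry an identical copy, otherwise a slave enforces a weaker policy than the master. A simple way to keep them consistent is to place the `access` lines in a separate file and pull it into each server's slapd.conf with the `include` directive, so that one file is distributed to master and slaves. Later OpenLDAP releases spell the attribute selector `attrs=`; `attr=` is the 2.0 form.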
The second method for access control inserts access control
information inside the directory itself. The advantage is that now
the access control rules get propagated by the replication process.
Unfortunately, the standard for doing this in a way that is
interoperable between servers of different vendors (this did not
matter in the static config case) has not been finished and exists
only as an Internet Draft (i.e. no RFC has been published and the
specification might not even get enough consensus for an RFC to be
published ever). OpenLDAP 2.0 implements only part of the proposed
draft and will try to track changes to it. That means that, as the
draft changes and the implementation follows it, the access control
information you so carefully defined in your directory may suddenly
mean something completely different from what you intended. For this
reason, this method is not available by default and requires
configuring with --enable-aci. In other words, we recommend not using
this method at present. Notice also that the ACI model currently being
considered may be difficult to implement as efficiently as the static
method. Notice, too, that unauthorized access to the ACI information
may permit attackers to gain additional permissions on the directory
itself (whoever can write the ACI attribute can grant rights), so you
will probably have to take extra care with the access rights you grant
to it. See also ACI.