On the topic of access control... The draft states:
'Servers MUST ensure that the value returned in the numSubordinates
attribute to clients is consistent with the view that client has of other
server contents.'
It has been established that this means that Access Controls should be taken
into consideration when returning the numSubordinates value.
I think the draft should be a little more specific though. Depending on what
the intended use-case of numSubordinates is, a statement should exist
regarding which permissions should be assessed when returning a
numSubordinates value.
E.g.
* Is the decision based on modify or read permissions?
* What happens if the entry's DN can be returned in a search, but the user
is not allowed to browse its contents?
* Which Access Control specification are we referring to? (BAC as defined in
X501, or the old draft-ietf-ldapext-acl-model-xx.txt)
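
Added example, not part of the original message or the draft: a toy Python model showing that the numSubordinates value a client receives changes with the permission the server assesses, and with whether browse rights on the parent entry are required. The directory data, the permission names and the functions are assumptions constructed for illustration.

```python
# Constructed sample data: DN -> permissions the example client holds on that entry.
# The permission names are a simplified assumption, not the draft's or X.501's terms.
CLIENT_PERMS = {
    "ou=people,dc=example,dc=com": {"returnDN", "browse", "read"},
    "uid=alice,ou=people,dc=example,dc=com": {"returnDN", "read", "modify"},
    "uid=bob,ou=people,dc=example,dc=com": {"returnDN", "read"},
    "uid=carol,ou=people,dc=example,dc=com": {"returnDN"},
    "uid=dave,ou=people,dc=example,dc=com": set(),
    "ou=secret,dc=example,dc=com": {"returnDN"},  # DN visible, not browsable
    "uid=eve,ou=secret,dc=example,dc=com": {"returnDN", "read"},
}


def parent_dn(dn):
    """Naive parent lookup; fine here because the sample DNs have no escaped commas."""
    return dn.split(",", 1)[1] if "," in dn else ""


def num_subordinates(dn, required=None, need_browse_on_parent=False):
    """Count immediate subordinates of dn as one client would be told.

    required=None ignores access control (the raw count); otherwise a child
    counts only if the client holds every permission in `required`.
    With need_browse_on_parent, the attribute is withheld (None) when the
    client may not browse dn itself.
    """
    if need_browse_on_parent and "browse" not in CLIENT_PERMS[dn]:
        return None
    kids = [d for d in CLIENT_PERMS if parent_dn(d) == dn]
    if required is None:
        return len(kids)
    return sum(1 for k in kids if required <= CLIENT_PERMS[k])


def policy_report(dn):
    """Same entry, same client, one value per candidate rule."""
    return {
        "raw": num_subordinates(dn),
        "returnDN": num_subordinates(dn, {"returnDN"}),
        "read": num_subordinates(dn, {"read"}),
        "modify": num_subordinates(dn, {"modify"}),
        "read+browse-parent": num_subordinates(dn, {"read"}, True),
    }


if __name__ == "__main__":
    for dn in ("ou=people,dc=example,dc=com", "ou=secret,dc=example,dc=com"):
        print(dn, policy_report(dn))
```

In this model the raw count for ou=people is higher than any access-controlled count, so returning it would disclose the existence of entries the client cannot otherwise see.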