One idea I had was to use dn/{base,one,subtree,children,regex} where
regex was the default (for compatibility).
OK, this is what I'm planning on. There will still be "dn", which
implies "dn/regex" as you wrote. In each ACL, should we allow for
only one instance of the five possible types, or for one instance of
_each_ of the five types? What is an example where you'd want the
latter?
Would be nice if this could apply to groups as well.... hmm...