While we're thinking about ACLs, it would make sense to structure them
hierarchically instead of in a flat list. The current structure is a bit
silly if you have 40 different non-intersecting dn.subtree rules, because
they all still have to be checked even though maybe only one of them
applies. If ACLs were structured in a way that paralleled the actual
hierarchy of the DIT, a lot of extraneous checks could be eliminated.
Of course, if you're going to duplicate the DIT's hierarchical layout
anyway, you might as well just merge the ACLs into the DIT itself. Oh
wait, that's an ACI. Hm, what does *that* mean, I wonder....

Following any of these suggested changes to their logical *conclusion*
means making a lot of far-reaching, fundamental changes to the structure
of the server. For the moment, I'm content with only going one or two
steps down each path, and not pursuing them to their ultimate conclusion.
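As an added illustration of the point about non-intersecting dn.subtree rules (this is example code written for this page, not code from the thread or from OpenLDAP's slapd), the following Python evaluates the same constructed rule set two ways: as a flat list walked top to bottom, and as a tree keyed on the DIT hierarchy where only rules whose base is an ancestor of the target entry are ever looked at. The `Rule` class, the 40 `ou=deptNN` subtrees, the fallback rule and the DN-normalisation helper are all assumptions made for the example; it models only dn.subtree base matching, not `by` clauses, attribute selectors or regex styles.

```python
"""Flat vs. DIT-shaped evaluation of dn.subtree access rules (constructed example)."""
from dataclasses import dataclass, field


def dn_path(dn: str) -> tuple:
    """Normalise a DN into a root-first tuple of RDNs.

    'uid=alice,ou=people,dc=example,dc=com' ->
    ('dc=com', 'dc=example', 'ou=people', 'uid=alice')
    Simplification for the example: no escaped commas, no multi-valued RDNs.
    """
    rdns = [rdn.strip().lower() for rdn in dn.split(",") if rdn.strip()]
    return tuple(reversed(rdns))


@dataclass(frozen=True)
class Rule:
    order: int     # position in the flat ACL list; lowest matching order wins
    subtree: str   # base DN of the dn.subtree this rule covers
    access: str    # granted access level, e.g. "read", "write", "none"


def covers(rule: Rule, target: str) -> bool:
    """True if target is the rule's base DN or lies anywhere beneath it."""
    base = dn_path(rule.subtree)
    return dn_path(target)[:len(base)] == base


def check_flat(rules: list, target: str) -> tuple:
    """The flat list: every rule is tested in order until one matches.

    Returns (access, number_of_rules_evaluated).
    """
    evaluated = 0
    for rule in rules:
        evaluated += 1
        if covers(rule, target):
            return rule.access, evaluated
    return "none", evaluated


@dataclass
class Node:
    rules: list = field(default_factory=list)
    children: dict = field(default_factory=dict)


def build_tree(rules: list) -> Node:
    """Index each rule at the tree node corresponding to its subtree base."""
    root = Node()
    for rule in rules:
        node = root
        for rdn in dn_path(rule.subtree):
            node = node.children.setdefault(rdn, Node())
        node.rules.append(rule)
    return root


def check_tree(root: Node, target: str) -> tuple:
    """Descend along the target DN; only rules at ancestor nodes are evaluated.

    First-match-in-list semantics are preserved by picking the lowest order
    among the candidates. Returns (access, number_of_rules_evaluated).
    """
    nodes = [root]
    node = root
    for rdn in dn_path(target):
        node = node.children.get(rdn)
        if node is None:
            break           # nothing below here can cover the target
        nodes.append(node)
    evaluated = 0
    best = None
    for node in nodes:
        for rule in node.rules:
            evaluated += 1
            if best is None or rule.order < best.order:
                best = rule
    return (best.access if best else "none"), evaluated


# Constructed rule set: 40 non-intersecting department subtrees, then a
# catch-all for the rest of the suffix. Only dept37 grants write.
RULES = [Rule(i, f"ou=dept{i:02d},dc=example,dc=com",
              "write" if i == 37 else "read") for i in range(40)]
RULES.append(Rule(40, "dc=example,dc=com", "none"))
TREE = build_tree(RULES)

if __name__ == "__main__":
    for target in ("uid=bob,ou=dept37,dc=example,dc=com",
                   "uid=eve,ou=guests,dc=example,dc=com"):
        print(target, "flat:", check_flat(RULES, target),
              "tree:", check_tree(TREE, target))
```

For an entry in `ou=dept37` the flat walk tests 38 rules before it finds the match, while the tree walk touches only the two rules on the path (the catch-all at `dc=example` and the department rule), and still returns the same decision because the original list order is kept as a tiebreaker. Merging the rules into the entries themselves, as the message muses, would be the limiting case of this structure: the index and the DIT become the same tree.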