Now I'm looking to write an extended operation based on the
standard, ACI or AACLs access model to allow operations testing.
There was a 'get effective rights' extended operation
defined in the old IETF access control work:
http://www.watersprings.org/pub/id/draft-ietf-ldapext-acl-model-01.txt
I _think_ that what you are proposing is either similar or identical
to the get effective rights operation.
At least a few LDAP servers implement something like this, e.g. :
http://enterprise.netscape.com/docs/directory/621/relnotes/ger.html