Quanah Gibson-Mount writes:
> With OpenLDAP 2.3, it will be possible to replace all your *.conf
> files with the new back-config DB. This will allow ACLs to be
> modified on the fly, and remove the need for ACIs at all. ACLs are
> somewhat more powerful than ACIs, so I myself see little reason for
> them to even remain once OL 2.3 is released.

Our site needed ACIs when employees could choose to make their
entries or selected attributes in them visible to only some people.
Well, it would be possible to introduce a 'hide' attribute instead
and insert a bunch of statements like this in slapd.conf:

    access to filter=(hide=mail:foo) attrs=mail
        by <foo> none
        by * none break

but this is not exactly elegant, it scales poorly and it's also
easy to make a typo in the ACLs.
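
Added example, not part of the original post: a small generator for the statement shape shown above, which makes the scaling visible (one statement per hideable attribute per viewer) and rejects values that would alter the filter or the slapd.conf line. The sample attributes, the tokens, the DNs and the use of `dn.exact` in place of the post's `<foo>` placeholder are assumptions.

```python
import re

# Constructed sample data (hypothetical directory layout, not from the post).
HIDEABLE_ATTRS = ["mail", "telephoneNumber", "roomNumber"]
VIEWERS = {  # token stored in the 'hide' value -> DN the rule denies
    "foo": "uid=foo,ou=people,dc=example,dc=com",
    "bar": "uid=bar,ou=people,dc=example,dc=com",
    "baz": "uid=baz,ou=people,dc=example,dc=com",
}

# Allowlists: nothing that is special in a search filter or in slapd.conf
# tokenizing (parentheses, '*', backslash, quotes, whitespace) gets through.
NAME_RE = re.compile(r"[A-Za-z][A-Za-z0-9-]*")
DN_RE = re.compile(r"[A-Za-z0-9-]+=[A-Za-z0-9.-]+(,[A-Za-z0-9-]+=[A-Za-z0-9.-]+)*")


def acl_rule(attr, token, viewer_dn):
    """Return one access statement in the shape used in the post."""
    for label, value, pattern in (("attribute", attr, NAME_RE),
                                  ("token", token, NAME_RE),
                                  ("DN", viewer_dn, DN_RE)):
        if not pattern.fullmatch(value):
            raise ValueError("unsafe %s: %r" % (label, value))
    # Continuation lines are indented, as slapd.conf requires.
    return ("access to filter=(hide=%s:%s) attrs=%s\n"
            '    by dn.exact="%s" none\n'
            "    by * none break\n" % (attr, token, attr, viewer_dn))


def generate(attrs, viewers):
    """One statement per (attribute, viewer) pair, in a stable order."""
    return [acl_rule(a, t, viewers[t]) for a in attrs for t in sorted(viewers)]


if __name__ == "__main__":
    rules = generate(HIDEABLE_ATTRS, VIEWERS)
    print("\n".join(rules))
    print("# %d statements for %d attributes x %d viewers"
          % (len(rules), len(HIDEABLE_ATTRS), len(VIEWERS)))
```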