Brian Empson wrote:
Is it possible to load ACI support as a module? It would really help when installing from a precompiled package, all of which seem to turn off this very powerful feature. (I really like it anyway)
The source code is there, build it however you like. One of the reasons open source software exists is to free you from whatever limitations are imposed by a binary provider. If you tie yourself to precompiled packages that don't do exactly what you want, you're somewhat missing the point.
ACIs are a security liability from a centralized administration perspective. They are intrinsically difficult to audit and difficult to track. Use of ACIs can make it impossible to prove that a given deployment correctly implements a formally defined security policy. IME, people who are fond of ACIs either don't understand the security risks, or don't care.
-- -- Howard Chu CTO, Symas Corp. http://www.symas.com Director, Highland Sun http://highlandsun.com/hyc/ Chief Architect, OpenLDAP http://www.openldap.org/project/