I used this FAQ entry to use set-based ACLs for my current task:
"We could make this more powerful (and more complex and costly to compute) by allowing base sets to be built from LDAP filters. This is something to consider, because the combination of filters and sets (which have little overlap in what they can express) is very powerful. This is partially provided by the URI expansion capability."
Was this ever implemented? It would be helpful. IMO using 'this' and/or 'user' in [ldap://] sets would make evaluating the set-based <who> clause faster if attributes used in LDAP URLs are properly indexed.
Background: My aim is to configure Linux clients all the same (search base, filter etc.) but let each *machine* individually authenticate against OpenLDAP server. Then only the users who are members of groups with login rights on this particular server should be visible to the Linux client. So the goal is to filter user/groups at the OpenLDAP server and *not* in the Linux client (e.g. by sssd configuration or similar). For now it seems only possible to do this with set-based ACLs given all the requirements I have.