Quoting Pierangelo Masarati ando@sys-net.it:
> Finally, right now access control on OpenLDAP's slapd can be modified without the need to stop and restart it, by means of cn=config;
Sounds cool. I'll have a look at it. But I gather that is just ACLs in the database?
And the very concept of ACL is worse than whatever you can think of regarding ACIs. If I want to give ONE user access to ONE attribute in ONE object (and many such rules), then ACLs would very quickly become ... unmanageable. With ACIs it's very obvious and simple...
> there is work in progress to allow configuration replication. As such, OpenLDAP offers better means to achieve the same purpose without ACIs, with the access determinism guaranteed by avoiding the use of ACIs.
I argue against the word 'same'. But the meaning of the exact word I guess you're right, I'd say just _a lot_ more complicated/unmanageable in the long run...