> I think this is the very important part here -- deprecated and discouraged. I'd argue that long term, ACI support should be removed entirely (perhaps for 2.5?). The entire concept of ACIs is broken.

Is it really so bad? I mean, I actually don't know, you're probably right if you say so, anyway I'd really regret such a feature being discontinued. I was testing it very long ago, and, despite its complexity and its experimental flavour, the concept itself was very exciting. I was hoping someday this would be implemented in a tested/documented and stable version. Dynamic ACL would probably be a really useful thing. Anyway, the actual implementation is another point; maybe ACIs is not really the best possible one, I don't know. Do commercial directory service implementations have such a feature or not? I bet they do. Maybe some concept based on a special kind of db like cn=config or cn=Monitor would do the work better than keeping dynacl with the entries themselves?

Actually, regarding - conceptually - the unix/posix standard, if we compare ldap entries simply to "virtual files" (note the original meaning of "file"), isn't the way classic Unix file privileges are stored some kind of "dynamic acl"? There are some bits describing privileges and ownerships, which are actually stored _with_ the files, aren't they? Imagine that someone could say that "the entire privileges and ownerships concept in Unix is broken"; wouldn't that sound a little bit, em, weird? :) Of course, there are concept limitations we all know, and there are better or worse workarounds for them, actually hundreds of extended acl things for various local and network filesystems; anyway, despite the limitations, what could do the work better than such a (actually simple in its basics) concept?

Back to the ACIs - is it to be discontinued because people like me didn't test it enough and didn't provide enough feedback? :) This would make me sad :/

Regards,
Piotr
Quoting Piotr Wadas pwadas@jewish.org.pl:
> I think this is the very important part here -- deprecated and discouraged. I'd argue that long term, ACI support should be removed entirely (perhaps for 2.5?). The entire concept of ACIs is broken.

> Is it really so bad? I mean, I actually don't know, you're probably right if you say so, anyway I'd really regret such a feature being discontinued. I was testing it very long ago, and, despite its complexity and its experimental flavour, the concept itself was very exciting.
I've been using it successfully for years on my production machines. Granted, it's a mess to work with. But so is everything if you don't have the right tools...
> I was hoping someday this would be implemented in a tested/documented and stable version.
So did I.
> Imagine that someone could say that "the entire privileges and ownerships concept in Unix is broken"; wouldn't that sound a little bit, em, weird? :)
No, because 'everyone' has said it for years :)

That's why they invented ... what's-the-module that does ACLs in filesystems... Haven't compiled a kernel in quite a while, but there IS an option (and has been for quite a number of years) that gives MORE (MUCH more) control to the administrator.

And in AFS (which I use extensively), there are ACLs as well...

UNIX access control is _horribly_ broken. BUT, and I would like to make a plea to the OL developers: don't remove something like OpenLDAPaci without having a replacement! Even though it might be bad, it's the only thing usable (I'm not going with the ACL because _that_ I find broken! :).
Static access control!? You got to be kidding...
> what could do the work better than such a (actually simple in its basics) concept?
Basically anything for someone with a dynamic environment... But let's not go there...
openldap-software@openldap.org