* Howard Chu:
Look at the volume of messages on this list related to ACLs - clearly, most OpenLDAP admins are both conscious of and conscientious about using effective ACLs.
I think the concern here is access control mechanisms fed from LDAP, not access to the LDAP database itself.
Quite a few AAA systems have configurable LDAP search filters with placeholders and construct the final filter string using simple concatenation. Manipulated filter strings could trick the system into loading (and eventually applying) the wrong set of access controls.
It might make sense for OpenLDAP to provide a version of ldap_search_ext which separates the filter and any parameters contained in it, or provide means to construct filters in a way that is more robust than string concatenation.