We are developing a web-based open-source identity management solution which includes a graphical frontend to manage OpenLDAP ACLs. Previously we were using cn=config and 'standard' ACLs to manage our tree, but we later moved on to OpenLDAP ACIs for in-tree ACLs.
Gavin Henry suggested that I take this discussion to the list since ACIs are not being actively maintained and it's advisable to move to the 'normal' OpenLDAP ACLs. My problem with that model is that management through a graphical interface becomes VERY ugly (parsing and rendering text ACLs, maintaining priority, managing referential integrity if a DN is deleted, etc.). I have found OpenLDAP ACIs extremely handy to use for my task.
We are willing to provide resources/dev time in the future for the support of OpenLDAP ACIs since it's crucial to our project. I wanted to know if support/interest is the ONLY problem or are there fundamental flaws in the way ACIs work?