Re: Please comment

One idea I had was to use dn/{base,one,subtree,children,regex} where
regex was the default (for compatibility).

OK, this is what I'm planning on. There will still be "dn", which implies "dn/regex" as you wrote. In each ACL, should we allow for only one instance of the five possible types, or for one instance of _each_ of the five types? What is an example where you'd want the latter?

Would be nice if this could apply to groups as well.... hmm...

Not sure what you're getting at.