There is an issue in the roadmap with the explanation "make sure userPassword cannot be searched". As far as I know this is a bug (https://issues.apache.org/jira/browse/DIRSERVER-997
) and is also special case of another bug (https://issues.apache.org/jira/browse/DIRSERVER-955). AS soon as we fix DIRSERVER-955 this problem will also be gone. However, if we're talking controlling this in the DefaultAuthorizationService then it's ok as a new issue and it's easy to fix.
Anything else I am missing?