Ahh, great points Howard! I did not at all think of these use cases and they make perfect sense. It sounds, though, like this is not an absolute must but something we can take our time in implementing. Perhaps it's better to take more time doing it right with partition nesting than finding a quick hack to make this work right now.

Thanks again!

On Tue, May 6, 2008 at 9:40 AM, Howard Chu <hyc@symas.com> wrote:
Alex Karasulu wrote:
No need to quote the RFC with me, I know that it can be subject to
access control - read my question. You know of situations when it is
actually set to anything but read-only by everyone?

There are cases where MacOS admins remove access to the supportedSASLMechanisms attribute, to prevent the clients from attempting SASL Binds. I don't recall all the reasons behind it, but suffice to say it's mostly just a bandaid over a buggy SASL implementation.

You may also want to hide certain values from the supportedControls/supportedExtensions attributes, so that only particularly authenticated clients can see certain controls. (And furthermore you may want to prevent these controls/extensions from being used by various users...)

 -- Howard Chu
 CTO, Symas Corp.           http://www.symas.com
 Director, Highland Sun     http://highlandsun.com/hyc/
 Chief Architect, OpenLDAP  http://www.openldap.org/project/
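
The two cases Howard describes (hiding a whole root DSE attribute, and hiding single values from clients that are not suitably authenticated) can be modelled as below. This is an added example, not code from the thread, ApacheDS or OpenLDAP; the `RESTRICTED` policy table, the group names and the function names are hypothetical, and the root DSE contents are constructed sample data.

```python
# Toy model of per-client root DSE filtering (added example, hypothetical names).
# Constructed root DSE; the OIDs are the registered ones named in the comments.
ROOT_DSE = {
    "supportedSASLMechanisms": ["GSSAPI", "DIGEST-MD5"],
    "supportedControl": [
        "1.2.840.113556.1.4.319",    # paged results
        "2.16.840.1.113730.3.4.18",  # proxied authorization
    ],
    "supportedExtension": ["1.3.6.1.4.1.1466.20037"],  # StartTLS
}

# Hypothetical policy: (attribute, value) -> groups allowed to read it.
# A value of None restricts the whole attribute; unlisted items stay world-readable.
RESTRICTED = {
    ("supportedSASLMechanisms", None): set(),  # hidden from everyone
    ("supportedControl", "2.16.840.1.113730.3.4.18"): {"admins"},
}


def _allowed(attr, value, groups):
    """True if no attribute-level or value-level rule denies this client."""
    for key in ((attr, None), (attr, value)):
        if key in RESTRICTED and not (RESTRICTED[key] & groups):
            return False
    return True


def visible_root_dse(groups):
    """Return the root DSE as a client in `groups` would see it."""
    groups = set(groups)
    view = {}
    for attr, values in ROOT_DSE.items():
        kept = [v for v in values if _allowed(attr, v, groups)]
        if kept:  # an attribute with no readable values is omitted entirely
            view[attr] = kept
    return view


def may_use_control(oid, groups):
    """Request-path check: hiding an OID from the root DSE blocks nothing by itself."""
    return oid in ROOT_DSE["supportedControl"] and _allowed(
        "supportedControl", oid, set(groups)
    )
```

The same policy drives both the read path and the request path, so a control that a client cannot see is also one it cannot use.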