This requirement is part of the MVP definition for 4.0.0.
- the proxy code is 100% SDK API, yet the access control handler uses the server API, so we'll need to use the various adapters. This could be tricky depending on how much "server" API the ACI handler depends on, e.g. DirectoryServer.getEntry(), ClientConnection, etc.
- what support should be provided? We cannot do fine-grained access control for write operations because we don't have access to the targeted entry's content. Similarly, we cannot easily do fine-grained access control for searches, because not all attributes will be included in the entries returned by the remote server. We may be able to support most user/group primitives, especially if the backend server supports post-read for bind requests, which could return the user's entry and group DNs.