Check during 3.4 and create a HowTo wiki page describing the steps.
If there are some issues with the existing ACI system we should probably fix them. We would have to triage then and there after investigation.

Use managedby attribute to control access

See discussion with testing and proposal for API in freeipa-devel list:

http://www.redhat.com/archives/freeipa-devel/2014-April/msg00292.html

The actual implementation won't fit in 4.0 though, thus moving to next version.

The API proposed in comment:4 is just an example, it may be more flexible to just use userattr contents:

# ipa permission-add test --bindtype=userattr --bind-userattr="creatorsname#USERDN"

Documentation for this part of the ACI: https://access.redhat.com/documentation/en-US/Red_Hat_Directory_Server/8.2/html/Administration_Guide/Managing_Access_Control-Bind_Rules.html

Moving to 4.3, we are too close to 4.2 deadline to be able to handle stretch RFEs.

Thank you taking time to submit this request for FreeIPA. Unfortunately this bug was not given priority and the team lacks the capacity to work on it at this time.

Given that we are unable to fulfil this request I am closing the issue as wontfix. To request re-consideration of this decision please reopen this issue and provide additional technical details about its importance to you.