ldap object access controls

[William Brown]

Hi,

I'm currently trying to understand the samba4/ad ldap object access
control for search and how to manipulate these.

Looking at various objects I can't seem to see where AD is storing the
ACE entries, even though you can "edit" them via ADSI and the like.

What attribute of the object are the ACE attributes stored in and how
can I modify these via the ldap interface? Any documentation or
references about this topic would be excellent,

Thank you!