diff --git a/servers/slapd/acl.c b/servers/slapd/acl.c
index ac2500cf4d..f50005d09f 100644
--- a/servers/slapd/acl.c
+++ b/servers/slapd/acl.c
@@ -33,6 +33,12 @@ static int aci_mask(
 	Operation *op,
 	Entry *e, char *attr, struct berval *val, struct berval *aci,
 	regmatch_t *matches, slap_access_t *grant, slap_access_t *deny );
+
+char *supportedACIMechs[] = {
+				"1.3.6.1.4.1.4203.666.7.1",	/* experimental draft aci family */
+				"1.3.6.1.4.1.4203.666.7.2",	/* experimental OpenLDAP aci family */
+				NULL
+		};
 #endif
 
 static int	regex_matches(char *pat, char *str, char *buf, regmatch_t *matches);
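Review bot: `supportedACIMechs` is added as a writable, externally visible global of `char *` pointing at string literals, even though it is the allow-list that decides which ACI families aci_mask will evaluate. Nothing in this diff modifies it or needs it from another file (get_supported_acimech in the last hunk lives in the same file), so `static const char * const supportedACIMechs[] = {` would keep the list read-only and out of the global namespace, with the accessor's return type becoming `const char *`. If another translation unit does reference the array directly, keep the linkage but still add the const qualifiers. The parameter type of aci_strbvcmp is not visible here and may need the same qualifier.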
@@ -941,12 +947,12 @@ aci_mask (
 {
     struct berval bv, perms, sdn;
     char *subjdn;
-	int rc;
+	int rc, i;
 
 	/* parse an aci of the form:
 		oid#scope#action;rights;attr;rights;attr$action;rights;attr;rights;attr#dnType#subjectDN
 
-	   See draft-ietf-ldapext-aci-model-0.3.txt section 9.1 for
+	   See draft-ietf-ldapext-aci-model-04.txt section 9.1 for
 	   a full description of the format for this attribute.
 
 	   For now, this routine only supports scope=entry.
@@ -956,6 +962,16 @@ aci_mask (
 	if (aci_get_part(aci, 4, '#', NULL) < 0)
 		return(0);
 
+	/* check that the aci family is supported */
+	if (aci_get_part(aci, 0, '#', &bv) < 0)
+		return(0);
+	for (i = 0; supportedACIMechs[i] != NULL; i++) {
+		if (aci_strbvcmp( supportedACIMechs[i], &bv ) == 0)
+			break;
+	}
+	if (supportedACIMechs[i] == NULL)
+		return(0);
+
 	/* check that the scope is "entry" */
 	if (aci_get_part(aci, 1, '#', &bv) < 0
 		|| aci_strbvcmp( "entry", &bv ) != 0)
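Review bot: An ACI whose OID is not in `supportedACIMechs` is dropped by the bare `return(0)` after the loop, the same result as a malformed value, so an administrator gets no signal that a rule is being ignored. Because aci_mask fills both `grant` and `deny`, this presumably means a deny rule stored under an unrecognised family quietly stops applying. A trace at ACL debug level before that return would make it visible, e.g. `Debug( LDAP_DEBUG_ACL, "aci_mask: unsupported ACI family, ACI ignored\n", 0, 0, 0 );` (adjust to the Debug form this tree uses). A one-line comment saying whether aci_strbvcmp compares the OID exactly would also help, since its definition is outside this hunk, as are the start and end of aci_mask.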
@@ -1021,6 +1037,15 @@ aci_mask (
 
 	return(0);
 }
+
+char *
+get_supported_acimech (int index)
+{
+	if (index < 0 || index >= (sizeof(supportedACIMechs) / sizeof(char *)))
+		return(NULL);
+	return(supportedACIMechs[index]);
+}
+
 #endif	/* SLAPD_ACI_ENABLED */
 
 static void
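Review bot: The bounds check in get_supported_acimech compares the signed `index` with a `size_t` and divides by `sizeof(char *)` rather than the element size; it is correct only because the `index < 0` test runs first and the table's element type happens to be `char *`. `if (index < 0 || (size_t)index >= sizeof(supportedACIMechs) / sizeof(supportedACIMechs[0]))` states the intent and survives a change to the table's type. The function also has no header comment; something like `/* return the index'th supported ACI family OID, or NULL once index reaches the end of the list */` would document that the NULL sentinel slot is inside the accepted range and that callers are expected to iterate until NULL. It is defined inside the SLAPD_ACI_ENABLED block, so any caller presumably needs the same guard.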