ACLs are generally associated with a single object in a user's Mailbox, either a folder or a tag. As such, the ACLs should probably be persisted in the user's database; we've always shied away from allowing LDAP entries to refer directly to Mailbox items because of the complexities in keeping the two stores in sync. Also, reducing writes to LDAP is usually advisable because of the limited write throughput on the master.
In the mailbox, the METADATA column on the MAIL_ITEM row for the folder or tag seems like the right place to serialize ACL data. We automatically load that data when the folders and tags are loaded, so it won't require either extra joins or extra fetches during the folder/tag preload. Those folder and tag objects are kept cached for the lifetime of the Mailbox, so it also won't require subsequent database accesses when checking item permissions. And the METADATA contents are automatically deleted when the folder or tag's row is deleted, so cleanup is trivial.
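As an added illustration of the design described above (this is not Zimbra's code; the table layout, the column names, the JSON layout of the serialized ACL and the grantee ids are all assumptions made for the example), the following Python models the approach with an in-memory sqlite3 database: grants live in the METADATA column of the folder's MAIL_ITEM row, are deserialized once during the folder preload and cached on the Mailbox object, permission checks never issue a query, and deleting the row removes the ACL with it. A trace callback counts SELECT statements so the "no subsequent database accesses" claim can be checked rather than assumed.

```python
import json
import sqlite3

# Constructed schema loosely modelled on a MAIL_ITEM table with a METADATA
# column. Column names and the JSON layout are assumptions for this example.
ACL_KEY = "acl"


def create_store():
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE mail_item ("
        "id INTEGER PRIMARY KEY, type TEXT NOT NULL, "
        "name TEXT NOT NULL, metadata TEXT)"
    )
    return conn


def serialize_acl(grants):
    """grants maps a grantee id to a set of rights, e.g. {'r', 'w'}."""
    return json.dumps({ACL_KEY: {g: sorted(r) for g, r in grants.items()}})


def deserialize_acl(metadata):
    if not metadata:
        return {}
    return {g: set(r) for g, r in json.loads(metadata).get(ACL_KEY, {}).items()}


class Mailbox:
    """Holds the folder/tag cache for the lifetime of the object."""

    def __init__(self, conn):
        self.conn = conn
        self.db_reads = 0
        # Count every SELECT so the test can prove checks stay in memory.
        self.conn.set_trace_callback(self._count_reads)
        self.folders = {}  # id -> {"type", "name", "acl"}, cached once
        self._preload()

    def _count_reads(self, stmt):
        if stmt.lstrip().upper().startswith("SELECT"):
            self.db_reads += 1

    def _preload(self):
        # One fetch loads folders, tags and their serialized ACLs together:
        # no extra join or query is needed for the ACL data.
        rows = self.conn.execute(
            "SELECT id, type, name, metadata FROM mail_item "
            "WHERE type IN ('folder', 'tag')"
        ).fetchall()
        for id_, typ, name, md in rows:
            self.folders[id_] = {"type": typ, "name": name,
                                 "acl": deserialize_acl(md)}

    def create_folder(self, id_, name, grants=None):
        grants = grants or {}
        self.conn.execute(
            "INSERT INTO mail_item VALUES (?, ?, ?, ?)",
            (id_, "folder", name, serialize_acl(grants)),
        )
        self.folders[id_] = {"type": "folder", "name": name, "acl": grants}

    def grant(self, folder_id, grantee, rights):
        # Update the cached object and persist it back into METADATA.
        f = self.folders[folder_id]
        f["acl"].setdefault(grantee, set()).update(rights)
        self.conn.execute(
            "UPDATE mail_item SET metadata = ? WHERE id = ?",
            (serialize_acl(f["acl"]), folder_id),
        )

    def check_permission(self, folder_id, grantee, right):
        # Served entirely from the cache: no database access.
        f = self.folders.get(folder_id)
        if f is None:
            return False  # a deleted folder carries no grants
        return right in f["acl"].get(grantee, set())

    def delete_folder(self, folder_id):
        # The ACL lives in the row's METADATA column, so deleting the row
        # deletes the ACL; nothing else needs cleaning up.
        self.conn.execute("DELETE FROM mail_item WHERE id = ?", (folder_id,))
        self.folders.pop(folder_id, None)


if __name__ == "__main__":
    conn = create_store()
    mb = Mailbox(conn)
    mb.create_folder(257, "Inbox")
    mb.grant(257, "alice-id", {"r"})  # constructed grantee id
    print(mb.check_permission(257, "alice-id", "r"), mb.db_reads)
```

Re-opening a second Mailbox on the same connection shows the other half of the argument: the ACL survives because it was persisted with the folder row, and the cache is rebuilt from that single preload query rather than from LDAP.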