Many directory servers apply their access control instructions (ACIs) leniently and accept invalid ACIs. For example, if an Oracle directory server encounters an access control rule that it can't parse, it ignores the rule without providing a warning, and the server might not offer the intended access protection. The Server rejects any ACIs that it can't interpret, which ensures that data access is limited as intended. However, this can cause problems when migrating data with existing access control rules to the Server.

To validate an ACI, the Server provides a validate-acis tool in the bin directory on UNIX or Linux systems or in the bat directory on Windows systems.

The validate-acis tool identifies any ACI syntax problems before you migrate data. The tool can examine access control rules contained in either an LDIF file or an LDAP directory and write its result in LDIF with comments providing information about any problems that were identified.

Each entry in the output contains a single ACI. If an entry in the input contains multiple ACIs, then it can be present multiple times in the output, each time with a different ACI value. The entries in the output contain only ACI values. All other attributes are ignored.
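
The output shape described above, as an added Python sketch (not the validate-acis tool or its parser): it splits a constructed LDIF sample into one entry per ACI and puts a comment above a value that fails a simplified structural check. The function names, the comment format and the check itself are assumptions for illustration.

```python
import re
# Constructed sample LDIF; the second ACI is missing its closing parenthesis.
SAMPLE_LDIF = """\
dn: ou=People,dc=example,dc=com
ou: People
aci: (targetattr="cn || mail")(version 3.0; acl "read names";
  allow (read,search) userdn="ldap:///anyone";)
aci: (targetattr="userPassword")(version 3.0; acl "self write";
  allow (write) userdn="ldap:///self";

dn: ou=Groups,dc=example,dc=com
aci: (targetattr="*")(version 3.0; acl "admins"; allow (all) groupdn="ldap:///cn=admins,dc=example,dc=com";)
"""

def structural_problem(aci):
    """Simplified stand-in check (an assumption, not the tool's parser)."""
    depth, in_quote = 0, False
    for ch in aci:
        if ch == '"':
            in_quote = not in_quote
        elif not in_quote:
            depth += (ch == "(") - (ch == ")")
            if depth < 0:
                return "unmatched ')'"
    if in_quote or depth:
        return "unterminated quote or missing ')'"
    if not re.search(r'\(\s*version\s+3\.0\s*;\s*acl\s+"[^"]*"\s*;', aci):
        return 'no (version 3.0; acl "name"; ...) clause'
    return None

def one_aci_per_entry(ldif):
    """Return one (dn, aci, problem) tuple per ACI value; other attributes are dropped."""
    out = []
    unfolded = re.sub(r"\r?\n ", "", ldif.strip())  # join LDIF continuation lines
    for block in re.split(r"\n\s*\n", unfolded):
        dn = None
        for line in block.splitlines():
            name, _, value = line.partition(":")
            if name.lower() == "dn":
                dn = value.strip()
            elif name.lower() == "aci":  # base64 ("aci::") values are not decoded
                out.append((dn, value.strip(), structural_problem(value.strip())))
    return out

def render(results):
    """LDIF text: one entry per ACI, with a comment above any flagged value."""
    return "\n".join(("# PROBLEM: %s\n" % p if p else "") + "dn: %s\naci: %s\n" % (dn, aci)
                     for dn, aci, p in results)

print(render(one_aci_per_entry(SAMPLE_LDIF)))
```

A server that silently skips the second ACI would leave userPassword without that rule; flagging it before migration is the point of the validation step.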