The Directory Server provides tools to enter and leave lockdown mode if the server requires a security lockdown. In lockdown mode, only users with the lockdown-mode privilege can perform operations; requests from users without the privilege are rejected. Root users have this privilege by default, and it can be granted to other administrators. Lockdown mode can also be configured as a recurring task.
The Directory Server can be manually placed into lockdown mode to perform an administrative operation while ensuring that other client requests cannot access any data in the server. In addition, some configuration problems cause the server to place itself in lockdown mode so that an administrator can manually correct the problem. These are particularly problems that could lead to inadvertent exposure of sensitive information, such as an access control rule that cannot be properly parsed.
Lockdown mode does not persist across restarts. The Directory Server can be taken out of lockdown mode either by using the leave-lockdown-mode tool or by restarting the server. To start a server in lockdown mode, administrators can use the start-server --lockdownMode option.
A client request that is rejected because the Directory Server is in lockdown mode receives an "Unavailable" response.
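The manual procedure described above (enter lockdown, perform one administrative operation, leave lockdown) can be wrapped so that the operation never runs unless lockdown was actually entered, and so that a failed operation does not leave the server locked down. This is an added example, not code from the product or its documentation; the BIN_DIR path, the enter-lockdown-mode tool name and the LOCKDOWN_TOOL_ARGS variable are assumptions about the local installation.

```shell
#!/bin/sh
# Added example, not vendor code. Assumptions: BIN_DIR (hypothetical install
# path), the enter-lockdown-mode tool name, and LOCKDOWN_TOOL_ARGS, which holds
# whatever connection and authentication arguments the tools need at your site.
BIN_DIR="${BIN_DIR:-/opt/ds/bin}"

# run_in_lockdown <command> [args...]
# Returns the command's own exit status, or:
#   2 = no command given
#   3 = lockdown could not be entered (the command was NOT run)
#   4 = the command ran, but the server could not be taken out of lockdown
run_in_lockdown() {
    if [ "$#" -eq 0 ]; then
        echo "usage: run_in_lockdown <command> [args...]" >&2
        return 2
    fi

    # Fail closed: if lockdown cannot be entered, ordinary clients still have
    # access, so the administrative operation must not start.
    # Word splitting of LOCKDOWN_TOOL_ARGS is intentional.
    if ! "$BIN_DIR/enter-lockdown-mode" ${LOCKDOWN_TOOL_ARGS:-}; then
        echo "could not enter lockdown mode; operation not started" >&2
        return 3
    fi

    # Run the operation and remember its status without aborting the function,
    # so the leave step below is reached even when the operation fails.
    # Lockdown mode does not persist across restarts: a command that restarts
    # the server also ends the lockdown.
    rc=0
    "$@" || rc=$?

    if ! "$BIN_DIR/leave-lockdown-mode" ${LOCKDOWN_TOOL_ARGS:-}; then
        echo "server is still in lockdown mode; leave it manually" >&2
        return 4
    fi
    return "$rc"
}
```

Run the wrapper as a user who holds the lockdown-mode privilege, and treat exit status 4 as an alert condition, since clients keep receiving "Unavailable" until the server leaves lockdown or is restarted.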