The PingDirectory Server offers a lockdown mode in which it reports itself as
unavailable and only allows requests from clients with the lockdown-mode
privilege.
Lockdown mode provides a way for the server to be online so that administrators can investigate a problem or perform some disruptive administrative action, but in a manner that causes it to be unavailable to most clients.
The PingDirectory Server can automatically place itself in lockdown mode under certain circumstances. Some of these include:
- If the access control handler encounters a malformed access control rule on startup. The server does its best to prevent invalid access control rules from being created, but if one does make it through, the server enters lockdown mode rather than running with a potentially incomplete access control policy.
- If an unrecoverable error occurs while interacting with a backend database
based on the
unrecoverable-database-error-mode
global configuration property. - If the server is missing replication changes that are no longer available
in the replication database based on the
lockdown-on-missed-replication-changes
global configuration properly. - If available disk space gets too low, as determined by the disk space usage monitor provider’s low-space-error-size-threshold and low-space-error-percent-threshold properties.
- If an error occurs while attempting to log a message based on the
logging-error-behavior
property in the log publisher configuration.
The server can also be placed in lockdown mode at any time using the
enter-lockdown-mode
command-line tool, or the enter lockdown mode
administrative task that the tool uses behind the scenes. The start-server command also
provides a --lockdownMode
argument that can be used to make the server
enter lockdown mode before startup completes.
Once the server enters lockdown mode, that mode stays in effect until the server is restarted
or until the leave-lockdown-mode
command or the underlying
administrative task is used. Lockdown mode does not persist across server restarts
unless it is automatically triggered by a condition that still exists after the
restart.