If the server runs with an incomplete set of access control instructions (ACIs), it might deny access to data that should be allowed or grant access to data that should be restricted. In DSEE, if the server encounters a malformed access control rule (ACR), it ignores the rule, which can leave the server running with fewer ACIs than intended. To guard against this, the PingDirectory Server is stricter about the ACRs that it accepts.

When performing an LDIF import, the PingDirectory Server rejects any entry containing a malformed or unsupported ACR. The PingDirectory Server also rejects any add or modify request that attempts to create an invalid ACI.

In the unlikely event that a malformed ACI is accepted into the data, the server immediately places itself in lockdown mode. In lockdown mode, the server terminates connections and rejects requests from users without the lockdown-mode privilege. Lockdown mode allows an administrator to correct the problem without risking exposure of user data.


To review any rejected ACIs, run the import-ldif tool with the --rejectFile option.
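Before migrating DSEE data, it can help to find the ACIs that a stricter parser is likely to reject. The following Python script is an added example, not PingDirectory code: it applies a structural sanity check based on the general DSEE-style ACI layout, `(target)(version 3.0; acl "name"; allow|deny (rights) bind-rule;)`, and does not reproduce the server's own validation. The function names and the sample LDIF are constructed for illustration.

```python
import base64
import re

REQUIRED = [  # clauses every ACI needs: (pattern, message reported when absent)
    (r'\(\s*version\s+3\.0\s*;', "missing 'version 3.0;'"),
    (r';\s*acl\s+"[^"]+"\s*;', "missing 'acl \"name\";'"),
    (r'\b(allow|deny)\s*\(', "missing allow/deny permission"),
    (r';\s*\)\s*$', "does not end with ';)'"),
]

def aci_problems(aci):
    """Return structural problems in one ACI value (empty list: none found)."""
    depth, in_quote = 0, False
    for ch in aci:
        if ch == '"':
            in_quote = not in_quote
        elif not in_quote:  # parentheses inside quoted filters do not count
            depth += (ch == "(") - (ch == ")")
            if depth < 0:
                break
    problems = ["unbalanced parentheses or quotes"] if depth or in_quote else []
    return problems + [msg for pat, msg in REQUIRED if not re.search(pat, aci, re.I)]

def _value(rest):
    if rest.startswith(":"):  # "attr:: ..." carries a base64-encoded value
        return base64.b64decode(rest[1:].strip()).decode("utf-8")
    return rest.strip()

def scan_ldif(text):
    """Return (dn, aci, problems) for each suspect aci value in LDIF text."""
    findings, dn = [], None
    for line in re.sub(r'\r?\n ', '', text).splitlines():  # unfold continuations
        name, _, rest = line.partition(":")
        if name.lower() == "dn":
            dn = _value(rest)
        elif name.lower() == "aci" and (problems := aci_problems(_value(rest))):
            findings.append((dn, _value(rest), problems))
    return findings

# Constructed sample: a valid ACI, one missing ';' after the acl name, one unclosed.
SAMPLE_LDIF = '''dn: ou=People,dc=example,dc=com
aci: (targetattr="cn || sn")(version 3.0; acl "Read names";
  allow (read,search) userdn="ldap:///anyone";)
aci: (targetattr="userPassword")(version 3.0; acl "Self password"
  allow (write) userdn="ldap:///self";)

dn: ou=Groups,dc=example,dc=com
aci: (targetattr="*")(version 3.0; acl "Admins"; allow (all) groupdn="ldap:///cn=admins,ou=Groups,dc=example,dc=com";
'''
```

Calling `scan_ldif` on the text of an export returns one tuple per suspect ACI, so the entries can be corrected before import. The reject file written by import-ldif remains the authoritative record of what the server refused.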