The Directory Server ensures that all access control rules (ACRs) added over LDAP are valid and can be fully parsed. The Directory Server rejects any operation that attempts to store one or more invalid ACIs. It also validates ACIs contained in data imported from an LDIF file. The Directory Server rejects any entry containing a malformed aci value.

As an additional level of security, the Directory Server examines and validates all ACIs stored in the data whenever a backend is brought online. If the server finds any malformed ACIs in the backend, it generates an administrative alert to notify administrators of the problem and places itself in lockdown mode. While in lockdown mode, the server only allows requests from users who have the lockdown-mode privilege. This action allows administrators to correct the malformed ACI while ensuring that no sensitive data is inadvertently exposed because of an ACI not being enforced. When the problem has been corrected, the administrator can use the leave-lockdown-mode tool or restart the server to allow it to resume normal operation.
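A pre-import check in the spirit of the validation described above, as an added example that is not the Directory Server's own parser or code from this documentation. It scans an LDIF file for `aci` values (handling folded and base64-encoded lines) and flags structurally broken ones before import. It assumes the common `(target)(version 3.0; acl "name"; allow|deny (rights) bind-rule;)` ACI form; the function names and the sample LDIF are constructed for illustration.

```python
import base64
import re

# Coarse shape of an ACI body: (version 3.0; acl "name"; allow|deny (rights) ... ;)
BODY = re.compile(r'\(\s*version\s+3\.0\s*;\s*acl\s+"[^"]*"\s*;\s*'
                  r'(allow|deny)\s*\([^)]*\).*;\s*\)\s*$', re.I | re.S)

def aci_problem(aci):
    """Return a reason if the ACI is structurally broken, else None."""
    depth, quoted = 0, False
    for ch in aci:
        if ch == '"':
            quoted = not quoted
        elif not quoted and ch in '()':   # parentheses inside quotes are data
            depth += 1 if ch == '(' else -1
            if depth < 0:
                break
    if quoted or depth != 0:
        return "unbalanced parentheses or unterminated quote"
    if not BODY.search(aci):
        return "missing or malformed version/acl/permission body"
    return None

def find_malformed_acis(ldif_text):
    """Unfold RFC 2849 continuation lines, then return [(dn, reason)] per bad aci."""
    findings, dn = [], None
    for line in re.sub(r'\r?\n ', '', ldif_text).splitlines():
        name, sep, value = line.partition(':')
        if not sep or line.startswith('#'):
            continue
        if value.startswith(':'):  # "attr:: ..." carries a base64 value
            value = base64.b64decode(value[1:].strip()).decode('utf-8', 'replace')
        if name.lower() == 'dn':
            dn = value.strip()
        elif name.lower() == 'aci' and (reason := aci_problem(value.strip())):
            findings.append((dn, reason))
    return findings

# Constructed sample: the second entry's ACI is missing its closing ")".
SAMPLE_LDIF = """\
dn: ou=People,dc=example,dc=com
aci: (targetattr="*")(version 3.0; acl "self read"; allow (read,search)
  userdn="ldap:///self";)

dn: ou=Groups,dc=example,dc=com
aci: (targetattr="member")(version 3.0; acl "group admins"; allow (write)
  groupdn="ldap:///cn=admins,dc=example,dc=com";
"""
print(find_malformed_acis(SAMPLE_LDIF))
```

This is a coarse structural check only; an ACI that passes it can still be rejected by the server's full validation.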