In DSEE, if the server encounters a malformed access control rule, it simply ignores that rule without any warning. If this occurs, then the server will be running with less than the intended set of ACIs, which may prevent access to data that should have been allowed or, worse yet, may grant access to data that should have been restricted.
The PingDirectory Server is much more strict about the
access control rules that it will accept. When performing an LDIF import, any entry containing
a malformed or unsupported access control rule will be rejected. Similarly, any add or modify
request that attempts to create an invalid ACI will be rejected. In the unlikely event that a
malformed ACI does make it into the data, then the server immediately places itself in
lockdown mode, in which the server terminates connections and rejects requests from users
without the lockdown-mode
privilege. Lockdown mode allows an administrator to
correct the problem without risking exposure to user data.