I believe you are taking a more complicated approach than necessary. To disable a DIT, disable its corresponding database. This can be done by setting olcHidden: TRUE.
olcHidden: TRUE | FALSE
Controls whether the database will be used to answer queries. A database that is hidden will never be selected to answer any queries, and any suffix configured on the database will be ignored in checks for conflicts with other databases. By default, olcHidden is FALSE.
# Bind as the local root via ldapi (SASL EXTERNAL), the usual way to modify cn=config
ldapmodify -Y EXTERNAL -H ldapi:/// <<EOF
dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcHidden
olcHidden: TRUE
EOF
Additional note:
Regardless of what access control policy is defined, the rootdn is always allowed full rights (i.e. auth, search, compare, read and write) on everything and anything.
As a consequence, it's useless (and results in a performance penalty) to explicitly list the rootdn among the clauses.
-- OpenLDAP Software 2.4 Administrator's Guide