Note that this is only needed if you have to ensure the integrity of inter-related LDAP entries. So this depends on your deployment, especially the writing LDAP client applications. But thinking more thoroughly about this it could be also a problem if a client application trys to modify several entries and you're switching to read-only mode in between as preparation for a backup. Even if the application would theoretically be capable of rolling back all the changes it wouldn't help since the LDAP server is read-only then. So the solution would be rather to really make sure that no admin/provisioning application is running anymore. I think the admin guide could clarify this.