It is used to lock system programs and config files in memory so that if a DOS attack is experienced then the chance of the sys-admin regaining control of the system in a reasonable amount of time (and therefore having a reasonable chance of discovering the cause of the problem) is significantly increased.
The -d option specifies debugging mode, the program will not fork and will produce it's logging messages on stderr instead of via syslog.
The -u option specifies the name of a user to use for running ldd (for recursive operation). Note that locking shared objects that are writable by non-root is not safe, but using a different UID will reduce the risk.
The config file will contain a number of fully qualified names of files to lock in RAM. When locking shared objects and ELF binaries it is possible to prefix the file name with a + character to indicate that memlockd should recursively lock all shared objects that the program requires and all shared objects that those objects require.