Enforce limits
Enforce application and user limits to protect against a denial of service.
Description
Estimated time to complete: 20 minutes
DS has many settings to prevent client applications from using more than their share of directory resources.
Don’t disable global limit settings. Lift restrictions for specific trusted client applications, accounts, or groups.
Goals
In completing this use case, you learn:
- The DS alternatives for enforcing limits.
- How to change limits.
- The result codes when an application exceeds a limit.
Example scenario
As a directory service administrator, Pat knows directory services are critical for identity applications.
To prevent performance problems and denial of service, Pat wants to restrict what a misbehaving client can do. Pat also wants to make it easy for applications and users to take advantage of directory services.
Pat knows DS offers many options to set limits and aims to review them in light of the directory service requirements.
Prerequisites
Knowledge
Before you start:
- Make sure you are familiar with working with the command line on your operating system.
- If you’re new to directory services, work through the examples to learn LDAP.
Actions
Before you try the sample commands, install a DS server in evaluation mode.
Tasks
Task 1: Review enforceable limits
The following tables list available options for enforcing limits. To change limits for:
- A single ldapsearch command, use the size or time limit options.
- An application, user, or group of accounts, set operational attributes.
- A DS server, update configuration settings with the dsconfig command.
Limit | Option to use |
---|---|
Size limit | |
Time limit | |
Attribute | What it overrides |
---|---|
| How long an idle connection remains open. |
ds-rlim-size-limit | The maximum number of entries returned for a search. |
ds-rlim-time-limit | The maximum processing time for a search operation. |
Setting | Scope | Description |
---|---|---|
max-request-size | Connection handler¹ | The maximum size request this connection handler allows. When client applications add groups with large numbers of members, for example, requests can exceed the default limit. This setting affects only the size of requests, not responses. Default: 5 megabytes |
¹ HTTP and LDAP connection handlers have this setting.
Setting | Scope | Description |
---|---|---|
allowed-client¹ | Global, connection handler² | The client applications that DS accepts connections from, identified by hostname or IP address. Default: not set |
denied-client¹ | Global, connection handler² | The client applications that DS refuses connections from, identified by hostname or IP address. Default: not set |
idle-time-limit | Global | The maximum number of seconds a client connection may remain established since its last completed operation. If the network drops idle connections, set this to a lower value than the idle time limit for the network. This is particularly useful when networks drop idle connections without notification and without closing the connection. It ensures DS shuts down idle connections in an orderly fashion. DS servers do not enforce idle timeout settings for persistent searches. Default: |
max-allowed-client-connections | Global | The total number of concurrent client connections DS accepts. Each connection uses memory. On Linux systems, each connection uses a file descriptor. Default: `0`, meaning no limit |
restricted-client¹ | Global, connection handler² | The client applications DS limits to restricted-client-connection-limit concurrent connections. Default: not set |
restricted-client-connection-limit | Global, connection handler² | The maximum number of concurrent connections for specified clients. Default: |
¹ DS applies the settings in this order:
- If the denied-client property is set, DS denies connections from any client matching the settings.
- If the restricted-client property is set, DS counts the connections from any client matching the settings. If a matching client exceeds restricted-client-connection-limit connections, DS refuses additional connections.
- If the allowed-client property is set, DS lets any client matching the settings connect.
- If the limits are not set, DS lets any client connect.
² The settings on a connection handler override the global settings.
Setting | Scope | Description |
---|---|---|
max-psearches | Global | The maximum number of concurrent persistent searches. Default: |
| Global | The maximum number of entries returned for a single search. Default: |
| Global | The maximum number of seconds to process a single search. Default: |
Task 2: Override account limits
- Give an administrator access to update the operational attributes:
$ ldapmodify \
 --hostname localhost \
 --port 1636 \
 --useSsl \
 --usePkcs12TrustStore /path/to/opendj/config/keystore \
 --trustStorePassword:file /path/to/opendj/config/keystore.pin \
 --bindDN uid=admin \
 --bindPassword password << EOF
dn: ou=People,dc=example,dc=com
changetype: modify
add: aci
aci: (targetattr = "ds-rlim-time-limit||ds-rlim-size-limit") (version 3.0;acl "Allow Kirsten Vaughan to manage search limits"; allow (all) (userdn = "ldap:///uid=kvaughan,ou=People,dc=example,dc=com");)
EOF
- Override the limits for a single entry:
$ ldapmodify \
 --hostname localhost \
 --port 1636 \
 --useSsl \
 --usePkcs12TrustStore /path/to/opendj/config/keystore \
 --trustStorePassword:file /path/to/opendj/config/keystore.pin \
 --bindDN uid=kvaughan,ou=people,dc=example,dc=com \
 --bindPassword bribery << EOF
dn: uid=bjensen,ou=People,dc=example,dc=com
changetype: modify
add: ds-rlim-size-limit
ds-rlim-size-limit: 10
EOF
When Babs Jensen performs an indexed search returning more than 10 entries, she reads the following message:
$ ldapsearch \
 --hostname localhost \
 --port 1636 \
 --useSsl \
 --usePkcs12TrustStore /path/to/opendj/config/keystore \
 --trustStorePassword:file /path/to/opendj/config/keystore.pin \
 --bindDN uid=bjensen,ou=people,dc=example,dc=com \
 --bindPassword hifalutin \
 --baseDN dc=example,dc=com \
 "(sn=jensen)"

# The LDAP search request failed: 4 (Size Limit Exceeded)
# Additional Information: This search operation has sent the maximum of 10 entries to the client
Task 2: Override group limits
- Give an administrator the privilege to write subentries:
$ ldapmodify \
 --hostname localhost \
 --port 1636 \
 --useSsl \
 --usePkcs12TrustStore /path/to/opendj/config/keystore \
 --trustStorePassword:file /path/to/opendj/config/keystore.pin \
 --bindDN uid=admin \
 --bindPassword password << EOF
dn: uid=kvaughan,ou=People,dc=example,dc=com
changetype: modify
add: ds-privilege-name
ds-privilege-name: subentry-write
EOF
Notice here that the directory superuser, uid=admin, assigns privileges. Any administrator with the privilege-change privilege can assign privileges. However, if an administrator can update administrator privileges, they can assign themselves the bypass-acl privilege. Then they are no longer bound by access control instructions, including both user data ACIs and global ACIs. For this reason, do not assign the privilege-change privilege to normal administrator users.
- Create an LDAP subentry to override the limits with collective attributes:
$ ldapmodify \
 --hostname localhost \
 --port 1636 \
 --useSsl \
 --usePkcs12TrustStore /path/to/opendj/config/keystore \
 --trustStorePassword:file /path/to/opendj/config/keystore.pin \
 --bindDN uid=kvaughan,ou=people,dc=example,dc=com \
 --bindPassword bribery << EOF
dn: cn=Remove Administrator Search Limits,dc=example,dc=com
objectClass: collectiveAttributeSubentry
objectClass: extensibleObject
objectClass: subentry
objectClass: top
cn: Remove Administrator Search Limits
ds-rlim-size-limit;collective: 0
ds-rlim-time-limit;collective: 0
subtreeSpecification: {base "ou=people", specificationFilter "(isMemberOf=cn=Directory Administrators,ou=Groups,dc=example,dc=com)" }
EOF
The base entry identifies the branch with administrator entries. For details on how subentries apply, refer to About subentry scope.
- Show an administrator account has limits set to 0 (no limit):
$ ldapsearch \
 --hostname localhost \
 --port 1636 \
 --useSsl \
 --usePkcs12TrustStore /path/to/opendj/config/keystore \
 --trustStorePassword:file /path/to/opendj/config/keystore.pin \
 --bindDN uid=kvaughan,ou=people,dc=example,dc=com \
 --bindPassword bribery \
 --baseDN uid=kvaughan,ou=people,dc=example,dc=com \
 --searchScope base \
 "(&)" \
 ds-rlim-time-limit ds-rlim-size-limit

dn: uid=kvaughan,ou=People,dc=example,dc=com
ds-rlim-size-limit: 0
ds-rlim-time-limit: 0
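To make the account and group overrides in Task 2 concrete, here is an added example (not DS code and not part of this page) that models how an account's effective search limit is resolved and then enforced. It assumes the default collective-attribute conflict behaviour, where a real ds-rlim-size-limit on the entry wins over a collective value from a subentry, which in turn wins over the global limit; 0 means no limit. The subtreeSpecification handling is simplified to an absolute base DN plus one equality filter, and the global default value, the entries, and the result message text for result code 4 are constructed for the example.

```python
# Added example, not DS code: resolve an account's effective ds-rlim-size-limit
# (entry attribute > collective attribute from an in-scope subentry > global)
# and apply it to a search, returning result code 4 when it is exceeded.
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

GLOBAL_SIZE_LIMIT = 1000  # constructed placeholder; the page does not show the global default


@dataclass
class Entry:
    dn: str
    attrs: Dict[str, List[str]] = field(default_factory=dict)


@dataclass
class Subentry:
    """Simplified subtreeSpecification: an absolute base DN plus one equality filter."""
    base_dn: str
    filter_attr: Optional[str]
    filter_value: Optional[str]
    collective: Dict[str, str]


def in_scope(entry: Entry, sub: Subentry) -> bool:
    """Assumption: subtree membership is a case-insensitive DN suffix test."""
    if not entry.dn.lower().endswith(sub.base_dn.lower()):
        return False
    if sub.filter_attr is None:
        return True
    return sub.filter_value in entry.attrs.get(sub.filter_attr, [])


def effective_limit(entry: Entry, subentries: List[Subentry],
                    attr: str = "ds-rlim-size-limit",
                    global_limit: int = GLOBAL_SIZE_LIMIT) -> int:
    if attr in entry.attrs:                       # Task 2 (account): real attribute on the entry
        return int(entry.attrs[attr][0])
    for sub in subentries:                        # Task 2 (group): collective attribute via subentry
        if in_scope(entry, sub) and attr in sub.collective:
            return int(sub.collective[attr])
    return global_limit                           # nothing overrides the global setting


def run_search(limit: int, matching: List[str]) -> Tuple[int, List[str], str]:
    """Return (result code, entries sent, diagnostic). 0 means no limit."""
    if limit == 0 or len(matching) <= limit:
        return 0, list(matching), ""
    return 4, matching[:limit], (
        f"This search operation has sent the maximum of {limit} entries to the client")


# Constructed sample data mirroring the page's scenario
SUBENTRIES = [Subentry(
    "ou=people,dc=example,dc=com", "isMemberOf",
    "cn=Directory Administrators,ou=Groups,dc=example,dc=com",
    {"ds-rlim-size-limit": "0", "ds-rlim-time-limit": "0"})]
BJENSEN = Entry("uid=bjensen,ou=People,dc=example,dc=com", {"ds-rlim-size-limit": ["10"]})
KVAUGHAN = Entry("uid=kvaughan,ou=People,dc=example,dc=com",
                 {"isMemberOf": ["cn=Directory Administrators,ou=Groups,dc=example,dc=com"]})
ACHAN = Entry("uid=achan,ou=People,dc=example,dc=com")  # constructed account with no overrides

if __name__ == "__main__":
    for who in (BJENSEN, KVAUGHAN, ACHAN):
        print(who.dn, "->", effective_limit(who, SUBENTRIES))
    print(run_search(effective_limit(BJENSEN, SUBENTRIES), [f"jensen{i}" for i in range(25)]))
```

Running it shows bjensen capped at 10 by her own attribute, kvaughan unlimited through the group subentry, and an account with no overrides falling back to the global value; the last line reproduces the truncated result with result code 4.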
Task 3: Limit persistent searches
An LDAP persistent search maintains an open connection until the client application ends the search. Whenever a modification changes data in the search scope, DS returns a search result. The more concurrent persistent searches there are, the more work the server has to do for each modification.
Set the global property max-psearches to limit the total number of concurrent persistent searches.
$ dsconfig \
set-global-configuration-prop \
--hostname localhost \
--port 4444 \
--bindDN uid=admin \
--bindPassword password \
--set max-psearches:30 \
--usePkcs12TrustStore /path/to/opendj/config/keystore \
--trustStorePassword:file /path/to/opendj/config/keystore.pin \
--no-prompt
Task 4: Limit connections
- Limit the total concurrent connections DS accepts.
The following command sets the limit to 64K (the minimum number of file descriptors to make available to DS on a Linux system):
$ dsconfig \
 set-global-configuration-prop \
 --hostname localhost \
 --port 4444 \
 --bindDN uid=admin \
 --bindPassword password \
 --set max-allowed-client-connections:65536 \
 --usePkcs12TrustStore /path/to/opendj/config/keystore \
 --trustStorePassword:file /path/to/opendj/config/keystore.pin \
 --no-prompt
- Set an idle timeout of 24 hours:
$ dsconfig \
 set-global-configuration-prop \
 --hostname localhost \
 --port 4444 \
 --bindDN uid=admin \
 --bindPassword password \
 --set idle-time-limit:24h \
 --usePkcs12TrustStore /path/to/opendj/config/keystore \
 --trustStorePassword:file /path/to/opendj/config/keystore.pin \
 --no-prompt
- Limit access to clients in the example.com domain:
$ dsconfig \
 set-global-configuration-prop \
 --hostname localhost \
 --port 4444 \
 --bindDN uid=admin \
 --bindPassword password \
 --set allowed-client:example.com \
 --usePkcs12TrustStore /path/to/opendj/config/keystore \
 --trustStorePassword:file /path/to/opendj/config/keystore.pin \
 --no-prompt
- Limit clients on the 10.0.0.* network to 1000 concurrent connections each:
$ dsconfig \
 set-global-configuration-prop \
 --hostname localhost \
 --port 4444 \
 --bindDN uid=admin \
 --bindPassword password \
 --set restricted-client:"10.0.0.*" \
 --set restricted-client-connection-limit:1000 \
 --usePkcs12TrustStore /path/to/opendj/config/keystore \
 --trustStorePassword:file /path/to/opendj/config/keystore.pin \
 --no-prompt
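The allowed-client, denied-client and restricted-client settings from Task 4 interact in the order given in the Task 1 footnote (deny first, then the restricted-client connection count, then allowed-client, then accept). The following added example (not DS code and not part of this page) models that decision for a candidate connection, and also the connection-handler override of global values from footnote 2. Pattern matching is a deliberately simplified assumption: IP patterns use shell-style wildcards such as 10.0.0.*, hostname patterns match the host itself or a parent domain such as example.com, and connections are counted per client IP. It also assumes that once allowed-client is set, clients that match none of its patterns are refused.

```python
# Added example, not DS code: the admission order denied-client ->
# restricted-client / restricted-client-connection-limit -> allowed-client -> accept,
# plus the rule that a connection-handler value replaces the global one.
from dataclasses import dataclass, fields
from fnmatch import fnmatchcase
from typing import Dict, List, Optional, Tuple


@dataclass
class ConnectionPolicy:
    allowed_client: Optional[List[str]] = None
    denied_client: Optional[List[str]] = None
    restricted_client: Optional[List[str]] = None
    restricted_client_connection_limit: Optional[int] = None


def effective_policy(global_policy: ConnectionPolicy,
                     handler_policy: ConnectionPolicy) -> ConnectionPolicy:
    """Footnote 2: a property set on the connection handler overrides the global value."""
    merged = ConnectionPolicy()
    for f in fields(ConnectionPolicy):
        handler_value = getattr(handler_policy, f.name)
        setattr(merged, f.name,
                handler_value if handler_value is not None else getattr(global_policy, f.name))
    return merged


def matches(patterns: Optional[List[str]], client_ip: str, client_host: str = "") -> bool:
    """Assumption: wildcard IP patterns, exact-host or parent-domain hostname patterns."""
    for pattern in patterns or []:
        if fnmatchcase(client_ip, pattern):
            return True
        if client_host and (client_host == pattern or client_host.endswith("." + pattern)):
            return True
    return False


def admit(policy: ConnectionPolicy, client_ip: str, client_host: str,
          open_connections: Dict[str, int]) -> Tuple[bool, str]:
    """Decide whether a new connection is accepted; open_connections counts per client IP."""
    # 1. denied-client: a match is refused regardless of the other settings
    if matches(policy.denied_client, client_ip, client_host):
        return False, "denied-client"
    # 2. restricted-client: matching clients are counted against the connection limit
    #    (the page does not show the limit's default, so it must be set explicitly here)
    if matches(policy.restricted_client, client_ip, client_host) \
            and policy.restricted_client_connection_limit is not None:
        if open_connections.get(client_ip, 0) >= policy.restricted_client_connection_limit:
            return False, "restricted-client-connection-limit"
    # 3. allowed-client: when set, only matching clients may connect (assumption)
    if policy.allowed_client:
        if matches(policy.allowed_client, client_ip, client_host):
            return True, "allowed-client"
        return False, "not in allowed-client"
    # 4. no limits set: any client may connect
    return True, "no limits set"


if __name__ == "__main__":
    # Constructed policy using the values from Task 4
    task4 = ConnectionPolicy(allowed_client=["example.com"],
                             restricted_client=["10.0.0.*"],
                             restricted_client_connection_limit=1000)
    print(admit(task4, "10.0.0.5", "app.example.com", {"10.0.0.5": 1000}))
    print(admit(task4, "10.0.0.5", "app.example.com", {"10.0.0.5": 999}))
    print(admit(task4, "192.0.2.9", "", {}))
```

The first call is refused because the 10.0.0.* client already holds 1000 connections, the second is accepted through allowed-client once it is under the limit, and the third is refused because a client outside example.com matches no allowed-client pattern.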
Task 5: Permit large requests
The following command increases the limit to 20 MB for the LDAP connection handler. This lets client applications add large static group entries, for example:
$ dsconfig \
set-connection-handler-prop \
--hostname localhost \
--port 4444 \
--bindDN uid=admin \
--bindPassword password \
--handler-name LDAP \
--set max-request-size:20mb \
--usePkcs12TrustStore /path/to/opendj/config/keystore \
--trustStorePassword:file /path/to/opendj/config/keystore.pin \
--no-prompt
Result codes
When an LDAP application exceeds a limit, DS responds with the appropriate result code:
- 3: Time Limit Exceeded, when the request took too long to process.
- 4: Size Limit Exceeded, when the request returned too many entries.
- 11: Administrative Limit Exceeded, when the request exceeded a limit imposed by one of the other settings.
Refer to any additional information DS returns with the result to determine what action to take.