Resource Limits
Search Limits
You can set limits on search operations:
The lookthrough limit defines the maximum number of candidate entries that the DS server considers when processing a search.
The default lookthrough limit of 5000 is set by the global server property
lookthrough-limit
.You can override the limit per user with the operational attribute,
ds-rlim-lookthrough-limit
.The size limit sets the maximum number of entries returned for a search.
The default size limit of 1000 is set by the global server property
size-limit
.You can override the limit per user with the operational attribute,
ds-rlim-size-limit
.Search requests can include a size limit setting. The ldapsearch command has a
--sizeLimit
option.The time limit defines the maximum processing time for a search operation.
The default time limit of 1 minute is set by the global server property
time-limit
.You can override the limit on a per user basis with the operational attribute,
ds-rlim-time-limit
. Times fords-rlim-time-limit
are expressed in seconds.In addition, search requests themselves can include a time limit setting. The ldapsearch command has an
--timeLimit
option.The idle time limit defines how long an idle connection remains open.
No default idle time limit is set. You can set an idle time limit by using the global server property
idle-time-limit
.You can override the limit on a per user basis with the operational attribute,
ds-rlim-idle-time-limit
. Times fords-rlim-idle-time-limit
are expressed in seconds.The maximum number of persistent searches is set by the global server property
max-psearches
.
Give an administrator access to update the operational attributes related to search limits:
$
ldapmodify \ --hostname localhost \ --port 1636 \ --useSsl \ --usePkcs12TrustStore /path/to/opendj/config/keystore \ --trustStorePasswordFile /path/to/opendj/config/keystore.pin \ --bindDN uid=admin \ --bindPassword password << EOF dn: ou=People,dc=example,dc=com changetype: modify add: aci aci: (targetattr = "ds-rlim-lookthrough-limit||ds-rlim-time-limit||ds-rlim-size-limit") (version 3.0;acl "Allow Kirsten Vaughan to manage search limits"; allow (all) (userdn = "ldap:///uid=kvaughan,ou=People,dc=example,dc=com");) EOF
Change the user entry to set the limits to override:
$
ldapmodify \ --hostname localhost \ --port 1636 \ --useSsl \ --usePkcs12TrustStore /path/to/opendj/config/keystore \ --trustStorePasswordFile /path/to/opendj/config/keystore.pin \ --bindDN uid=kvaughan,ou=people,dc=example,dc=com \ --bindPassword bribery << EOF dn: uid=bjensen,ou=People,dc=example,dc=com changetype: modify add: ds-rlim-size-limit ds-rlim-size-limit: 10 EOF
When Babs Jensen performs an indexed search returning more than 10 entries, she sees the following message:
$
ldapsearch \ --hostname localhost \ --port 1636 \ --useSsl \ --usePkcs12TrustStore /path/to/opendj/config/keystore \ --trustStorePasswordFile /path/to/opendj/config/keystore.pin \ --bindDN uid=bjensen,ou=people,dc=example,dc=com \ --bindPassword hifalutin \ --baseDN dc=example,dc=com \ "(sn=jensen)"
# The LDAP search request failed: 4 (Size Limit Exceeded) # Additional Information: This search operation has sent the maximum of 10 entries to the client
Give an administrator the privilege to write subentries:
$
ldapmodify \ --hostname localhost \ --port 1636 \ --useSsl \ --usePkcs12TrustStore /path/to/opendj/config/keystore \ --trustStorePasswordFile /path/to/opendj/config/keystore.pin \ --bindDN uid=admin \ --bindPassword password << EOF dn: uid=kvaughan,ou=People,dc=example,dc=com changetype: modify add: ds-privilege-name ds-privilege-name: subentry-write EOF
Notice here that the directory superuser,
uid=admin
, assigns privileges. Any administrator with theprivilege-change
privilege can assign privileges. However, if the administrator can update administrator privileges, they can assign themselves thebypass-acl
privilege. Then they are no longer bound by access control instructions, including both user data ACIs and global ACIs. For this reason, do not assign theprivilege-change
privilege to normal administrator users.Create an LDAP subentry to specify the limits using collective attributes:
$
ldapmodify \ --hostname localhost \ --port 1636 \ --useSsl \ --usePkcs12TrustStore /path/to/opendj/config/keystore \ --trustStorePasswordFile /path/to/opendj/config/keystore.pin \ --bindDN uid=kvaughan,ou=people,dc=example,dc=com \ --bindPassword bribery << EOF dn: cn=Remove Administrator Search Limits,dc=example,dc=com objectClass: collectiveAttributeSubentry objectClass: extensibleObject objectClass: subentry objectClass: top cn: Remove Administrator Search Limits ds-rlim-lookthrough-limit;collective: 0 ds-rlim-size-limit;collective: 0 ds-rlim-time-limit;collective: 0 subtreeSpecification: {base "ou=people", specificationFilter "(isMemberOf=cn=Directory Administrators,ou=Groups,dc=example,dc=com)" } EOF
The
base
entry identifies the branch that holds administrator entries. For details on how subentries apply, see "About Subentry Scope".Check the results:
$
ldapsearch \ --hostname localhost \ --port 1636 \ --useSsl \ --usePkcs12TrustStore /path/to/opendj/config/keystore \ --trustStorePasswordFile /path/to/opendj/config/keystore.pin \ --bindDN uid=kvaughan,ou=people,dc=example,dc=com \ --bindPassword bribery \ --baseDN uid=kvaughan,ou=people,dc=example,dc=com \ --searchScope base \ "(&)" \ ds-rlim-lookthrough-limit ds-rlim-time-limit ds-rlim-size-limit
dn: uid=kvaughan,ou=People,dc=example,dc=com ds-rlim-lookthrough-limit: 0 ds-rlim-size-limit: 0 ds-rlim-time-limit: 0
An LDAP persistent search maintains an open a connection that may be be idle for long periods of time. Whenever a modification changes data in the search scope, the server returns a search result. The more concurrent persistent searches, the more work the server has to do for each modification:
Set the global property
max-psearches
to limit total concurrent persistent searches.The following example limits the maximum number of persistent searchees to 30:
$
dsconfig \ set-global-configuration-prop \ --hostname localhost \ --port 4444 \ --bindDN uid=admin \ --bindPassword password \ --set max-psearches:30 \ --usePkcs12TrustStore /path/to/opendj/config/keystore \ --trustStorePasswordFile /path/to/opendj/config/keystore.pin \ --no-prompt
Connection Limits
Limit Total Connections
Each connection uses memory. On UNIX and Linux systems, each connection uses an available file descriptor.
To limit the total number of concurrent client connections that the server accepts, use the global setting max-allowed-client-connections
. The following example sets the limit to 64K. 64K is the minimum number of file descriptors that should be available to the DS server:
$ dsconfig \
set-global-configuration-prop \
--hostname localhost \
--port 4444 \
--bindDN uid=admin \
--bindPassword password \
--set max-allowed-client-connections:65536 \
--usePkcs12TrustStore /path/to/opendj/config/keystore \
--trustStorePasswordFile /path/to/opendj/config/keystore.pin \
--no-prompt
Restrict Who Can Connect
To restrict which clients can connect to the server, use the global setting allowed-client
, or denied-client
. The following example restricts access to clients from the example.com
domain:
$ dsconfig \
set-global-configuration-prop \
--hostname localhost \
--port 4444 \
--bindDN uid=admin \
--bindPassword password \
--set allowed-client:example.com \
--usePkcs12TrustStore /path/to/opendj/config/keystore \
--trustStorePasswordFile /path/to/opendj/config/keystore.pin \
--no-prompt
Set these properties per "Connection Handler"
. The settings on a connection handler override the global settings.
Limit Connections Per Client
To limit the number of concurrent connections from a client, use the global settings restricted-client
, and restricted-client-connection-limit
. The following example sets the limit for all clients on the 10.0.0.*
network to 1000 concurrent connections:
$ dsconfig \
set-global-configuration-prop \
--hostname localhost \
--port 4444 \
--bindDN uid=admin \
--bindPassword password \
--set restricted-client:"10.0.0.*" \
--set restricted-client-connection-limit:1000 \
--usePkcs12TrustStore /path/to/opendj/config/keystore \
--trustStorePasswordFile /path/to/opendj/config/keystore.pin \
--no-prompt
Set these properties per "Connection Handler"
. The settings on a connection handler override the global settings.
The server applies the properties in this order:
If the
denied-client
property is set, the server denies connections from any client matching the settings.If the
restricted-client
property is set, the server checks the number of connections from any client matching the settings.If a matching client exceeds
restricted-client-connection-limit
connections, the server refuses additional connections.If the
allowed-client
property is set, the server allows connections from any client matching the settings.If none of the properties are set, the server allows connections from any client.
Idle Time Limits
If client applications leave connections idle for long periods, you can drop their connections by setting the global configuration property idle-time-limit. By default, no idle time limit is set.
If your network is configured to drop connections that have been idle for some time, set the DS idle time limit to a lower value than the idle time limit for the network. This helps to ensure that idle connections are shut down in orderly fashion. Setting the DS limit lower than the network limit is particularly useful with networks that drop idle connections without cleanly closing the connection and notifying the client and server.
Note
DS servers do not enforce idle timeout for persistent searches.
The following example sets the idle-time-limit to 24 hours:
$ dsconfig \
set-global-configuration-prop \
--hostname localhost \
--port 4444 \
--bindDN uid=admin \
--bindPassword password \
--set idle-time-limit:24h \
--usePkcs12TrustStore /path/to/opendj/config/keystore \
--trustStorePasswordFile /path/to/opendj/config/keystore.pin \
--no-prompt
Request Size Limits
The default maximum request size is 5 MB. This is sufficient for most deployments. In cases where clients add groups with large numbers of members, requests can exceed the 5 MB limit.
The following example increases the limit to 20 MB for the LDAP connection handler:
$ dsconfig \
set-connection-handler-prop \
--hostname localhost \
--port 4444 \
--bindDN uid=admin \
--bindPassword password \
--handler-name LDAP \
--set max-request-size:20mb \
--usePkcs12TrustStore /path/to/opendj/config/keystore \
--trustStorePasswordFile /path/to/opendj/config/keystore.pin \
--no-prompt
This setting affects only the size of requests, not responses.
Limits and Proxied Authorization
Proxied authorization lets an application bind as one user and carry out LDAP operations on behalf of other users.
Resource limits do not change when the user proxies as another user. In other words, resource limits depend on the bind DN, not the proxy authorization identity.