<!--
  ! This work is licensed under the Creative Commons
  ! Attribution-NonCommercial-NoDerivs 3.0 Unported License.
  ! To view a copy of this license, visit
  ! or send a letter to Creative Commons, 444 Castro Street,
  ! Suite 900, Mountain View, California, 94041, USA.
  ! You can also obtain a copy of the license at
  ! See the License for the specific language governing permissions
  ! and limitations under the License.
  ! If applicable, add the following below this CCPL HEADER, with the fields
  ! enclosed by brackets "[]" replaced with your own identifying information:
  !      Portions Copyright [yyyy] [name of copyright owner]
  !      Copyright 2011-2014 ForgeRock AS
  !
-->
<chapter xml:id='chap-resource-limits'>
 <title>Setting Resource Limits</title>

 <indexterm><primary>Resource limits</primary></indexterm>

 <para>This chapter shows you how to set resource limits that prevent
 directory clients from using an unfair share of system resources.</para>

 <section xml:id="limit-search-resources">
  <title>Limiting Search Resources</title>
  <para>Well-written directory client applications limit the scope of their
  searches with filters that narrow the number of results returned. By default,
  OpenDJ also only allows users with appropriate privileges to perform</para>

  <para>You can further adjust additional limits on search operations.</para>

  <para>The <firstterm>lookthrough limit</firstterm> defines
  the maximum number of candidate entries OpenDJ considers
  The default lookthrough limit is set by using the global server property
  <literal>lookthrough-limit</literal>.
  You can override the limit for a particular user
  by changing the operational attribute
  <literal>ds-rlim-lookthrough-limit</literal>.</para>

  <para>The <firstterm>size limit</firstterm> sets
  the maximum number of entries returned for a search.
  The default size limit is set by using the global server property
  <literal>size-limit</literal>.
  You can override the limit for a particular user
  by changing the operational attribute
  <literal>ds-rlim-size-limit</literal>.</para>

  <para>The <firstterm>time limit</firstterm> defines
  the maximum processing time OpenDJ devotes to a search operation.
  The default time limit is set by using the global server property
  <literal>time-limit</literal>.
  You can override the limit for a particular user
  by changing the operational attribute
  <literal>ds-rlim-time-limit</literal>.
  Times for <literal>ds-rlim-time-limit</literal> are expressed in seconds.</para>

  <para>The <firstterm>idle time limit</firstterm> defines
  how long OpenDJ allows idle connections to remain open.
  No default idle time limit is set.
  You can set an idle time limit by using the global server property
  <literal>idle-time-limit</literal>.
  You can override the limit for a particular user
  by changing the operational attribute
  <literal>ds-rlim-idle-time-limit</literal>.
  Times for <literal>ds-rlim-idle-time-limit</literal> are expressed in seconds.</para>

  <para>The maximum number of persistent searches can be set
  by using the global server property
  <literal>max-psearches</literal>.</para>
  <procedure xml:id="set-search-limits-per-user">
   <title>To Set Search Limits For a User</title>

   <para>Change the user entry to set the limits to override.</para>

   <screen>
<computeroutput>dn: uid=bjensen,ou=People,dc=example,dc=com
ds-rlim-size-limit: 10</computeroutput>
 --bindDN "cn=Directory Manager" \
<computeroutput>Processing MODIFY request for uid=bjensen,ou=People,dc=example,dc=com
MODIFY operation successful for DN uid=bjensen,ou=People,dc=example,dc=com</computeroutput>
   </screen>

   <para>Now when Babs Jensen performs a search returning more than 10
   entries, she sees the following message.</para>

   <programlisting language="none">
Result Code: 4 (Size Limit Exceeded)
Additional Information: This search operation has sent the maximum of
   </programlisting>
  </procedure>
  <procedure xml:id="set-search-limits-per-group">
   <title>To Set Search Limits For a Group</title>

   <para>Create an LDAP subentry to specify the limits using collective
   attributes.</para>

   <screen>
<computeroutput>dn: cn=Remove Administrator Search Limits,dc=example,dc=com
objectClass: collectiveAttributeSubentry
objectClass: extensibleObject
cn: Remove Administrator Search Limits
ds-rlim-lookthrough-limit;collective: 0
ds-rlim-size-limit;collective: 0
ds-rlim-time-limit;collective: 0
subtreeSpecification: {base "ou=people", specificationFilter "
 (isMemberOf=cn=Directory Administrators,ou=Groups,dc=example,dc=com)" }</computeroutput>
 --bindDN "cn=Directory Manager" \
<computeroutput>Processing ADD request for
 cn=Remove Administrator Search Limits,dc=example,dc=com
ADD operation successful for DN
 cn=Remove Administrator Search Limits,dc=example,dc=com</computeroutput>
   </screen>

   <para>Check the results.</para>

   <screen>
$ <userinput>ldapsearch --port 1389 --baseDN dc=example,dc=com uid=kvaughan +|grep ds-rlim</userinput>
<computeroutput>ds-rlim-lookthrough-limit: 0
ds-rlim-size-limit: 0</computeroutput>
   </screen>
  </procedure>
 </section>
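The three layers described in this section (global server properties, per-user ds-rlim-* operational attributes, and a collectiveAttributeSubentry whose subtreeSpecification selects group members) can be hard to reason about when auditing who actually ends up with which limit. The script below is an added example, not OpenDJ code: it parses the chapter's LDIF (sample entries constructed here, including a user who is a member of Directory Administrators), resolves the effective lookthrough, size and time limit for each user, and reports which users end up with no limit at all. It assumes that a value of 0 means "no limit" (inferred from the "Remove Administrator Search Limits" subentry), that an attribute set directly on the entry takes precedence over a collective value, that only simple equality filters such as (isMemberOf=...) appear in specificationFilter, and that the global defaults in GLOBAL_DEFAULTS are placeholders for the real server properties; all function names are hypothetical.

```python
"""Resolve effective OpenDJ-style search limits from LDIF (added example)."""
import re

# Constructed sample LDIF: one user with a per-user override (as in the
# per-user procedure), one Directory Administrator, and the chapter's
# collective attribute subentry.
SAMPLE_LDIF = """\
dn: uid=bjensen,ou=People,dc=example,dc=com
objectClass: inetOrgPerson
uid: bjensen
ds-rlim-size-limit: 10

dn: uid=kvaughan,ou=People,dc=example,dc=com
objectClass: inetOrgPerson
uid: kvaughan
isMemberOf: cn=Directory Administrators,ou=Groups,dc=example,dc=com

dn: cn=Remove Administrator Search Limits,dc=example,dc=com
objectClass: collectiveAttributeSubentry
objectClass: extensibleObject
cn: Remove Administrator Search Limits
ds-rlim-lookthrough-limit;collective: 0
ds-rlim-size-limit;collective: 0
ds-rlim-time-limit;collective: 0
subtreeSpecification: {base "ou=people", specificationFilter "
 (isMemberOf=cn=Directory Administrators,ou=Groups,dc=example,dc=com)" }
"""

# Constructed placeholders for the global server properties lookthrough-limit,
# size-limit and time-limit (seconds); read the real values with dsconfig.
GLOBAL_DEFAULTS = {"lookthrough": 5000, "size": 1000, "time": 60}
LIMITS = tuple(GLOBAL_DEFAULTS)


def parse_ldif(text):
    """Parse LDIF into dicts of {lower-cased attribute: [values]}.

    A line starting with a single space continues the previous line, which is
    how the subtreeSpecification value is wrapped in the chapter's LDIF."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    entries, current = [], {}
    for line in lines + [""]:          # trailing "" flushes the last entry
        if not line:
            if current:
                entries.append(current)
            current = {}
            continue
        name, _, value = line.partition(":")
        current.setdefault(name.strip().lower(), []).append(value.strip())
    return entries


def dn_parts(dn):
    """Split a DN into normalised RDNs (no support for escaped commas)."""
    return [rdn.strip().lower() for rdn in dn.split(",") if rdn.strip()]


def is_subentry(entry):
    return "collectiveattributesubentry" in map(str.lower, entry.get("objectclass", []))


def matches_filter(entry, ldap_filter):
    """Evaluate a simple equality filter such as (isMemberOf=<group dn>)."""
    m = re.fullmatch(r"\((\w[\w;-]*)=([^)]*)\)", ldap_filter.strip())
    if not m:
        raise ValueError(f"unsupported filter: {ldap_filter}")
    attr, wanted = m.group(1).lower(), m.group(2).strip().lower()
    return wanted in (v.lower() for v in entry.get(attr, []))


def subentry_applies(subentry, entry):
    """True if entry lies under the subentry's base and matches its filter.

    The base is relative to the subentry's parent (the administrative point)."""
    spec = subentry.get("subtreespecification", [""])[0]
    base = re.search(r'base\s+"([^"]*)"', spec)
    flt = re.search(r'specificationFilter\s+"([^"]*)"', spec)
    root = (dn_parts(base.group(1)) if base else []) + dn_parts(subentry["dn"][0])[1:]
    target = dn_parts(entry["dn"][0])
    in_subtree = len(target) >= len(root) and target[len(target) - len(root):] == root
    return in_subtree and (flt is None or matches_filter(entry, flt.group(1)))


def effective_limits(entry, subentries, defaults=GLOBAL_DEFAULTS):
    """Per limit: the entry's own ds-rlim-* value, else a matching collective
    value, else the global default. 0 is treated as "no limit" (assumption
    drawn from the chapter's "Remove Administrator Search Limits" subentry)."""
    result = {}
    for name in LIMITS:
        attr = f"ds-rlim-{name}-limit"
        if attr in entry:                       # assumption: real attribute wins
            result[name] = int(entry[attr][0])
            continue
        collective = [s for s in subentries
                      if f"{attr};collective" in s and subentry_applies(s, entry)]
        result[name] = int(collective[0][f"{attr};collective"][0]) if collective else defaults[name]
    return result


def audit_unlimited(entries):
    """Defender's check: which users end up with a 0 (unlimited) search limit."""
    subentries = [e for e in entries if is_subentry(e)]
    report = {}
    for entry in entries:
        if is_subentry(entry):
            continue
        unlimited = sorted(n for n, v in effective_limits(entry, subentries).items() if v == 0)
        if unlimited:
            report[entry["dn"][0]] = unlimited
    return report


if __name__ == "__main__":
    for dn, names in audit_unlimited(parse_ldif(SAMPLE_LDIF)).items():
        print(f"{dn}: no limit on {', '.join(names)}")
```

Run against an LDIF export that includes operational attributes (the `+` in the chapter's ldapsearch requests them), the report lists every user the subentry has made unlimited, which is the set you want to review when the subentry's filter is broadened or group membership changes.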
 <section xml:id="limit-idle-time">
  <title>Limiting Idle Time</title>

  <para>If you have applications that leave connections open for long
  periods, OpenDJ can end up devoting resources to maintaining connections
  that are no longer used. If your network does not drop such connections
  eventually, you can configure OpenDJ to drop them by setting the
  global configuration property, <literal>idle-time-limit</literal>. By
  default, no idle time limit is set.</para>

  <para>If your network load balancer is configured to drop connections
  that have been idle for some time,
  make sure you set the OpenDJ idle time limit to a lower value
  than the idle time limit for the load balancer.
  This helps to ensure that idle connections are shut down in an orderly fashion.
  Setting the OpenDJ limit lower than the load balancer limit is
  particularly useful with load balancers that drop idle connections
  without cleanly closing the connection and notifying the client and server.</para>

  <para>OpenDJ does not enforce idle timeout for persistent searches.</para>

  <screen>
 set-global-configuration-prop \
 --bindDN "cn=Directory Manager" \
 --set idle-time-limit:24h \
  </screen>

  <para>The example shown sets the idle time limit to 24 hours.</para>
 </section>
 <section xml:id="limit-max-request-size">
  <title>Limiting Maximum Request Size</title>

  <para>The default maximum request size of 5 MB, set using the advanced
  connection handler property <literal>max-request-size</literal>, is
  sufficient to satisfy most client requests. Yet, there are some cases where
  you might need to raise the request size limit. For example, if clients
  add groups with large numbers of members, those add requests can go beyond</para>

  <screen>
 set-connection-handler-prop \
 --bindDN "cn=Directory Manager" \
 --handler-name "LDAP Connection Handler" \
 --set max-request-size:20mb \
  </screen>

  <para>The example shown sets the maximum request size on the LDAP connection</para>