<!--
  ! This work is licensed under the Creative Commons
  ! Attribution-NonCommercial-NoDerivs 3.0 Unported License.
  ! To view a copy of this license, visit
  ! or send a letter to Creative Commons, 444 Castro Street,
  ! Suite 900, Mountain View, California, 94041, USA.
  ! You can also obtain a copy of the license at
  ! See the License for the specific language governing permissions
  ! and limitations under the License.
  !
  ! If applicable, add the following below this CCPL HEADER, with the fields
  ! enclosed by brackets "[]" replaced with your own identifying information:
  !      Portions Copyright [yyyy] [name of copyright owner]
  !
  !      Copyright 2011-2014 ForgeRock AS
  !
-->
<chapter xml:id='chap-resource-limits'
         xmlns='http://docbook.org/ns/docbook'
         version='5.0'>
 <title>Setting Resource Limits</title>

 <indexterm><primary>Resource limits</primary></indexterm>

 <para>This chapter shows you how to set resource limits that prevent
 directory clients from using an unfair share of system resources. Resource
 limits are the server's defense against a single client, whether buggy or
 malicious, monopolizing the directory with expensive searches, connections
 left open, or oversized requests.</para>
 <section xml:id="limit-search-resources">
  <title>Limiting Search Resources</title>

  <para>Well-written directory client applications limit the scope of their
  searches with filters that narrow the number of results returned. By default,
  OpenDJ also allows only users with the appropriate privilege
  (<literal>unindexed-search</literal>) to perform unindexed searches, so an
  ordinary account cannot force a scan of the whole backend with an unindexed
  filter.</para>

  <para>You can further adjust additional limits on search operations, such
  as the following. For each of these limits, a value of 0 means no limit.
  Keep the global defaults in place and loosen limits only on the entries or
  groups that actually need them, as the procedures below show.</para>
  <para>The <firstterm>lookthrough limit</firstterm> defines the maximum
  number of candidate entries OpenDJ considers when processing a</para>

  <para>The default lookthrough limit, set by using the global server
  property <literal>lookthrough-limit</literal>, is 5000. The lookthrough
  limit bounds the work a search costs the server, whereas the size limit
  bounds what the client receives: a search with a poorly selective filter
  can exhaust the lookthrough limit while matching only a few entries.</para>

  <para>You can override the limit for a particular user by changing the
  operational attribute, <literal>ds-rlim-lookthrough-limit</literal>, on
  the user's entry.</para>
  <para>The <firstterm>size limit</firstterm> sets the maximum number of
  entries returned for a search.</para>

  <para>The default size limit, set by using the global server property
  <literal>size-limit</literal>, is 1000.</para>

  <para>You can override the limit for a particular user by changing the
  operational attribute, <literal>ds-rlim-size-limit</literal>, on
  the user's entry.</para>
  <para>The <firstterm>time limit</firstterm> defines the maximum processing
  time OpenDJ devotes to a search operation.</para>

  <para>The default time limit, set by using the global server property
  <literal>time-limit</literal>, is 1 minute.</para>

  <para>You can override the limit for a particular user by changing the
  operational attribute, <literal>ds-rlim-time-limit</literal>, on
  the user's entry. Times for <literal>ds-rlim-time-limit</literal> are
  expressed in seconds.</para>
  <para>The <firstterm>idle time limit</firstterm> defines how long OpenDJ
  allows idle connections to remain open.</para>

  <para>No default idle time limit is set. You can set an idle time limit
  by using the global server property
  <literal>idle-time-limit</literal>.</para>

  <para>You can override the limit for a particular user by changing the
  operational attribute, <literal>ds-rlim-idle-time-limit</literal>, on
  the user's entry. Times for <literal>ds-rlim-idle-time-limit</literal>
  are expressed in seconds.</para>
  <para>The maximum number of persistent searches can be set using the
  global server property <literal>max-psearches</literal>. By default
  (<literal>-1</literal>) the number is not limited. Because connections with
  a persistent search are exempt from the idle time limit, this property is
  the only cap on how many such long-lived connections clients can hold
  open.</para>
  <procedure xml:id="set-search-limits-per-user">
   <title>To Set Search Limits For a User</title>

   <para>Change the user entry to set the limits to override. The example
   lowers the size limit for Babs Jensen to 10 entries.</para>

   <screen>$ ldapmodify --port 1389 --bindDN "cn=Directory Manager" --bindPassword password
dn: uid=bjensen,ou=People,dc=example,dc=com
changetype: modify
replace: ds-rlim-size-limit
ds-rlim-size-limit: 10

Processing MODIFY request for uid=bjensen,ou=People,dc=example,dc=com
MODIFY operation successful for DN uid=bjensen,ou=People,dc=example,dc=com</screen>

   <para>Now when Babs Jensen performs a search returning more than 10
   entries, she sees the following message.</para>

   <screen>Result Code: 4 (Size Limit Exceeded)
Additional Information: This search operation has sent the maximum of
10 entries to the client</screen>
  </procedure>

  <procedure xml:id="set-search-limits-per-group">
   <title>To Set Search Limits For a Group</title>

   <para>Create an LDAP subentry to specify the limits using collective</para>

   <para>The subentry applies to entries under <literal>ou=people</literal>
   (relative to the subentry's parent, <literal>dc=example,dc=com</literal>)
   whose <literal>isMemberOf</literal> virtual attribute matches the
   <literal>specificationFilter</literal>. Because membership of
   <literal>cn=Directory Administrators</literal> is what lifts the limits,
   protect write access to that group: anyone who can add a member to it
   removes that member's search limits.</para>

   <screen>$ ldapmodify --port 1389 --bindDN "cn=Directory Manager" --bindPassword password
dn: cn=Remove Administrator Search Limits,dc=example,dc=com
changetype: add
objectClass: top
objectClass: subentry
objectClass: collectiveAttributeSubentry
objectClass: extensibleObject
cn: Remove Administrator Search Limits
ds-rlim-lookthrough-limit;collective: 0
ds-rlim-size-limit;collective: 0
ds-rlim-time-limit;collective: 0
subtreeSpecification: {base "ou=people", specificationFilter "(isMemberOf=cn=Directory Administrators,ou=Groups,dc=example,dc=com)" }

Processing ADD request for cn=Remove Administrator Search Limits,dc=example,dc=com
ADD operation successful for DN cn=Remove Administrator Search Limits,dc=example,dc=com</screen>

   <para>Check the results by reading the operational attributes
   (<literal>+</literal>) of a member of the group.</para>

   <screen>$ ldapsearch --port 1389 --baseDN dc=example,dc=com uid=kvaughan + | grep ds-rlim
ds-rlim-lookthrough-limit: 0
ds-rlim-size-limit: 0</screen>
  </procedure>
 </section>

 <section xml:id="limit-idle-time">
  <title>Limiting Idle Time</title>

  <para>If you have applications that leave connections open for long
  periods, OpenDJ can end up devoting resources to maintaining connections
  that are no longer used. If your network does not drop such connections
  eventually, you can configure OpenDJ to drop them by setting the
  global configuration property, <literal>idle-time-limit</literal>. By
  default, no idle time limit is set, so an idle connection stays open until
  the client or the network closes it.</para>
  <para>If your network load balancer is configured to drop connections
  that have been idle for some time, set the OpenDJ idle time limit to a
  lower value than the idle timeout of the load balancer. OpenDJ then closes
  the idle connection itself, in an orderly fashion that the client sees,
  rather than the load balancer discarding its state first. This matters
  most with load balancers that drop idle connections without cleanly closing
  them and notifying the client and server: the client otherwise discovers
  that the connection is dead only when its next request times out.</para>
  <para>OpenDJ does not enforce the idle time limit for connections with
  active persistent searches. Cap those with <literal>max-psearches</literal>
  instead.</para>

  <screen>$ dsconfig
 set-global-configuration-prop
 --port 4444
 --bindDN "cn=Directory Manager"
 --bindPassword password
 --set idle-time-limit:24h
 --trustAll
 --no-prompt</screen>

  <para>The example shown sets the idle time limit to 24 hours.</para>
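  <para>The ordering rule above, as an added check that is not part of OpenDJ
  or its documentation: the Python below parses the values you would pass to
  <literal>dsconfig</literal> and to the load balancer, reports whether OpenDJ
  will close idle connections first, and suggests an
  <literal>idle-time-limit</literal> that lands a margin below the load
  balancer timeout. It assumes OpenDJ's duration syntax is an integer followed
  by one of <literal>ms</literal>, <literal>s</literal>, <literal>m</literal>,
  <literal>h</literal>, <literal>d</literal> or <literal>w</literal> with
  optional whitespace, and that 0 means no limit.</para>

  <programlisting language="python"><![CDATA[
```python
"""Check that OpenDJ's idle-time-limit expires before a load balancer's idle timeout.

Added example, not part of OpenDJ. Duration syntax assumed: an integer followed
by one of ms, s, m, h, d, w with optional whitespace, as in "24h" or "30 m";
0 means no limit, matching the chapter's "no default idle time limit is set".
"""
import re

_UNIT_SECONDS = {"ms": 0.001, "s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}
_DURATION = re.compile(r"^\s*(\d+)\s*(ms|s|m|h|d|w)\s*$", re.IGNORECASE)


def parse_duration(text):
    """Seconds for an OpenDJ-style duration, or None when it means 'no limit'."""
    match = _DURATION.match(text)
    if not match:
        raise ValueError(f"not a duration: {text!r}")
    seconds = int(match.group(1)) * _UNIT_SECONDS[match.group(2).lower()]
    return None if seconds == 0 else seconds


def check_idle_limits(opendj_limit, lb_timeout):
    """Return (ok, reason). ok is True only when OpenDJ will close an idle
    connection itself before the load balancer drops it."""
    dj, lb = parse_duration(opendj_limit), parse_duration(lb_timeout)
    if lb is None:
        return True, "load balancer never drops idle connections; the OpenDJ limit is optional"
    if dj is None:
        return False, "OpenDJ idle-time-limit is unset (0); the load balancer drops idle connections first"
    if dj >= lb:
        return False, (f"OpenDJ idle-time-limit {dj:g}s is not below the "
                       f"load balancer timeout {lb:g}s")
    return True, f"OpenDJ closes idle connections at {dj:g}s, before the load balancer at {lb:g}s"


def suggest_idle_limit(lb_timeout, margin="1m"):
    """A value for --set idle-time-limit that lands `margin` below the load
    balancer timeout, expressed in whole seconds."""
    lb, gap = parse_duration(lb_timeout), parse_duration(margin)
    if lb is None:
        raise ValueError("load balancer has no idle timeout; choose a limit by policy instead")
    seconds = int(lb - (gap or 0))
    if seconds <= 0:
        raise ValueError("margin leaves no positive idle time")
    return f"{seconds}s"


if __name__ == "__main__":
    # The chapter's 24h example behind a load balancer that drops after 30m.
    ok, reason = check_idle_limits("24h", "30m")
    print("OK" if ok else "PROBLEM", reason)
    print("suggested: --set idle-time-limit:" + suggest_idle_limit("30m"))
```
]]></programlisting>

  <para>Note that the unset case fails the check: with no OpenDJ limit at all,
  every idle connection is eventually torn down by the load balancer rather
  than by the server, which is exactly the situation the rule above is meant
  to avoid.</para>
  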
 </section>

 <section xml:id="limit-max-request-size">
  <title>Limiting Maximum Request Size</title>

  <para>The default maximum request size of 5 MB, set using the advanced
  connection handler property <literal>max-request-size</literal>, is
  sufficient to satisfy most client requests. Yet, there are some cases where
  you might need to raise the request size limit. For example, if clients
  add groups with large numbers of members, those add requests can go beyond</para>

  <para>The limit is enforced as a single LDAP message is read from the
  connection, before the request is processed, so it also bounds how much an
  unauthenticated client can make the server buffer. Raise it only on the
  connection handler that the bulk-loading clients use, and only to the size
  those requests actually need, rather than lifting the ceiling for every
  client.</para>
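  <para>To decide whether an add of a large group will exceed
  <literal>max-request-size</literal>, the following added example (not
  OpenDJ code) BER-encodes the LDAP add request the way it crosses the wire,
  as an LDAPMessage carrying an AddRequest per RFC 4511, and measures it. The
  group and member DNs are constructed, and the 5 MB default is assumed to
  mean 5,000,000 bytes.</para>

  <programlisting language="python"><![CDATA[
```python
"""Measure the on-the-wire size of an LDAP add request for a large group.

Added example, not OpenDJ code. The request is BER-encoded as an LDAPMessage
carrying an AddRequest (RFC 4511), which is the byte count max-request-size
is compared against. Group and member DNs are constructed; the 5 MB default is
assumed to mean 5,000,000 bytes.
"""

DEFAULT_MAX_REQUEST_SIZE = 5 * 1000 * 1000   # "5 MB" (assumed SI units)


def _ber_length(n):
    """Definite-form BER length: one byte below 128, else 0x80|count then big-endian bytes."""
    if n < 128:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag, content):
    return bytes([tag]) + _ber_length(len(content)) + content


def _integer(value):
    """BER INTEGER for a non-negative value (a leading zero byte keeps it positive)."""
    return _tlv(0x02, value.to_bytes(max(1, (value.bit_length() + 8) // 8), "big"))


def encode_add_request(dn, attributes, message_id=1):
    """LDAPMessage ::= SEQUENCE { messageID INTEGER, AddRequest }
    AddRequest  ::= [APPLICATION 8] SEQUENCE { entry LDAPDN,
        attributes SEQUENCE OF SEQUENCE { type OCTET STRING, vals SET OF OCTET STRING } }
    attributes: {attribute_type: [value, ...]}"""
    attr_list = b"".join(
        _tlv(0x30, _tlv(0x04, name.encode("utf-8"))
             + _tlv(0x31, b"".join(_tlv(0x04, v.encode("utf-8")) for v in values)))
        for name, values in attributes.items())
    add_request = _tlv(0x68, _tlv(0x04, dn.encode("utf-8")) + _tlv(0x30, attr_list))
    return _tlv(0x30, _integer(message_id) + add_request)


def group_add_request_size(member_count,
                           group_dn="cn=Big Group,ou=Groups,dc=example,dc=com"):
    """Bytes in the add request for a groupOfNames with member_count members
    (constructed DNs of the form uid=userNNNNNNN,ou=People,dc=example,dc=com)."""
    members = [f"uid=user{i:07d},ou=People,dc=example,dc=com" for i in range(member_count)]
    attrs = {"objectClass": ["top", "groupOfNames"], "cn": ["Big Group"], "member": members}
    return len(encode_add_request(group_dn, attrs))


def fits(member_count, max_request_size=DEFAULT_MAX_REQUEST_SIZE):
    """True when the add request stays within max_request_size."""
    return group_add_request_size(member_count) <= max_request_size


if __name__ == "__main__":
    for n in (10_000, 100_000, 120_000):
        size = group_add_request_size(n)
        verdict = "fits" if fits(n) else "exceeds"
        print(f"{n:>7} members: {size:>9,} bytes ({verdict} the 5 MB default)")
```
]]></programlisting>

  <para>With 43-byte member DNs each value costs 45 bytes on the wire, so the
  5 MB default holds roughly 110,000 members in one add; a group larger than
  that needs either a higher <literal>max-request-size</literal> on the
  handler the loader uses or, preferably, an add followed by modify
  operations that append members in batches, which keeps the per-request
  ceiling where it is.</para>
  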
  <screen>$ dsconfig
 set-connection-handler-prop
 --port 4444
 --bindDN "cn=Directory Manager"
 --bindPassword password
 --handler-name "LDAP Connection Handler"
 --set max-request-size:20mb
 --trustAll
 --no-prompt</screen>

  <para>The example shown sets the maximum request size on the LDAP connection</para>
 </section>
</chapter>