0N/A<chapter xml:id='chap-resource-limits'

0N/A xmlns='http://docbook.org/ns/docbook' version='5.0' xml:lang='en'

0N/A xmlns:xsi='http://www.w3.org/2001/XMLSchema-instance'

0N/A xsi:schemaLocation='http://docbook.org/ns/docbook

0N/A http://docbook.org/xml/5.0/xsd/docbook.xsd'>

0N/A <title>Setting Resource Limits</title>

0N/A <indexterm><primary>Resource limits</primary></indexterm>

2080N/A

0N/A <para>This chapter shows you how to set resource limits that prevent

0N/A directory clients from using an unfair share of system resources.</para>

0N/A

0N/A <section xml:id="limit-search-resources">

2080N/A <title>Limiting Search Resources</title>

0N/A

0N/A <para>Well-written directory client applications limit the scope of their

0N/A searches with filters that narrow the number of results returned. By default,

0N/A OpenDJ also only allows users with appropriate privileges to perform

0N/A unindexed searches.</para>

803N/A

0N/A <para>You can further adjust additional limits on search operations, such

0N/A as the following.</para>

0N/A <itemizedlist>

0N/A <listitem>

0N/A <para>The <firstterm>lookthrough limit</firstterm> defines the maximum

0N/A number of candidate entries OpenDJ considers when processing a

0N/A search.</para>

0N/A <para>The default lookthrough limit, set by using the global server

0N/A property <literal>lookthrough-limit</literal>, is 5000.</para>

0N/A <para>You can override the limit for a particular user by changing the

0N/A operational attribute, <literal>ds-rlim-lookthrough-limit</literal>, on

0N/A the user's entry.</para>

0N/A </listitem>

0N/A <listitem>

0N/A <para>The <firstterm>size limit</firstterm> sets the maximum number of

0N/A entries returned for a search.</para>

0N/A <para>The default size limit, set by using the global server property

0N/A <literal>size-limit</literal>, is 1000.</para>

0N/A <para>You can override the limit for a particular user by changing the

0N/A operational attribute, <literal>ds-rlim-size-limit</literal>, on

0N/A the user's entry.</para>

0N/A </listitem>

0N/A <listitem>

0N/A <para>The <firstterm>time limit</firstterm> defines the maximum processing

0N/A time OpenDJ devotes to a search operation.</para>

0N/A <para>The default time limit, set by using the global server property

0N/A <literal>time-limit</literal>, is 1 minute.</para>

0N/A <para>You can override the limit for a particular user by changing the

0N/A operational attribute, <literal>ds-rlim-time-limit</literal>, on

0N/A the user's entry. Times for <literal>ds-rlim-time-limit</literal> are

0N/A expressed in seconds.</para>

0N/A </listitem>

0N/A <listitem>

0N/A <para>The <firstterm>idle time limit</firstterm> defines how long OpenDJ

0N/A allows idle connections to remain open.</para>

2080N/A <para>No default idle time limit is set. You can set an idle time limit

2080N/A by using the global server property

<literal>idle-time-limit</literal>.</para>

<para>You can override the limit for a particular user by changing the

operational attribute, <literal>ds-rlim-idle-time-limit</literal>, on

the user's entry. Times for <literal>ds-rlim-idle-time-limit</literal>

are expressed in seconds.</para>

</listitem>

<listitem>

<para>The maximum number of persistent searches can be set using the

global server property <literal>max-psearches</literal>.</para>

</listitem>

</itemizedlist>

<procedure xml:id="set-search-limits-per-user">

<title>To Set Search Limits For a User</title>

<step>

<para>Change the user entry to set the limits to override.</para>

<screen>$ cat limit.ldif

dn: uid=bjensen,ou=People,dc=example,dc=com

changetype: modify

add: ds-rlim-size-limit

ds-rlim-size-limit: 10

$ ldapmodify

--port 1389

--bindDN "cn=Directory Manager"

--bindPassword password

--filename limit.ldif

Processing MODIFY request for uid=bjensen,ou=People,dc=example,dc=com

MODIFY operation successful for DN uid=bjensen,ou=People,dc=example,dc=com</screen>

<para>Now when Babs Jensen performs a search returning more than 10

entries, she sees the following message.</para>

<screen>Result Code: 4 (Size Limit Exceeded)

Additional Information: This search operation has sent the maximum of

10 entries to the client</screen>

</step>

</procedure>

<procedure xml:id="set-search-limits-per-group">

<title>To Set Search Limits For a Group</title>

<step>

<para>Create an LDAP subentry to specify the limits using collective

attributes.</para>

<screen>$ cat grouplim.ldif

dn: cn=Remove Administrator Search Limits,dc=example,dc=com

objectClass: collectiveAttributeSubentry

objectClass: extensibleObject

objectClass: subentry

objectClass: top

cn: Remove Administrator Search Limits

ds-rlim-lookthrough-limit;collective: 0

ds-rlim-size-limit;collective: 0

ds-rlim-time-limit;collective: 0

subtreeSpecification: {base "ou=people", specificationFilter "

(isMemberOf=cn=Directory Administrators,ou=Groups,dc=example,dc=com)" }

$ ldapmodify

--port 1389

--bindDN "cn=Directory Manager"

--bindPassword password

--defaultAdd

--filename grouplim.ldif

Processing ADD request for

cn=Remove Administrator Search Limits,dc=example,dc=com

ADD operation successful for DN

cn=Remove Administrator Search Limits,dc=example,dc=com</screen>

</step>

<step>

<para>Check the results.</para>

<screen>$ ldapsearch --port 1389 --baseDN dc=example,dc=com uid=kvaughan +|grep ds-rlim

ds-rlim-lookthrough-limit: 0

ds-rlim-time-limit: 0

ds-rlim-size-limit: 0</screen>

</step>

</procedure>

</section>

<section xml:id="limit-idle-time">

<title>Limiting Idle Time</title>

<para>If you have applications that leave connections open for long

periods, OpenDJ can end up devoting resources to maintaining connections

that are no longer used. If your network does not drop such connections

eventually, you can configure OpenDJ to drop them by setting the

global configuration property, <literal>idle-time-limit</literal>. By

default, no idle time limit is set.</para>

<para>

If your network load balancer is configured to drop connections

that have been idle for some time,

make sure you set the OpenDJ idle time limit to a lower value

than the idle time limit for the load balancer.

This helps to ensure that idle connections are shut down in orderly fashion.

Setting the OpenDJ limit lower than the load balancer limit is

particularly useful with load balancers that drop idle connections

without cleanly closing the connection and notifying the client and server.

</para>

<note>

<para>OpenDJ does not enforce idle timeout for persistent searches.</para>

</note>

<screen>$ dsconfig

set-global-configuration-prop

--port 4444

--hostname opendj.example.com

--bindDN "cn=Directory Manager"

--bindPassword password

--set idle-time-limit:24h

--trustAll

--no-prompt</screen>

<para>The example shown sets the idle time limit to 24 hours.</para>

</section>

<section xml:id="limit-max-request-size">

<title>Limiting Maximum Request Size</title>

<para>The default maximum request size of 5 MB, set using the advanced

connection handler property <literal>max-request-size</literal>, is

sufficient to satisfy most client requests. Yet, there are some cases where

you might need to raise the request size limit. For example, if clients

add groups with large numbers of members, those add requests can go beyond

the 5 MB limit.</para>

<screen>$ dsconfig

set-connection-handler-prop

--port 4444

--hostname opendj.example.com

--bindDN "cn=Directory Manager"

--bindPassword password

--handler-name "LDAP Connection Handler"

--set max-request-size:20mb

--trustAll

--no-prompt</screen>

<para>The example shown sets the maximum request size on the LDAP connection

handler to 20 MB.</para>

</section>

</chapter>