<!--
  ! CCPL HEADER START
  !
  ! This work is licensed under the Creative Commons
  ! Attribution-NonCommercial-NoDerivs 3.0 Unported License.
  ! To view a copy of this license, visit
  ! or send a letter to Creative Commons, 444 Castro Street,
  ! Suite 900, Mountain View, California, 94041, USA.
  ! You can also obtain a copy of the license at
  ! See the License for the specific language governing permissions
  ! and limitations under the License.
  !
  ! If applicable, add the following below this CCPL HEADER, with the fields
  ! enclosed by brackets "[]" replaced with your own identifying information:
  !      Portions Copyright [yyyy] [name of copyright owner]
  !
  ! CCPL HEADER END
  !
  !      Copyright 2011-2014 ForgeRock AS
  !
-->
 xmlns='http://docbook.org/ns/docbook' version='5.0' xml:lang='en'
 <indexterm><primary>Resource limits</primary></indexterm>

 <para>This chapter shows you how to set resource limits that prevent
 directory clients from using an unfair share of system resources.</para>

 <para>Well-written directory client applications limit the scope of their
 searches with filters that narrow the number of results returned. By default,
 OpenDJ also only allows users with appropriate privileges to perform
 unindexed searches.</para>
 <itemizedlist>
  <para>You can also adjust additional limits on search operations,
  such as the following.</para>

  <listitem>
   <para>Lookthrough limit:
   the maximum number of candidate entries OpenDJ considers
   when processing a search.
   The default lookthrough limit is set by using the global server property,
   <link xlink:href="${configRefBase}global.html#lookthrough-limit"
   ><literal>lookthrough-limit</literal></link>.
   You can override the limit for a particular user
   by changing the operational attribute,
   <literal>ds-rlim-lookthrough-limit</literal>,
   on the user's entry.</para>
  </listitem>

  <listitem>
   <para>Size limit:
   the maximum number of entries returned for a search.
   The default size limit is set by using the global server property,
   <literal>size-limit</literal>.
   You can override the limit for a particular user
   by changing the operational attribute,
   <literal>ds-rlim-size-limit</literal>,
   on the user's entry.</para>
  </listitem>

  <listitem>
   <para>Time limit:
   the maximum processing time OpenDJ devotes to a search operation.
   The default time limit, set by using the global server property,
   <literal>time-limit</literal>, is 1 minute.
   You can override the limit for a particular user
   by changing the operational attribute,
   <literal>ds-rlim-time-limit</literal>,
   on the user's entry.
   Times for <literal>ds-rlim-time-limit</literal> are expressed in seconds.</para>
  </listitem>

  <listitem>
   <para>Idle time limit:
   how long OpenDJ allows idle connections to remain open.
   No default idle time limit is set.
   You can set an idle time limit by using the global server property,
   <link xlink:href="${configRefBase}global.html#idle-time-limit"
   ><literal>idle-time-limit</literal></link>.
   You can override the limit for a particular user
   by changing the operational attribute,
   <literal>ds-rlim-idle-time-limit</literal>,
   on the user's entry.
   Times for <literal>ds-rlim-idle-time-limit</literal> are expressed in seconds.</para>
  </listitem>

  <listitem>
   <para>The maximum number of persistent searches can be set
   by using the global server property,
   <literal>max-psearches</literal>.</para>
  </listitem>
 </itemizedlist>
 <para>Change the user entry to set the limits to override.</para>

 <programlisting language="ldif">dn: uid=bjensen,ou=People,dc=example,dc=com
changetype: modify
add: ds-rlim-size-limit
ds-rlim-size-limit: 10</programlisting>

 <screen>$ <userinput>ldapmodify \
 --port 1389 \
 --bindDN "cn=Directory Manager" \
 --bindPassword password \
 --filename <replaceable>ldif-file</replaceable></userinput>
<computeroutput>Processing MODIFY request for uid=bjensen,ou=People,dc=example,dc=com
MODIFY operation successful for DN uid=bjensen,ou=People,dc=example,dc=com</computeroutput></screen>

 <para>Now when Babs Jensen performs a search returning more than 10
 entries, she sees the following message.</para>

 <programlisting>Result Code: 4 (Size Limit Exceeded)
Additional Information: This search operation has sent the maximum of
 10 entries to the client
 </programlisting>
 </procedure>
 <para>Create an LDAP subentry to specify the limits using collective
 attributes.</para>

 <programlisting language="ldif">dn: cn=Remove Administrator Search Limits,dc=example,dc=com
objectClass: collectiveAttributeSubentry
objectClass: extensibleObject
objectClass: subentry
objectClass: top
cn: Remove Administrator Search Limits
ds-rlim-lookthrough-limit;collective: 0
ds-rlim-size-limit;collective: 0
ds-rlim-time-limit;collective: 0
subtreeSpecification: {base "ou=people", specificationFilter "
 (isMemberOf=cn=Directory Administrators,ou=Groups,dc=example,dc=com)" }</programlisting>

 <screen>$ <userinput>ldapmodify \
 --port 1389 \
 --bindDN "cn=Directory Manager" \
 --bindPassword password \
 --defaultAdd \
 --filename <replaceable>ldif-file</replaceable></userinput>
<computeroutput>Processing ADD request for
 cn=Remove Administrator Search Limits,dc=example,dc=com
ADD operation successful for DN
 cn=Remove Administrator Search Limits,dc=example,dc=com</computeroutput></screen>

 <para>Check that the collective attributes now appear on the entry of a
 member of the group; the <literal>+</literal> requests operational
 attributes.</para>

 <screen>$ <userinput>ldapsearch --port 1389 --baseDN dc=example,dc=com uid=kvaughan +|grep ds-rlim</userinput>
<computeroutput>ds-rlim-lookthrough-limit: 0
ds-rlim-time-limit: 0
ds-rlim-size-limit: 0</computeroutput></screen>
 </procedure>
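 <para>As an added example that is not part of this guide or of OpenDJ, the
 following Python script parses the LDIF that <command>ldapsearch</command>
 prints when <literal>+</literal> is requested, unfolds continuation lines, and
 reports every entry whose <literal>ds-rlim-*</literal> attributes remove a
 limit (value 0) or override the server default, so an administrator can audit
 which accounts a subentry like the one above has freed from search limits.
 The LDIF embedded in the script is constructed for the example.</para>

```python
# Added example, not OpenDJ code: audit ds-rlim-* values on user entries from
# the LDIF that "ldapsearch ... +" prints. SAMPLE is constructed, not captured.

RLIM_ATTRS = ("ds-rlim-lookthrough-limit", "ds-rlim-size-limit",
              "ds-rlim-time-limit", "ds-rlim-idle-time-limit")

SAMPLE = """\
dn: uid=kvaughan,ou=People,dc=example,dc=com
description: limits removed for
  directory administrators
ds-rlim-lookthrough-limit: 0
ds-rlim-time-limit: 0
ds-rlim-size-limit: 0

dn: uid=bjensen,ou=People,dc=example,dc=com
ds-rlim-size-limit: 10

dn: uid=abergin,ou=People,dc=example,dc=com
cn: Anne Bergin
"""

def parse_ldif(text):
    """Return {dn: {attr: [values]}}. A line starting with a space continues
    the previous one (LDIF folding), as in the ldapmodify output above."""
    entries, dn = {}, None
    for line in text.replace("\n ", "").splitlines():  # unfold, then split
        if not line.strip():
            continue
        attr, _, value = line.partition(":")
        attr = attr.split(";")[0].strip().lower()  # drop options like ;collective
        value = value.strip()
        if attr == "dn":
            dn = value
            entries[dn] = {}
        elif dn is not None:
            entries[dn].setdefault(attr, []).append(value)
    return entries

def audit_limits(text):
    """Flag each DN whose ds-rlim-* values remove a limit (0 means unlimited)
    or override the server-wide default with an explicit number."""
    report = {}
    for dn, attrs in parse_ldif(text).items():
        findings = {a: "unlimited" if int(v[0]) == 0 else "override:" + v[0]
                    for a, v in attrs.items() if a in RLIM_ATTRS}
        if findings:
            report[dn] = findings
    return report

if __name__ == "__main__":
    print(audit_limits(SAMPLE))
```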
 </section>

 <para>If you have applications that leave connections open for long
 periods, OpenDJ can end up devoting resources to maintaining connections
 that are no longer used. If your network does not drop such connections
 eventually, you can configure OpenDJ to drop them by setting the
 global configuration property, <literal>idle-time-limit</literal>. By
 default, no idle time limit is set.</para>

 <para>If your network load balancer is configured to drop connections
 that have been idle for some time,
 make sure you set the OpenDJ idle time limit to a lower value
 than the idle time limit for the load balancer.
 This helps to ensure that idle connections are shut down in an orderly fashion.
 Setting the OpenDJ limit lower than the load balancer limit is
 particularly useful with load balancers that drop idle connections
 without cleanly closing the connection and notifying the client and server.</para>

 <para>OpenDJ does not enforce an idle timeout for persistent searches.</para>

 <screen>$ <userinput>dsconfig \
 set-global-configuration-prop \
 --port 4444 \
 --bindDN "cn=Directory Manager" \
 --bindPassword password \
 --set idle-time-limit:24h \
 --trustAll \
 --no-prompt</userinput></screen>

 <para>The example shown sets the idle time limit to 24 hours.</para>
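 <para>As an added example (not OpenDJ code or part of this guide), the
 following Python helper checks a dsconfig duration such as
 <literal>24h</literal> against a load balancer's idle timeout and reports
 whether OpenDJ will close idle connections first, as recommended above. It
 assumes the duration units <literal>ms</literal>, <literal>s</literal>,
 <literal>m</literal>, <literal>h</literal>, <literal>d</literal> and
 <literal>w</literal>, treats a missing unit as seconds, and treats a value of
 0 as the unset state described above.</para>

```python
# Added example, not OpenDJ code. Assumptions: dsconfig durations are written
# as <number><unit> with unit ms, s, m, h, d or w (a missing unit is taken as
# seconds here), and 0 means no idle time limit is set, as described above.
import re

UNIT_MS = {"ms": 1, "s": 1000, "m": 60_000, "h": 3_600_000,
           "d": 86_400_000, "w": 604_800_000}

def duration_ms(value):
    """Convert a duration such as "24h", "30 m" or "1500ms" to milliseconds."""
    m = re.fullmatch(r"\s*(\d+)\s*(ms|s|m|h|d|w)?\s*", value)
    if not m:
        raise ValueError(f"not a dsconfig duration: {value!r}")
    return int(m.group(1)) * UNIT_MS[m.group(2) or "s"]

def check_idle_limits(opendj_idle, lb_idle):
    """Classify the OpenDJ idle-time-limit against the load balancer timeout:
    'ok' when OpenDJ closes idle connections first, 'unset' when OpenDJ never
    does (the load balancer drops them, possibly without a clean close), and
    'not-lower' when OpenDJ would act only after the load balancer has."""
    opendj, lb = duration_ms(opendj_idle), duration_ms(lb_idle)
    if opendj == 0:
        return "unset"
    return "ok" if opendj < lb else "not-lower"
```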
 </section>

 <para>The default maximum request size of 5 MB, set using the advanced
 connection handler property <literal>max-request-size</literal>, is
 sufficient to satisfy most client requests. Yet, there are some cases where
 you might need to raise the request size limit. For example, if clients
 add groups with large numbers of members, those add requests can go beyond
 the 5 MB limit.</para>

 <screen>$ <userinput>dsconfig \
 set-connection-handler-prop \
 --port 4444 \
 --bindDN "cn=Directory Manager" \
 --bindPassword password \
 --handler-name "LDAP Connection Handler" \
 --set max-request-size:20mb \
 --trustAll \
 --no-prompt</userinput></screen>

 <para>The example shown sets the maximum request size on the LDAP connection
 handler to 20 MB.</para>
 </section>