<!--
 ! CCPL HEADER START
 !
 ! This work is licensed under the Creative Commons
 ! Attribution-NonCommercial-NoDerivs 3.0 Unported License.
 ! To view a copy of this license, visit
 ! http://creativecommons.org/licenses/by-nc-nd/3.0/
 ! or send a letter to Creative Commons, 444 Castro Street,
 ! Suite 900, Mountain View, California, 94041, USA.
 !
 ! You can also obtain a copy of the license at
 ! trunk/opendj3/legal-notices/CC-BY-NC-ND.txt.
 ! See the License for the specific language governing permissions
 ! and limitations under the License.
 !
 ! If applicable, add the following below this CCPL HEADER, with the fields
 ! enclosed by brackets "[]" replaced with your own identifying information:
 ! Portions Copyright [yyyy] [name of copyright owner]
 !
 ! CCPL HEADER END
 !
 ! Copyright 2011-2014 ForgeRock AS
 !
-->
<chapter xml:id='chap-resource-limits'
 xmlns='http://docbook.org/ns/docbook' version='5.0' xml:lang='en'
 xmlns:xsi='http://www.w3.org/2001/XMLSchema-instance'
 xsi:schemaLocation='http://docbook.org/ns/docbook
 http://docbook.org/xml/5.0/xsd/docbook.xsd'
 xmlns:xlink='http://www.w3.org/1999/xlink'>
 <title>Setting Resource Limits</title>
 <indexterm><primary>Resource limits</primary></indexterm>

 <para>This chapter shows you how to set resource limits that prevent
 directory clients from using an unfair share of system resources.</para>

 <section xml:id="limit-search-resources">
 <title>Limiting Search Resources</title>

 <para>Well-written directory client applications limit the scope of their
 searches with filters that narrow the number of results returned. By default,
 OpenDJ also only allows users with appropriate privileges to perform
 unindexed searches.</para>

 <itemizedlist>
 <para>
 You can further adjust additional limits on search operations,
 such as the following.
 </para>

 <listitem>
 <para>
 The <firstterm>lookthrough limit</firstterm> defines
 the maximum number of candidate entries OpenDJ considers
 when processing a search.
 </para>

 <para>
 The default lookthrough limit,
 set by using the global server property,
 <link
 xlink:show="new"
 xlink:href="${configRefBase}global.html#lookthrough-limit"
 ><literal>lookthrough-limit</literal></link>,
 is 5000.
 </para>

 <para>
 You can override the limit for a particular user
 by changing the operational attribute,
 <literal>ds-rlim-lookthrough-limit</literal>,
 on the user's entry.
 </para>
 </listitem>

 <listitem>
 <para>
 The <firstterm>size limit</firstterm> sets
 the maximum number of entries returned for a search.
 </para>

 <para>
 The default size limit, set by using the global server property,
 <link
 xlink:show="new"
 xlink:href="${configRefBase}global.html#size-limit"
 ><literal>size-limit</literal></link>,
 is 1000.
 </para>

 <para>
 You can override the limit for a particular user
 by changing the operational attribute,
 <literal>ds-rlim-size-limit</literal>,
 on the user's entry.
 </para>
 </listitem>
 <listitem>
 <para>
 The <firstterm>time limit</firstterm> defines
 the maximum processing time OpenDJ devotes to a search operation.
 </para>

 <para>
 The default time limit, set by using the global server property,
 <link
 xlink:show="new"
 xlink:href="${configRefBase}global.html#time-limit"
 ><literal>time-limit</literal></link>,
 is 1 minute.
 </para>

 <para>
 You can override the limit for a particular user
 by changing the operational attribute,
 <literal>ds-rlim-time-limit</literal>,
 on the user's entry.
 Times for <literal>ds-rlim-time-limit</literal> are expressed in seconds.
 </para>
 </listitem>

 <listitem>
 <para>
 The <firstterm>idle time limit</firstterm> defines
 how long OpenDJ allows idle connections to remain open.
 </para>

 <para>
 No default idle time limit is set.
 You can set an idle time limit by using the global server property,
 <link
 xlink:show="new"
 xlink:href="${configRefBase}global.html#idle-time-limit"
 ><literal>idle-time-limit</literal></link>.
 </para>

 <para>
 You can override the limit for a particular user
 by changing the operational attribute,
 <literal>ds-rlim-idle-time-limit</literal>,
 on the user's entry.
 Times for <literal>ds-rlim-idle-time-limit</literal> are expressed in seconds.
 </para>
 </listitem>

 <listitem>
 <para>
 The maximum number of persistent searches can be set
 by using the global server property,
 <link
 xlink:show="new"
 xlink:href="${configRefBase}global.html#max-psearches"
 ><literal>max-psearches</literal></link>.
 </para>
 </listitem>
 </itemizedlist>

 <procedure xml:id="set-search-limits-per-user">
 <title>To Set Search Limits For a User</title>
 <step>
 <para>Change the user entry to set the limits to override.</para>

 <screen>
$ <userinput>cat limit.ldif</userinput>
<computeroutput>dn: uid=bjensen,ou=People,dc=example,dc=com
changetype: modify
add: ds-rlim-size-limit
ds-rlim-size-limit: 10</computeroutput>

$ <userinput>ldapmodify \
 --port 1389 \
 --bindDN "cn=Directory Manager" \
 --bindPassword password \
 --filename limit.ldif</userinput>
<computeroutput>Processing MODIFY request for uid=bjensen,ou=People,dc=example,dc=com
MODIFY operation successful for DN uid=bjensen,ou=People,dc=example,dc=com</computeroutput>
 </screen>

 <para>Now when Babs Jensen performs a search returning more than 10
 entries, she sees the following message.</para>

 <programlisting language="none">
Result Code: 4 (Size Limit Exceeded)
Additional Information: This search operation has sent the maximum of
 10 entries to the client
 </programlisting>
 </step>
 </procedure>

 <procedure xml:id="set-search-limits-per-group">
 <title>To Set Search Limits For a Group</title>
 <step>
 <para>Create an LDAP subentry to specify the limits using collective
 attributes.</para>

 <screen>
$ <userinput>cat grouplim.ldif</userinput>
<computeroutput>dn: cn=Remove Administrator Search Limits,dc=example,dc=com
objectClass: collectiveAttributeSubentry
objectClass: extensibleObject
objectClass: subentry
objectClass: top
cn: Remove Administrator Search Limits
ds-rlim-lookthrough-limit;collective: 0
ds-rlim-size-limit;collective: 0
ds-rlim-time-limit;collective: 0
subtreeSpecification: {base "ou=people", specificationFilter "
 (isMemberOf=cn=Directory Administrators,ou=Groups,dc=example,dc=com)" }</computeroutput>

$ <userinput>ldapmodify \
 --port 1389 \
 --bindDN "cn=Directory Manager" \
 --bindPassword password \
 --defaultAdd \
 --filename grouplim.ldif</userinput>
<computeroutput>Processing ADD request for
 cn=Remove Administrator Search Limits,dc=example,dc=com
ADD operation successful for DN
 cn=Remove Administrator Search Limits,dc=example,dc=com</computeroutput>
 </screen>
 </step>

 <step>
 <para>Check the results.</para>

 <screen>
$ <userinput>ldapsearch --port 1389 --baseDN dc=example,dc=com uid=kvaughan +|grep ds-rlim</userinput>
<computeroutput>ds-rlim-lookthrough-limit: 0
ds-rlim-time-limit: 0
ds-rlim-size-limit: 0</computeroutput>
 </screen>
 </step>
 </procedure>
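
 <para>To review which entries carry overrides like the ones set in these two procedures, you can scan an LDIF export for <literal>ds-rlim-*</literal> attributes and compare them with the global defaults. The following Python script is an added example, not part of OpenDJ or its documentation: it handles folded LDIF lines and the <literal>;collective</literal> option, but not base64-encoded values. The function names and the sample export are constructed for illustration, and a value of 0 is assumed to mean no limit, as the subentry name above suggests.</para>

```python
# Global defaults stated in this chapter (time in seconds); 0 is assumed to mean no limit.
DEFAULTS = {
    "ds-rlim-lookthrough-limit": 5000,
    "ds-rlim-size-limit": 1000,
    "ds-rlim-time-limit": 60,
}

# Constructed sample export, modelled on the entries used in this chapter.
SAMPLE_LDIF = """\
dn: uid=bjensen,ou=People,dc=example,dc=com
ds-rlim-size-limit: 10

dn: cn=Remove Administrator Search Limits,dc=example,dc=com
ds-rlim-lookthrough-limit;collective: 0
ds-rlim-size-limit;collective: 0
ds-rlim-time-limit;collective: 0
subtreeSpecification: {base "ou=people", specificationFilter "
 (isMemberOf=cn=Directory Administrators,ou=Groups,dc=example,dc=com)" }

dn: uid=reporting,ou=People,dc=example,dc=com
ds-rlim-lookthrough-limit: 200000
"""


def unfold(text):
    """Join LDIF continuation lines (those starting with a single space)."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def parse_entries(text):
    """Yield (dn, attrs) per record; attrs maps lowercased names to value lists."""
    dn, attrs = None, {}
    for line in unfold(text) + [""]:  # the trailing "" flushes the last record
        if not line.strip():
            if dn is not None:
                yield dn, attrs
            dn, attrs = None, {}
        elif not line.startswith("#"):
            name, _, value = line.partition(":")
            if name.lower() == "dn":
                dn = value.strip()
            else:
                attrs.setdefault(name.lower(), []).append(value.strip())


def audit(text):
    """Return (dn, attribute, limit, scope, verdict) for each ds-rlim override."""
    findings = []
    for dn, attrs in parse_entries(text):
        for name, values in attrs.items():
            base, _, option = name.partition(";")
            if base in DEFAULTS:
                scope = "subentry" if option == "collective" else "entry"
                for limit in map(int, values):
                    verdict = ("unlimited" if limit == 0 else "above-default"
                               if limit > DEFAULTS[base] else "within-default")
                    findings.append((dn, base, limit, scope, verdict))
    return findings


if __name__ == "__main__":
    for dn, attr, limit, scope, verdict in audit(SAMPLE_LDIF):
        print(f"{verdict:15} {attr}={limit} ({scope}) {dn}")
```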
 </section>

 <section xml:id="limit-idle-time">
 <title>Limiting Idle Time</title>

 <para>If you have applications that leave connections open for long
 periods, OpenDJ can end up devoting resources to maintaining connections
 that are no longer used. If your network does not drop such connections
 eventually, you can configure OpenDJ to drop them by setting the
 global configuration property, <literal>idle-time-limit</literal>. By
 default, no idle time limit is set.</para>

 <para>
 If your network load balancer is configured to drop connections
 that have been idle for some time,
 make sure you set the OpenDJ idle time limit to a lower value
 than the idle time limit for the load balancer.
 This helps to ensure that idle connections are shut down in an orderly fashion.
 Setting the OpenDJ limit lower than the load balancer limit is
 particularly useful with load balancers that drop idle connections
 without cleanly closing the connection and notifying the client and server.
 </para>

 <note>
 <para>OpenDJ does not enforce idle timeout for persistent searches.</para>
 </note>

 <screen>
$ <userinput>dsconfig \
 set-global-configuration-prop \
 --port 4444 \
 --hostname opendj.example.com \
 --bindDN "cn=Directory Manager" \
 --bindPassword password \
 --set idle-time-limit:24h \
 --trustAll \
 --no-prompt</userinput>
 </screen>

 <para>The example shown sets the idle time limit to 24 hours.</para>
 </section>

 <section xml:id="limit-max-request-size">
 <title>Limiting Maximum Request Size</title>

 <para>The default maximum request size of 5 MB, set using the advanced
 connection handler property <literal>max-request-size</literal>, is
 sufficient to satisfy most client requests. Yet, there are some cases where
 you might need to raise the request size limit. For example, if clients
 add groups with large numbers of members, those add requests can go beyond
 the 5 MB limit.</para>

 <screen>
$ <userinput>dsconfig \
 set-connection-handler-prop \
 --port 4444 \
 --hostname opendj.example.com \
 --bindDN "cn=Directory Manager" \
 --bindPassword password \
 --handler-name "LDAP Connection Handler" \
 --set max-request-size:20mb \
 --trustAll \
 --no-prompt</userinput>
 </screen>

 <para>The example shown sets the maximum request size on the LDAP connection
 handler to 20 MB.</para>
 </section>
</chapter>