chap-resource-limits.xml revision 51607ea01068c9047391e4c8b46bc9dbd0edb7fd
<!--
 ! CCPL HEADER START
 !
 ! This work is licensed under the Creative Commons
 ! Attribution-NonCommercial-NoDerivs 3.0 Unported License.
 ! To view a copy of this license, visit
 ! http://creativecommons.org/licenses/by-nc-nd/3.0/
 ! or send a letter to Creative Commons, 444 Castro Street,
 ! Suite 900, Mountain View, California, 94041, USA.
 !
 ! You can also obtain a copy of the license at
 ! trunk/opendj3/legal-notices/CC-BY-NC-ND.txt.
 ! See the License for the specific language governing permissions
 ! and limitations under the License.
 !
 ! If applicable, add the following below this CCPL HEADER, with the fields
 ! enclosed by brackets "[]" replaced with your own identifying information:
 ! Portions Copyright [yyyy] [name of copyright owner]
 !
 ! CCPL HEADER END
 !
 ! Copyright 2011-2012 ForgeRock AS
 !
-->
<chapter xml:id='chap-resource-limits'
 xmlns='http://docbook.org/ns/docbook' version='5.0' xml:lang='en'
 xmlns:xsi='http://www.w3.org/2001/XMLSchema-instance'
 xsi:schemaLocation='http://docbook.org/ns/docbook http://docbook.org/xml/5.0/xsd/docbook.xsd'
 xmlns:xlink='http://www.w3.org/1999/xlink'
 xmlns:xinclude='http://www.w3.org/2001/XInclude'>
 <title>Setting Resource Limits</title>
 <indexterm><primary>Resource limits</primary></indexterm>

 <para>This chapter shows you how to set resource limits that prevent
 directory clients from using an unfair share of system resources.</para>

 <section xml:id="limit-search-resources">
  <title>Limiting Search Resources</title>

  <para>Well-written directory client applications limit the scope of their
  searches with filters that narrow the number of results returned. By default,
  OpenDJ also only allows users with appropriate privileges to perform
  unindexed searches.</para>

  <para>You can also adjust the following additional limits on search
  operations.</para>
  <itemizedlist>
   <listitem>
    <para>The <firstterm>lookthrough limit</firstterm> defines the maximum
    number of candidate entries OpenDJ considers when processing a
    search.</para>
    <para>The default lookthrough limit, set by using the global server
    property <literal>lookthrough-limit</literal>, is 5000.</para>
    <para>You can override the limit for a particular user by changing the
    operational attribute, <literal>ds-rlim-lookthrough-limit</literal>, on
    the user's entry.</para>
   </listitem>
   <listitem>
    <para>The <firstterm>size limit</firstterm> sets the maximum number of
    entries returned for a search.</para>
    <para>The default size limit, set by using the global server property
    <literal>size-limit</literal>, is 1000.</para>
    <para>You can override the limit for a particular user by changing the
    operational attribute, <literal>ds-rlim-size-limit</literal>, on
    the user's entry.</para>
   </listitem>
   <listitem>
    <para>The <firstterm>time limit</firstterm> defines the maximum processing
    time OpenDJ devotes to a search operation.</para>
    <para>The default time limit, set by using the global server property
    <literal>time-limit</literal>, is 1 minute.</para>
    <para>You can override the limit for a particular user by changing the
    operational attribute, <literal>ds-rlim-time-limit</literal>, on
    the user's entry. Times for <literal>ds-rlim-time-limit</literal> are
    expressed in seconds.</para>
   </listitem>
   <listitem>
    <para>The <firstterm>idle time limit</firstterm> defines how long OpenDJ
    allows idle connections to remain open.</para>
    <para>No default idle time limit is set. You can set an idle time limit
    by using the global server property
    <literal>idle-time-limit</literal>.</para>
    <para>You can override the limit for a particular user by changing the
    operational attribute, <literal>ds-rlim-idle-time-limit</literal>, on
    the user's entry. Times for <literal>ds-rlim-idle-time-limit</literal>
    are expressed in seconds.</para>
   </listitem>
   <listitem>
    <para>The maximum number of persistent searches can be set by using the
    global server property <literal>max-psearches</literal>.</para>
   </listitem>
  </itemizedlist>
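  <para>The following Python model is an added illustration; it is not OpenDJ
  code and does not appear in the original guide. It shows how the three
  per-search limits listed above differ: the lookthrough limit counts every
  candidate entry the server examines, the size limit counts only entries
  actually sent to the client, and the time limit bounds processing time. The
  defaults and the <literal>ds-rlim-*</literal> override attributes are the
  chapter's; the sample users, the simulated per-candidate processing cost, and
  the choice of result codes for the time and lookthrough cases
  (<literal>timeLimitExceeded</literal> 3 and
  <literal>adminLimitExceeded</literal> 11, standard LDAP codes) are assumptions
  of the model.</para>
<programlisting><![CDATA[
```python
"""Model of how OpenDJ search limits interact (added example, not OpenDJ code).
Global defaults are the chapter's values; a ds-rlim-* attribute on the user's
entry overrides the matching global property; a value of 0 means no limit.
"""
from typing import Callable, Dict, List, Tuple

# Standard LDAP result codes (RFC 4511). The chapter shows sizeLimitExceeded (4);
# using timeLimitExceeded (3) and adminLimitExceeded (11) for the time and
# lookthrough cases is an assumption of this model.
SUCCESS = 0
TIME_LIMIT_EXCEEDED = 3
SIZE_LIMIT_EXCEEDED = 4
ADMIN_LIMIT_EXCEEDED = 11

# Global server properties with the defaults given in the chapter
# (time-limit is 1 minute, kept in seconds to match ds-rlim-time-limit).
GLOBAL_DEFAULTS: Dict[str, int] = {
    "lookthrough-limit": 5000,
    "size-limit": 1000,
    "time-limit": 60,
}

# Global property -> operational attribute that overrides it on a user entry.
USER_OVERRIDE_ATTR: Dict[str, str] = {
    "lookthrough-limit": "ds-rlim-lookthrough-limit",
    "size-limit": "ds-rlim-size-limit",
    "time-limit": "ds-rlim-time-limit",
}

Entry = Dict[str, str]


def effective_limit(prop: str, user_entry: Entry,
                    global_config: Dict[str, int] = GLOBAL_DEFAULTS) -> int:
    """Limit in force for this user: the per-user override when present,
    otherwise the global property. A value of 0 disables the limit."""
    attr = USER_OVERRIDE_ATTR[prop]
    if attr in user_entry:
        value = int(user_entry[attr])
        if value < 0:
            raise ValueError(f"{attr} must be >= 0, got {value}")
        return value
    return global_config[prop]


def make_entries(count: int, prefix: str = "user") -> List[Entry]:
    """Constructed sample entries under ou=People, used as search candidates."""
    return [{"dn": f"uid={prefix}{i},ou=People,dc=example,dc=com",
             "uid": f"{prefix}{i}"} for i in range(count)]


def run_search(user_entry: Entry, candidates: List[Entry],
               matches: Callable[[Entry], bool], seconds_per_candidate: float = 0.0,
               global_config: Dict[str, int] = GLOBAL_DEFAULTS) -> Tuple[int, List[Entry], str]:
    """Walk the candidate entries the way the server would and stop at the
    first limit hit. Returns (result code, entries sent, diagnostic text)."""
    lookthrough = effective_limit("lookthrough-limit", user_entry, global_config)
    size = effective_limit("size-limit", user_entry, global_config)
    time_limit = effective_limit("time-limit", user_entry, global_config)
    sent: List[Entry] = []
    considered = 0
    elapsed = 0.0
    for entry in candidates:
        # The lookthrough limit counts every candidate examined, matching or not.
        if lookthrough and considered >= lookthrough:
            return (ADMIN_LIMIT_EXCEEDED, sent,
                    f"lookthrough limit of {lookthrough} candidate entries reached")
        considered += 1
        elapsed += seconds_per_candidate  # simulated processing time
        if time_limit and elapsed > time_limit:
            return (TIME_LIMIT_EXCEEDED, sent,
                    f"time limit of {time_limit} seconds exceeded")
        if not matches(entry):
            continue
        # The size limit counts only entries actually returned to the client.
        if size and len(sent) >= size:
            return (SIZE_LIMIT_EXCEEDED, sent,
                    f"This search operation has sent the maximum of {size} entries to the client")
        sent.append(entry)
    return (SUCCESS, sent, "")


# Sample users (constructed): Babs Jensen as modified in the chapter, an
# administrator whose limits are all 0, and a user with no overrides.
BJENSEN: Entry = {"dn": "uid=bjensen,ou=People,dc=example,dc=com",
                  "ds-rlim-size-limit": "10"}
KVAUGHAN: Entry = {"dn": "uid=kvaughan,ou=People,dc=example,dc=com",
                   "ds-rlim-lookthrough-limit": "0", "ds-rlim-size-limit": "0",
                   "ds-rlim-time-limit": "0"}
REGULAR: Entry = {"dn": "uid=regular,ou=People,dc=example,dc=com"}

if __name__ == "__main__":
    code, sent, info = run_search(BJENSEN, make_entries(25), lambda e: True)
    print(f"bjensen: result {code}, {len(sent)} entries sent, {info}")
```
]]></programlisting>
  <para>Running the model for a user with no overrides against 6000 candidates
  of which only the last matches shows why the lookthrough limit matters for
  unindexed searches: the server gives up after 5000 candidates and returns
  nothing, whereas the same search for an administrator whose limits are 0
  completes.</para>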

  <procedure xml:id="set-search-limits-per-user">
   <title>To Set Search Limits For a User</title>
   <step>
    <para>Modify the user entry to set the limits you want to override.</para>
    <screen>$ cat limit.ldif
dn: uid=bjensen,ou=People,dc=example,dc=com
changetype: modify
add: ds-rlim-size-limit
ds-rlim-size-limit: 10

$ ldapmodify \
 --port 1389 \
 --bindDN "cn=Directory Manager" \
 --bindPassword password \
 --filename limit.ldif
Processing MODIFY request for uid=bjensen,ou=People,dc=example,dc=com
MODIFY operation successful for DN uid=bjensen,ou=People,dc=example,dc=com</screen>

    <para>Now when Babs Jensen performs a search that would return more than
    10 entries, she sees the following message.</para>

    <screen>Result Code: 4 (Size Limit Exceeded)
Additional Information: This search operation has sent the maximum of
 10 entries to the client</screen>
   </step>
  </procedure>

  <procedure xml:id="set-search-limits-per-group">
   <title>To Set Search Limits For a Group</title>
   <step>
    <para>Create an LDAP subentry that specifies the limits using collective
    attributes. A value of 0 removes the corresponding limit for the entries
    the subentry applies to.</para>
    <screen>$ cat grouplim.ldif
dn: cn=Remove Administrator Search Limits,dc=example,dc=com
objectClass: collectiveAttributeSubentry
objectClass: extensibleObject
objectClass: subentry
objectClass: top
cn: Remove Administrator Search Limits
ds-rlim-lookthrough-limit;collective: 0
ds-rlim-size-limit;collective: 0
ds-rlim-time-limit;collective: 0
subtreeSpecification: {base "ou=people", specificationFilter "
 (isMemberOf=cn=Directory Administrators,ou=Groups,dc=example,dc=com)" }

$ ldapmodify \
 --port 1389 \
 --bindDN "cn=Directory Manager" \
 --bindPassword password \
 --defaultAdd \
 --filename grouplim.ldif
Processing ADD request for
 cn=Remove Administrator Search Limits,dc=example,dc=com
ADD operation successful for DN
 cn=Remove Administrator Search Limits,dc=example,dc=com</screen>
   </step>
   <step>
    <para>Check the results on a member of the group.</para>
    <screen>$ ldapsearch --port 1389 --baseDN dc=example,dc=com uid=kvaughan + | grep ds-rlim
ds-rlim-lookthrough-limit: 0
ds-rlim-time-limit: 0
ds-rlim-size-limit: 0</screen>
   </step>
  </procedure>
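  <para>The following Python example is added here to show which entries a
  collective attribute subentry such as <filename>grouplim.ldif</filename>
  selects, and what <literal>ds-rlim-*</literal> values those entries end up
  with; it is not OpenDJ code. It simplifies the subtree specification rules:
  the <literal>base</literal> is resolved relative to the subentry's parent
  entry, <literal>specificationFilter</literal> is handled only as a single
  equality filter like the one in the chapter, DNs are assumed to contain no
  escaped commas, and a value already present on an entry is assumed to take
  precedence over the collective value. The sample users are
  constructed.</para>
<programlisting><![CDATA[
```python
"""Added example (not OpenDJ code): evaluate which entries a collective
attribute subentry like grouplim.ldif applies to, and merge its ;collective
attributes into them. Simplifying assumptions: base is relative to the
subentry's parent, specificationFilter is one equality filter, DNs have no
escaped commas, and an entry's own value wins over the collective value.
"""
import re
from typing import Dict, List, Optional, Tuple

Entry = Dict[str, object]


def parse_subtree_specification(spec: str) -> Tuple[str, Optional[str]]:
    """Extract the base and specificationFilter from the subset of
    subtreeSpecification syntax used in the chapter."""
    base = re.search(r'base\s+"([^"]*)"', spec)
    flt = re.search(r'specificationFilter\s+"([^"]*)"', spec)
    return (base.group(1) if base else "", flt.group(1) if flt else None)


def _rdns(dn: str) -> List[str]:
    # Normalise a DN to lower-cased RDN components (no escaped-comma support).
    return [rdn.strip().lower() for rdn in dn.split(",") if rdn.strip()]


def parent_dn(dn: str) -> str:
    """DN of the entry above `dn`; for a subentry this is the administrative point."""
    return ",".join(dn.split(",")[1:]).strip()


def in_scope(entry_dn: str, base_dn: str) -> bool:
    """True when entry_dn is base_dn itself or lies below it."""
    e, b = _rdns(entry_dn), _rdns(base_dn)
    return len(e) >= len(b) and e[len(e) - len(b):] == b


def matches_equality_filter(entry: Entry, ldap_filter: str) -> bool:
    """Evaluate a single (attr=value) filter against an entry, matching the
    attribute name and (DN-valued) value case-insensitively."""
    m = re.fullmatch(r"\(([A-Za-z][\w-]*)=(.+)\)", ldap_filter)
    if m is None:
        raise ValueError(f"unsupported filter: {ldap_filter}")
    attr, wanted = m.group(1).lower(), m.group(2).lower()
    for name, values in entry.items():
        if name.lower() != attr:
            continue
        vals = values if isinstance(values, list) else [values]
        return any(str(v).lower() == wanted for v in vals)
    return False


def apply_subentry(subentry: Entry, entries: List[Entry]) -> List[Entry]:
    """Return copies of `entries` with the subentry's ;collective attributes
    merged into each entry the subtree specification selects."""
    admin_point = parent_dn(str(subentry["dn"]))
    base, flt = parse_subtree_specification(str(subentry["subtreeSpecification"]))
    scope_dn = f"{base},{admin_point}" if base else admin_point
    collective = {name.split(";")[0]: value
                  for name, value in subentry.items() if ";collective" in name}
    result = []
    for entry in entries:
        merged = dict(entry)
        if in_scope(str(entry["dn"]), scope_dn) and \
                (flt is None or matches_equality_filter(entry, flt)):
            for name, value in collective.items():
                merged.setdefault(name, value)  # real value on the entry wins
        result.append(merged)
    return result


# The subentry from grouplim.ldif, with the folded LDIF line joined.
SUBENTRY: Entry = {
    "dn": "cn=Remove Administrator Search Limits,dc=example,dc=com",
    "objectClass": ["collectiveAttributeSubentry", "extensibleObject", "subentry", "top"],
    "cn": "Remove Administrator Search Limits",
    "ds-rlim-lookthrough-limit;collective": "0",
    "ds-rlim-size-limit;collective": "0",
    "ds-rlim-time-limit;collective": "0",
    "subtreeSpecification": '{base "ou=people", specificationFilter '
                            '"(isMemberOf=cn=Directory Administrators,ou=Groups,dc=example,dc=com)" }',
}

# Constructed sample users: an administrator under ou=People, Babs Jensen with
# her own size limit, and an administrator outside the subentry's base.
SAMPLE_ENTRIES: List[Entry] = [
    {"dn": "uid=kvaughan,ou=People,dc=example,dc=com", "uid": "kvaughan",
     "isMemberOf": ["cn=Directory Administrators,ou=Groups,dc=example,dc=com"]},
    {"dn": "uid=bjensen,ou=People,dc=example,dc=com", "uid": "bjensen",
     "ds-rlim-size-limit": "10"},
    {"dn": "uid=svc-sync,ou=Services,dc=example,dc=com", "uid": "svc-sync",
     "isMemberOf": ["cn=Directory Administrators,ou=Groups,dc=example,dc=com"]},
]


def limits_for(uid: str) -> Dict[str, str]:
    """Effective ds-rlim-* values for one sample user after the subentry applies."""
    for entry in apply_subentry(SUBENTRY, SAMPLE_ENTRIES):
        if entry["uid"] == uid:
            return {k: str(v) for k, v in entry.items() if k.startswith("ds-rlim-")}
    raise KeyError(uid)


if __name__ == "__main__":
    for user in ("kvaughan", "bjensen", "svc-sync"):
        print(user, limits_for(user))
```
]]></programlisting>
  <para>The third sample user is a group member whose entry sits outside
  <literal>ou=people</literal>, so the subentry does not reach it: the
  <literal>base</literal> and the <literal>specificationFilter</literal> must
  both select an entry before its limits are removed, which is worth checking
  when a group spans several branches of the tree.</para>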
 </section>

 <section xml:id="limit-idle-time">
  <title>Limiting Idle Time</title>

  <para>If you have applications that leave connections open for long
  periods, OpenDJ can end up devoting resources to maintaining connections
  that are no longer used. If your network does not eventually drop such
  connections, you can configure OpenDJ to drop them by setting the
  global configuration property, <literal>idle-time-limit</literal>. By
  default, no idle time limit is set.</para>

  <note>
   <para>OpenDJ does not enforce the idle time limit on connections with
   persistent searches.</para>
  </note>

  <screen>$ dsconfig \
 set-global-configuration-prop \
 --port 4444 \
 --hostname opendj.example.com \
 --bindDN "cn=Directory Manager" \
 --bindPassword password \
 --set idle-time-limit:24h \
 --trustAll \
 --no-prompt</screen>

  <para>The example shown sets the idle time limit to 24 hours.</para>
 </section>

 <section xml:id="limit-max-request-size">
  <title>Limiting Maximum Request Size</title>

  <para>The default maximum request size of 5 MB, set using the advanced
  connection handler property <literal>max-request-size</literal>, is
  sufficient to satisfy most client requests. Yet there are some cases where
  you might need to raise the request size limit. For example, if clients
  add groups with large numbers of members, those add requests can go beyond
  the 5 MB limit.</para>

  <screen>$ dsconfig \
 set-connection-handler-prop \
 --port 4444 \
 --hostname opendj.example.com \
 --bindDN "cn=Directory Manager" \
 --bindPassword password \
 --handler-name "LDAP Connection Handler" \
 --set max-request-size:20mb \
 --trustAll \
 --no-prompt</screen>

  <para>The example shown sets the maximum request size on the LDAP connection
  handler to 20 MB.</para>
 </section>
</chapter>