external-software/github_OpenIdentityPlatform_OpenDJ.git

			@@ -33,6 +33,138 @@

			<para>This chapter shows you how to set resource limits that prevent
			directory clients from using an unfair share of system resources.</para>

			<section>
			<title>Limiting Search Resources</title>

			<para>Well-written directory client applications limit the scope of their
			searches with filters that narrow the number of results returned. By default,
			OpenDJ also only allows users with appropriate privileges to perform
			unindexed searches.</para>

			<para>You can further adjust additional limits on search operations, such
			as the following.</para>
			<itemizedlist>
			<listitem>
			<para>The <firstterm>lookthrough limit</firstterm> defines the maximum
			number of candidate entries OpenDJ considers when processing a
			search.</para>
			<para>The default lookthrough limit, set by using the global server
			property <literal>lookthrough-limit</literal>, is 5000.</para>
			<para>The equivalent attribute for user entries is
			<literal>ds-rlim-lookthrough-limit</literal>.</para>
			</listitem>
			<listitem>
			<para>The <firstterm>size limit</firstterm> sets the maximum number of
			entries returned for a search.</para>
			<para>The default size limit, set by using the global server property
			<literal>size-limit</literal>, is 1000.</para>
			<para>The equivalent attribute for user entries is
			<literal>ds-rlim-size-limit</literal>.</para>
			</listitem>
			<listitem>
			<para>The <firstterm>time limit</firstterm> defines the maximum processing
			time OpenDJ devotes to a search operation.</para>
			<para>The default time limit, set by using the global server property
			<literal>time-limit</literal>, is 1 minute.</para>
			<para>The equivalent attribute for user entries is
			<literal>ds-rlim-time-limit</literal>.</para>
			</listitem>
			<listitem>
			<para>The maximum number of persistent searches can be set using the
			global server property <literal>max-psearches</literal>.</para>
			</listitem>
			</itemizedlist>

			<procedure>
			<title>To Set Search Limits For a User</title>
			<step>
			<para>Change the user entry to set the limits to override.</para>
			<screen width="80">$ cat limit.ldif
			dn: uid=bjensen,ou=People,dc=example,dc=com
			changetype: modify
			add: ds-rlim-size-limit
			ds-rlim-size-limit: 10

			$ ldapmodify -p 1389 -D "cn=Directory Manager" -w password -f limit.ldif
			Processing MODIFY request for uid=bjensen,ou=People,dc=example,dc=com
			MODIFY operation successful for DN uid=bjensen,ou=People,dc=example,dc=com</screen>

			<para>Now when Babs Jensen performs a search returning more than 10
			entries, she sees the following message.</para>

			<screen width="80">Result Code: 4 (Size Limit Exceeded)
			Additional Information: This search operation has sent the maximum of
			10 entries to the client</screen>
			</step>
			</procedure>

			<procedure>
			<title>To Set Search Limits For a Group</title>
			<step>
			<para>Create an LDAP subentry to specify the limits using collective
			attributes.</para>
			<screen width="80">$ cat grouplim.ldif
			dn: cn=Remove Administrator Search Limits,dc=example,dc=com
			objectClass: collectiveAttributeSubentry
			objectClass: extensibleObject
			objectClass: subentry
			objectClass: top
			cn: Remove Administrator Search Limits
			ds-rlim-lookthrough-limit;collective: 0
			ds-rlim-size-limit;collective: 0
			ds-rlim-time-limit;collective: 0
			subtreeSpecification: {base "ou=people", specificationFilter "
			(isMemberOf=cn=Directory Administrators,ou=Groups,dc=example,dc=com)" }

			$ ldapmodify -p 1389 -D "cn=Directory Manager" -w password -a -f grouplim.ldif
			Processing ADD request for
			cn=Remove Administrator Search Limits,dc=example,dc=com
			ADD operation successful for DN
			cn=Remove Administrator Search Limits,dc=example,dc=com</screen>
			</step>
			<step>
			<para>Check the results.</para>
			<screen width="80">$ ldapsearch -p 1389 -b dc=example,dc=com uid=kvaughan + \| grep ds-rlim
			ds-rlim-lookthrough-limit: 0
			ds-rlim-time-limit: 0
			ds-rlim-size-limit: 0</screen>
			</step>
			</procedure>
			</section>

			<section>
			<title>Limiting Idle Time</title>

			<para>If you have applications that leave connections open for long
			periods, OpenDJ can end up devoting resources to maintaining connections
			that are no longer used. If your network does not drop such connections
			eventually, you can configure OpenDJ to drop them by setting the
			global configuration property, <literal>idle-time-limit</literal>. By
			default, no idle time limit is set.</para>

			<screen width="80">$ dsconfig -p 4444 -h `hostname` -D "cn=Directory Manager" -w password \
			> set-global-configuration-prop --set idle-time-limit:24h -X -n</screen>

			<para>The example shown sets the idle time limit to 24 hours.</para>
			</section>

			<section>
			<title>Limiting Maximum Request Size</title>

			<para>The default maximum request size of 5 MB, set using the advanced
			connection handler property <literal>max-request-size</literal>, is
			sufficient to satisfy most client requests. Yet, there are some cases where
			you might need to raise the request size limit. For example, if clients
			add groups with large numbers of members, those add requests can go beyond
			the 5 MB limit.</para>

			<screen width="80">$ dsconfig -p 4444 -h `hostname` -D "cn=Directory Manager" -w password \
			> set-connection-handler-prop --handler-name "LDAP Connection Handler" \
			> --set max-request-size:20mb -X -n</screen>

			<para>The example shown sets the maximum request size on the LDAP connection
			handler to 20 MB.</para>
			</section>
			</chapter>