From 096f40f37444483d1ae39f36664409f5b018b6bb Mon Sep 17 00:00:00 2001
From: Mark Craig <mark.craig@forgerock.com>
Date: Fri, 17 Jun 2011 10:45:19 +0000
Subject: [PATCH] Draft chapter on setting resource limits
---
opendj3/src/main/docbkx/admin-guide/chap-resource-limits.xml | 132 ++++++++++++++++++++++++++++++++++++++++++++
1 files changed, 132 insertions(+), 0 deletions(-)
diff --git a/opendj3/src/main/docbkx/admin-guide/chap-resource-limits.xml b/opendj3/src/main/docbkx/admin-guide/chap-resource-limits.xml
index c048a29..f0e7f31 100644
--- a/opendj3/src/main/docbkx/admin-guide/chap-resource-limits.xml
+++ b/opendj3/src/main/docbkx/admin-guide/chap-resource-limits.xml
@@ -33,6 +33,138 @@
<para>This chapter shows you how to set resource limits that prevent
directory clients from using an unfair share of system resources.</para>
+
+ <section>
+ <title>Limiting Search Resources</title>
+
+ <para>Well-written directory client applications limit the scope of their
+ searches with filters that narrow the number of results returned. By default,
+ OpenDJ also only allows users with appropriate privileges to perform
+ unindexed searches.</para>
+
+ <para>You can further adjust additional limits on search operations, such
+ as the following.</para>
+ <itemizedlist>
+ <listitem>
+ <para>The <firstterm>lookthrough limit</firstterm> defines the maximum
+ number of candidate entries OpenDJ considers when processing a
+ search.</para>
+ <para>The default lookthrough limit, set by using the global server
+ property <literal>lookthrough-limit</literal>, is 5000.</para>
+ <para>The equivalent attribute for user entries is
+ <literal>ds-rlim-lookthrough-limit</literal>.</para>
+ </listitem>
+ <listitem>
+ <para>The <firstterm>size limit</firstterm> sets the maximum number of
+ entries returned for a search.</para>
+ <para>The default size limit, set by using the global server property
+ <literal>size-limit</literal>, is 1000.</para>
+ <para>The equivalent attribute for user entries is
+ <literal>ds-rlim-size-limit</literal>.</para>
+ </listitem>
+ <listitem>
+ <para>The <firstterm>time limit</firstterm> defines the maximum processing
+ time OpenDJ devotes to a search operation.</para>
+ <para>The default time limit, set by using the global server property
+ <literal>time-limit</literal>, is 1 minute.</para>
+ <para>The equivalent attribute for user entries is
+ <literal>ds-rlim-time-limit</literal>.</para>
+ </listitem>
+ <listitem>
+ <para>The maximum number of persistent searches can be set using the
+ global server property <literal>max-psearches</literal>.</para>
+ </listitem>
+ </itemizedlist>
+
+ <procedure>
+ <title>To Set Search Limits For a User</title>
+ <step>
+ <para>Change the user entry to set the limits to override.</para>
+ <screen width="80">$ cat limit.ldif
+dn: uid=bjensen,ou=People,dc=example,dc=com
+changetype: modify
+add: ds-rlim-size-limit
+ds-rlim-size-limit: 10
+$ ldapmodify -p 1389 -D "cn=Directory Manager" -w password -f limit.ldif
+Processing MODIFY request for uid=bjensen,ou=People,dc=example,dc=com
+MODIFY operation successful for DN uid=bjensen,ou=People,dc=example,dc=com</screen>
+
+ <para>Now when Babs Jensen performs a search returning more than 10
+ entries, she sees the following message.</para>
+
+ <screen width="80">Result Code: 4 (Size Limit Exceeded)
+Additional Information: This search operation has sent the maximum of
+ 10 entries to the client</screen>
+ </step>
+ </procedure>
+
+ <procedure>
+ <title>To Set Search Limits For a Group</title>
+ <step>
+ <para>Create an LDAP subentry to specify the limits using collective
+ attributes.</para>
+ <screen width="80">$ cat grouplim.ldif
+dn: cn=Remove Administrator Search Limits,dc=example,dc=com
+objectClass: collectiveAttributeSubentry
+objectClass: extensibleObject
+objectClass: subentry
+objectClass: top
+cn: Remove Administrator Search Limits
+ds-rlim-lookthrough-limit;collective: 0
+ds-rlim-size-limit;collective: 0
+ds-rlim-time-limit;collective: 0
+subtreeSpecification: {base "ou=people", specificationFilter "
+ (isMemberOf=cn=Directory Administrators,ou=Groups,dc=example,dc=com)" }
+
+$ ldapmodify -p 1389 -D "cn=Directory Manager" -w password -a -f grouplim.ldif
+Processing ADD request for
+ cn=Remove Administrator Search Limits,dc=example,dc=com
+ADD operation successful for DN
+ cn=Remove Administrator Search Limits,dc=example,dc=com</screen>
+ </step>
+ <step>
+ <para>Check the results.</para>
+ <screen width="80">$ ldapsearch -p 1389 -b dc=example,dc=com uid=kvaughan + | grep ds-rlim
+ds-rlim-lookthrough-limit: 0
+ds-rlim-time-limit: 0
+ds-rlim-size-limit: 0</screen>
+ </step>
+ </procedure>
+ </section>
+
+ <section>
+ <title>Limiting Idle Time</title>
+
+ <para>If you have applications that leave connections open for long
+ periods, OpenDJ can end up devoting resources to maintaining connections
+ that are no longer used. If your network does not drop such connections
+ eventually, you can configure OpenDJ to drop them by setting the
+ global configuration property, <literal>idle-time-limit</literal>. By
+ default, no idle time limit is set.</para>
+
+ <screen width="80">$ dsconfig -p 4444 -h `hostname` -D "cn=Directory Manager" -w password \
+> set-global-configuration-prop --set idle-time-limit:24h -X -n</screen>
+
+ <para>The example shown sets the idle time limit to 24 hours.</para>
+ </section>
+
+ <section>
+ <title>Limiting Maximum Request Size</title>
+
+ <para>The default maximum request size of 5 MB, set using the advanced
+ connection handler property <literal>max-request-size</literal>, is
+ sufficient to satisfy most client requests. Yet, there are some cases where
+ you might need to raise the request size limit. For example, if clients
+ add groups with large numbers of members, those add requests can go beyond
+ the 5 MB limit.</para>
+
+ <screen width="80">$ dsconfig -p 4444 -h `hostname` -D "cn=Directory Manager" -w password \
+> set-connection-handler-prop --handler-name "LDAP Connection Handler" \
+> --set max-request-size:20mb -X -n</screen>
+
+ <para>The example shown sets the maximum request size on the LDAP connection
+ handler to 20 MB.</para>
+ </section>
</chapter>
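Review bot: the "To Set Search Limits For a Group" procedure sets ds-rlim-lookthrough-limit, ds-rlim-size-limit and ds-rlim-time-limit to 0 for the Directory Administrators group, but nothing in the chapter tells the reader that 0 means "no limit"; since the point of the chapter is to stop clients from consuming an unfair share of resources, the text should say explicitly that a value of 0 removes the limit entirely for every entry matched by the subentry, and that this should be reserved for trusted administrative accounts. Two smaller gaps in the same procedure: the "Check the results" step searches `uid=kvaughan` without ever stating that Kirsten Vaughan is a member of `cn=Directory Administrators,ou=Groups,dc=example,dc=com`, so the reader cannot see why the collective values appear on her entry (one sentence before the ldapsearch would fix it), and the `subtreeSpecification` uses `base "ou=people"`, which is resolved relative to the subentry's parent `dc=example,dc=com`; it is worth saying so, because a reader who moves the subentry elsewhere will silently change which users lose their limits. Finally, the user-level and global examples never state how the three scopes interact; a sentence such as "A limit set on the user entry or via a collective attribute overrides the global server property for that user" would make the override model clear before the first procedure.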
--
Gitblit v1.10.0