Setting Resource Limits
This chapter shows you how to set resource limits that prevent
directory clients from using an unfair share of system resources.
Limiting Search Resources
Well-written directory client applications limit the scope of their
searches with filters that narrow the number of results returned. By default,
OpenDJ also allows only users with appropriate privileges to perform
unindexed searches.
You can further adjust limits on search operations, such
as the following.
The lookthrough limit defines the maximum
number of candidate entries OpenDJ considers when processing a
search.
The default lookthrough limit, set by using the global server
property lookthrough-limit, is 5000.
The equivalent attribute for user entries is
ds-rlim-lookthrough-limit.
The size limit sets the maximum number of
entries returned for a search.
The default size limit, set by using the global server property
size-limit, is 1000.
The equivalent attribute for user entries is
ds-rlim-size-limit.
The time limit defines the maximum processing
time OpenDJ devotes to a search operation.
The default time limit, set by using the global server property
time-limit, is 1 minute.
The equivalent attribute for user entries is
ds-rlim-time-limit.
The maximum number of persistent searches can be set using the
global server property max-psearches.
To Set Search Limits For a User
Modify the user entry to set the limits that you want to override.
$ cat limit.ldif
dn: uid=bjensen,ou=People,dc=example,dc=com
changetype: modify
add: ds-rlim-size-limit
ds-rlim-size-limit: 10
$ ldapmodify -p 1389 -D "cn=Directory Manager" -w password -f limit.ldif
Processing MODIFY request for uid=bjensen,ou=People,dc=example,dc=com
MODIFY operation successful for DN uid=bjensen,ou=People,dc=example,dc=com
Now when Babs Jensen performs a search returning more than 10
entries, she sees the following message.
Result Code: 4 (Size Limit Exceeded)
Additional Information: This search operation has sent the maximum of
10 entries to the client
To Set Search Limits For a Group
Create an LDAP subentry to specify the limits using collective
attributes.
$ cat grouplim.ldif
dn: cn=Remove Administrator Search Limits,dc=example,dc=com
objectClass: collectiveAttributeSubentry
objectClass: extensibleObject
objectClass: subentry
objectClass: top
cn: Remove Administrator Search Limits
ds-rlim-lookthrough-limit;collective: 0
ds-rlim-size-limit;collective: 0
ds-rlim-time-limit;collective: 0
subtreeSpecification: {base "ou=people", specificationFilter "
 (isMemberOf=cn=Directory Administrators,ou=Groups,dc=example,dc=com)" }
$ ldapmodify -p 1389 -D "cn=Directory Manager" -w password -a -f grouplim.ldif
Processing ADD request for
cn=Remove Administrator Search Limits,dc=example,dc=com
ADD operation successful for DN
cn=Remove Administrator Search Limits,dc=example,dc=com
Check the results.
$ ldapsearch -p 1389 -b dc=example,dc=com uid=kvaughan + | grep ds-rlim
ds-rlim-lookthrough-limit: 0
ds-rlim-time-limit: 0
ds-rlim-size-limit: 0
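Because per-user attributes and collective subentries can raise or remove the server-wide limits, it is worth reviewing an LDIF export for them periodically. The following is an added example, not part of the OpenDJ documentation: it unfolds LDIF continuation lines and reports every ds-rlim-* value that is 0 (no limit) or above the defaults stated on this page. The entry uid=reportsvc is hypothetical, and comparing the time limit as 60 assumes ds-rlim-time-limit is expressed in seconds.

```python
import re

# Server defaults stated on this page. Assumption: ds-rlim-time-limit is
# expressed in seconds, so the 1 minute default is compared as 60.
DEFAULTS = {"ds-rlim-lookthrough-limit": 5000, "ds-rlim-size-limit": 1000,
            "ds-rlim-time-limit": 60}

# Constructed sample export; uid=reportsvc is a hypothetical account.
SAMPLE_LDIF = """\
dn: uid=bjensen,ou=People,dc=example,dc=com
ds-rlim-size-limit: 10

dn: cn=Remove Administrator Search Limits,dc=example,dc=com
ds-rlim-lookthrough-limit;collective: 0
ds-rlim-size-limit;collective: 0
ds-rlim-time-limit;collective: 0
subtreeSpecification: {base "ou=people", specificationFilter "
 (isMemberOf=cn=Directory Administrators,ou=Groups,dc=example,dc=com)" }

dn: uid=reportsvc,ou=People,dc=example,dc=com
ds-rlim-size-limit: 50000
"""

def parse_entries(ldif_text):
    """Yield (dn, {attr: value}) per record, joining folded LDIF lines."""
    unfolded = re.sub(r"\r?\n ", "", ldif_text)  # continuation = leading space
    for record in re.split(r"\n\s*\n", unfolded.strip()):
        attrs = {}
        for line in record.splitlines():
            name, sep, value = line.partition(":")
            if sep and not line.startswith("#"):
                attrs[name.strip().lower()] = value.strip()
        if "dn" in attrs:
            yield attrs.pop("dn"), attrs

def audit_limits(ldif_text):
    """Return (dn, attribute, scope, finding) for lifted or raised limits."""
    findings = []
    for dn, attrs in parse_entries(ldif_text):
        for name, value in attrs.items():
            base, _, option = name.partition(";")
            if base not in DEFAULTS or not value.isdigit():
                continue
            limit = int(value)
            scope = "collective" if option == "collective" else "entry"
            if limit == 0 or limit > DEFAULTS[base]:
                kind = "unlimited" if limit == 0 else "above default"
                findings.append((dn, base, scope, kind))
    return findings
```

Calling `audit_limits(SAMPLE_LDIF)` reports the three collective limits of the administrator subentry and the raised size limit on uid=reportsvc, while the tightened limit on uid=bjensen is not reported.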
Limiting Idle Time
If you have applications that leave connections open for long
periods, OpenDJ can end up devoting resources to maintaining connections
that are no longer used. If your network does not drop such connections
eventually, you can configure OpenDJ to drop them by setting the
global configuration property, idle-time-limit. By
default, no idle time limit is set.
$ dsconfig \
 -p 4444 \
 -h `hostname` \
 -D "cn=Directory Manager" \
 -w password \
 set-global-configuration-prop \
 --set idle-time-limit:24h \
 -X -n
The example shown sets the idle time limit to 24 hours.
Limiting Maximum Request Size
The default maximum request size of 5 MB, set using the advanced
connection handler property max-request-size, is
sufficient to satisfy most client requests. Yet, there are some cases where
you might need to raise the request size limit. For example, if clients
add groups with large numbers of members, those add requests can go beyond
the 5 MB limit.
$ dsconfig \
 -p 4444 \
 -h `hostname` \
 -D "cn=Directory Manager" \
 -w password \
 set-connection-handler-prop \
 --handler-name "LDAP Connection Handler" \
 --set max-request-size:20mb \
 -X -n
The example shown sets the maximum request size on the LDAP connection
handler to 20 MB.