13.4. Setting Resource Limits Based on the Bind DN

Server limits for search operations are controlled by special operational attribute values set on the entry that the client application binds as. You can set the following search operation limits:
  • Look through limit. Specifies how many entries can be examined for a search operation.
  • Size limit. Specifies the maximum number of entries the server returns to a client application in response to a search operation.
  • Time limit. Specifies the maximum time the server spends processing a search operation.
  • Idle timeout. Specifies the time a connection to the server can be idle before the connection is dropped.
The resource limits set for the client application take precedence over the default resource limits set in the global server configuration.

NOTE

The Directory Manager receives unlimited resources by default.

13.4.1. Setting Resource Limits Using the Console

  1. Select the Directory tab.
  2. Browse the navigation tree in the left navigation pane, and double-click the user or role for which to set resource limits.
    The Edit Entry dialog box appears.
  3. Click Account in the left pane.
  4. Set the resource limits. There are four different limits that can be set:
    • Look through limit. The maximum number of entries examined for a search operation.
    • Size limit. The maximum number of entries the server returns to a client application in response to a search operation.
    • Time limit. The maximum time the server spends processing a search operation.
    • Idle timeout. The time a connection to the server can be idle before the connection is dropped.
    Entering a value of -1 indicates no limit.
  5. Click OK.

13.4.2. Setting Resource Limits Using the Command Line

The following operational attributes can be set on an entry from the command line. Use ldapmodify to add them to the entry:
Attribute                  Description
nsslapd-lookthroughlimit   Specifies how many entries are examined for a search operation. Giving this attribute a value of -1 indicates that there is no limit.
nsslapd-sizelimit          Specifies the maximum number of entries the server returns to a client application in response to a search operation. Giving this attribute a value of -1 indicates that there is no limit.
nsslapd-timelimit          Specifies the maximum time the server spends processing a search operation. Giving this attribute a value of -1 indicates that there is no time limit.
nsidletimeout              Specifies the time a connection to the server can be idle before the connection is dropped. The value is given in seconds. Giving this attribute a value of -1 indicates that there is no limit.
For example, this sets the size limit for Barbara Jensen by using ldapmodify[8] to modify her entry:
/usr/lib64/mozldap/ldapmodify -D "cn=directory manager" -w secret -p 389 -h server.example.com

dn: uid=bjensen,ou=people,dc=example,dc=com
changetype: modify
add: nsSizeLimit
nsSizeLimit: 500
The ldapmodify statement adds the nsSizeLimit attribute to Babs Jensen's entry and gives it a search return size limit of 500 entries.

13.4.3. Setting Resource Limits on Anonymous Binds

Resource limits are set on a user entry. An anonymous bind, obviously, doesn't have a user entry associated with it. This means that the global resource limits usually apply to anonymous operations. However, it is possible to configure resource limits specifically for anonymous binds by creating a template user entry that has resource limits, and then applying that template to anonymous binds.
  1. Create a template entry and set whatever resource limits you want to apply to anonymous binds.

    TIP

    For performance reasons, the template should be in the normal backend, not in the cn=config suffix, which doesn't use an entry cache.
    For example:
    /usr/lib64/mozldap/ldapmodify -a -D "cn=directory manager" -w secret -p 389 -h server.example.com
    
    dn: cn=anon template,ou=people,dc=example,dc=com
    objectclass: person
    objectclass: top
    cn: anon template
    sn: template
    nsSizeLimit: 250
    nsLookThroughLimit: 1000
    nsTimeLimit: 60
  2. Add the nsslapd-anonlimitsdn attribute to the server configuration entry (cn=config), pointing to the DN of the template entry. Any of the resource limits in Section 13.4.2, “Setting Resource Limits Using the Command Line” can be set on the template. For example:
    /usr/lib64/mozldap/ldapmodify -D "cn=directory manager" -w secret -p 389
    
    dn: cn=config
    changetype: modify
    add: nsslapd-anonlimitsdn
    nsslapd-anonlimitsdn: cn=anon template,ou=people,dc=example,dc=com
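The following is an added example, not part of the Directory Server guide, for checking the result of Section 13.4.2 and this procedure: it reads LDIF as ldapsearch returns it for cn=config and for the template entry, resolves the limit an anonymous bind would actually get for each attribute (template value first, otherwise the cn=config default), and flags any that end up unlimited. The LDIF below is constructed sample output and the limit values in it are assumptions.

```python
LIMITS = {  # per-entry limit attribute -> the cn=config default it overrides
    "nsSizeLimit": "nsslapd-sizelimit",
    "nsLookThroughLimit": "nsslapd-lookthroughlimit",
    "nsTimeLimit": "nsslapd-timelimit",
    "nsIdleTimeout": "nsslapd-idletimeout",
}
def norm_dn(dn): return ",".join(p.strip() for p in dn.split(",")).lower()  # no escaped commas

def parse_ldif(text):  # -> {dn: {attr: [values]}}, attribute names lower-cased
    entries, current = {}, None
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        attr, sep, value = line.partition(":")
        if not sep or value[:1] in (":", "<"):
            continue  # base64 (::) and URL (:<) values are not needed for this audit
        attr, value = attr.strip().lower(), value.strip()
        if attr == "dn":
            current = entries.setdefault(norm_dn(value), {})
        elif current is not None:
            current.setdefault(attr, []).append(value)
    return entries

def audit_anon_limits(config_ldif, template_ldif):  # -> {limit: (source, value, unlimited)}
    config = parse_ldif(config_ldif).get("cn=config", {})
    anon_dn = config.get("nsslapd-anonlimitsdn", [None])[0]
    template = parse_ldif(template_ldif).get(norm_dn(anon_dn), {}) if anon_dn else {}
    report = {}
    for attr, global_attr in LIMITS.items():
        source, value = global_attr, config.get(global_attr, ["unset"])[0]  # cn=config default
        if attr.lower() in template:  # a value on the template entry overrides it
            source, value = "template", template[attr.lower()][0]
        # -1 disables a limit; a global idle timeout of 0 also means no limit
        unlimited = value == "-1" or (attr == "nsIdleTimeout" and value == "0")
        report[attr] = (source, value, unlimited)
    return report

# Constructed sample ldapsearch output (values are assumptions, not from the guide)
CONFIG_LDIF = """dn: cn=config
nsslapd-sizelimit: 2000
nsslapd-idletimeout: 0
nsslapd-anonlimitsdn: cn=anon template,ou=people,dc=example,dc=com
"""
TEMPLATE_LDIF = """dn: cn=anon template,ou=people,dc=example,dc=com
nsSizeLimit: 250
nsLookThroughLimit: 1000
nsTimeLimit: 60
"""

if __name__ == "__main__": print(audit_anon_limits(CONFIG_LDIF, TEMPLATE_LDIF))
```

With the sample data the idle timeout is the one limit not covered by the template, so it falls back to the global value of 0 and is reported as unlimited.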