Chapter 14. Finding Directory Entries

Entries in the directory can be searched for and found using any LDAP client. Most clients provide some form of search interface so that the directory can be searched easily and entry information can be easily retrieved.

14.1. Improving Search Performance through Resource Limits

With large directories, searching through every entry in the database can have a negative impact on the server performance. Effective indexing can improve the performance in certain scenarios. However, in large databases, this may still not reduce the search scope enough to improve the performance.
Reasonable limits can be set on user and client accounts to reduce the total number of entries or the total amount of time spent in an individual search, which both makes searches more responsive and improves overall server performance.
Server limits for search operations are controlled using special operational attribute values on the client application binding to the directory. You can set the following search operation limits:
  • Look through limit. Specifies how many entries can be examined for a search operation.
  • Size limit. Specifies the maximum number of entries the server returns to a client application in response to a search operation.
  • Time limit. Specifies the maximum time the server spends processing a search operation.
  • Idle timeout. Specifies the time a connection to the server can be idle before the connection is dropped.
  • Range timeout. Specifies a separate look-through limit specifically for searches using a range.
The resource limits set for the client application take precedence over the default resource limits set in the global server configuration.

Note

The Directory Manager receives unlimited resources by default, with the exception of range searches.

14.1.1. Search Performance and Resource Limits

For details, see the corresponding section in the Red Hat Directory Server Performance Tuning Guide.

14.1.2. Fine Grained ID List Size

For details, see the corresponding section in the Red Hat Directory Server Performance Tuning Guide.

14.1.3. Setting Resource Limits on a Single User

  1. Select the Directory tab.
  2. Browse the navigation tree in the left navigation pane, and double-click the user or role for which to set resource limits.
    The Edit Entry dialog box appears.
  3. Click Account in the left pane.
  4. Set the resource limits. There are four different limits that can be set:
    • Look through limit. The maximum number of entries examined for a search operation.
    • Size limit. The maximum number of entries the server returns to a client application in response to a search operation.
    • Time limit. The maximum time the server spends processing a search operation.
    • Idle timeout. The time a connection to the server can be idle before the connection is dropped.
    Entering a value of -1 indicates no limit.
  5. Click OK.

14.1.4. Setting User and Global Resource Limits Using the Command Line

More options are available when setting resource limits in the command line than through the Directory Server Console. The Directory Server Console sets user-level resource limits. Through the command line, administrators can set user-level resource limits, global resource limits, and limits for specific kinds of searches, such as simple paged and range searches. Section 13.1.3, “Overview of the Searching Algorithm” has more information on how these resource limits affect Directory Server search performance.
The following list describes the operational attributes that can be set for each entry from the command line. Use ldapmodify to add the attributes to the entry.
User-level attributes are set on the individual entries, while global configuration attributes are set in the appropriate server configuration area.
Look-through limit
Specifies how many entries are examined for a search operation. Giving this attribute a value of -1 indicates that there is no limit.
  • User-level attribute: nsLookThroughLimit
  • Global configuration:
    • Attribute: nsslapd-lookthroughlimit
    • Entry: cn=config,cn=ldbm database,cn=plugins,cn=config
Page look-through limit
As with the look-through limit, specifies how many entries are examined, but specifically for simple paged search operations. Giving this attribute a value of -1 indicates that there is no limit.
  • User-level attribute: nsPagedLookThroughLimit
  • Global configuration:
    • Attribute: nsSizeLimit
    • Entry: cn=config
Size limit
Specifies the maximum number of entries the server returns to a client application in response to a search operation. Giving this attribute a value of -1 indicates that there is no limit.
  • User-level attribute: nsSizeLimit
  • Global configuration:
    • Attribute: nsslapd-sizelimit
    • Entry: cn=config
Paged size limit
As with the size limit, specifies the maximum number of entries the server returns to a client application but only for simple paged search operations. Giving this attribute a value of -1 indicates that there is no limit.
  • User-level attribute: nsPagedSizeLimit
  • Global configuration:
    • Attribute: nsslapd-pagedsizelimit
    • Entry: cn=config
Time Limit
Specifies the maximum time the server spends processing a search operation. Giving this attribute a value of -1 indicates that there is no time limit.
  • User-level attribute: nsTimeLimit
  • Global configuration:
    • Attribute: nsslapd-timelimit
    • Entry: cn=config
Idle timeout
Specifies the time a connection to the server can be idle before the connection is dropped. The value is given in seconds. Giving this attribute a value of -1 indicates that there is no limit.
  • User-level attribute: nsidletimeout
  • Global configuration:
    • Attribute: nsslapd-idletimeout
    • Entry: cn=config
ID list scan limit
Specifies the maximum number of entry IDs loaded from an index file for search results. If the ID list size is greater than this value, the search will not use the index list but will treat the search as an unindexed search and look through the entire database.
  • User-level attribute: nsIDListScanLimit
  • Global configuration:
    • Attribute: nsslapd-idlistscanlimit
    • Entry: cn=config,cn=ldbm database,cn=plugins,cn=config
Paged ID list scan limit
As with the ID list scan limit, specifies the maximum number of entry IDs loaded from an index file for search results, but specifically for paged search operations.
  • User-level attribute: nsPagedIDListScanLimit
  • Global configuration:
    • Attribute: nsslapd-pagedidlistscanlimit
    • Entry: cn=config,cn=ldbm database,cn=plugins,cn=config
Range look-through limit
Specifies how many entries are examined for a range search operation (a search using greater-than, equal-to-or-greater-than, less-than, or equal-to-less-than operators). Giving this attribute a value of -1 indicates that there is no limit.
  • User-level attribute: not available
  • Global configuration:
    • Attribute: nsslapd-rangelookthroughlimit
    • Entry: cn=config,cn=ldbm database,cn=plugins,cn=config
For information about the parameters listed above, see their descriptions in the Red Hat Directory Server Configuration, Command, and File Reference.
For example, this sets the size limit for Barbara Jensen by using ldapmodify to modify her entry:
# ldapmodify -D "cn=Directory Manager" -W -p 389 -h server.example.com -x

dn: uid=user_name,ou=People,dc=example,dc=com
changetype: modify
add: nsSizeLimit
nsSizeLimit: 500
The ldapmodify statement adds the nsSizeLimit attribute to Babs Jensen's entry and gives it a search return size limit of 500 entries.

Note

Set an access control list (ACL) to prevent users from changing the setting. For details about ACLs, see Chapter 18, Managing Access Control.

14.1.5. Setting Resource Limits on Anonymous Binds

Resource limits are set on a user entry. An anonymous bind, obviously, does not have a user entry associated with it. This means that the global resource limits usually apply to anonymous operations. However, it is possible to configure resource limits specifically for anonymous binds by creating a template user entry that has resource limits, and then applying that template to anonymous binds.
  1. Create a template entry and set whatever resource limits you want to apply to anonymous binds.

    Note

    For performance reasons, the template should be in the normal back end, not in the cn=config suffix, which does not use an entry cache.
    For example:
    # ldapmodify -a -D "cn=Directory Manager" -W -p 389 -h server.example.com -x
    
    dn: cn=anon template,ou=people,dc=example,dc=com
    changetype: add
    objectclass: nsContainer
    objectclass: top
    cn: anon template
    nsSizeLimit: 250
    nsLookThroughLimit: 1000
    nsTimeLimit: 60
  2. On all masters in a replication topology, add the nsslapd-anonlimitsdn attribute to the server configuration, pointing to the DN of the template entry. Any of the resource limits in Section 14.1.4, “Setting User and Global Resource Limits Using the Command Line” can be set. For example:
    # ldapmodify -D "cn=Directory Manager" -W -x
    
    dn: cn=config
    changetype: modify
    add: nsslapd-anonlimitsdn
    nsslapd-anonlimitsdn: cn=anon template,ou=people,dc=example,dc=com

14.1.6. Improving Performance for Range Searches

Range searches use operators (Section 14.4.2, “Using Operators in Search Filters”) to set a bracket to search for and return an entire subset of entries within the directory. For example, this searches for every entry modified at or after midnight on January 1:
(modifyTimestamp>=20190101010101Z)
The nature of a range search is that it must evaluate every single entry within the directory to see if it is within the range given. Essentially, a range search is always an all IDs search.
For most users, the look-through limit kicks in and prevents range searches from turning into an all IDs search. This improves overall performance and speeds up range search results. However, some clients or administrative users like Directory Manager may not have a look-through limit set. In that case, a range search can take several minutes to complete or even continue indefinitely.
It is possible to set a separate range look-through limit. This allows clients and administrative users to have high look-through limits while still placing a reasonable limit on potentially expensive range searches.
This is configured in the nsslapd-rangelookthroughlimit attribute. The default value is 5000, the same as the default nsslapd-lookthroughlimit attribute value.
For example:
# ldapmodify -D "cn=Directory Manager" -W -p 389 -h server.example.com -x

dn: cn=config,cn=ldbm database,cn=plugins,cn=config
changetype: modify
replace: nsslapd-rangelookthroughlimit
nsslapd-rangelookthroughlimit: 7500
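The following Python is an added example, not Directory Server code: it models the precedence rules this chapter describes (user-level limits override global ones, -1 means unlimited, Directory Manager is unlimited except for range searches, anonymous binds use the template named by nsslapd-anonlimitsdn) and builds the ldapmodify input for setting user-level limits. The entries, global values and the anon template DN are constructed sample data.

```python
UNLIMITED = -1

# Constructed sample data: global limits and two entries, including the anon template.
GLOBAL = {
    "nsslapd-lookthroughlimit": 5000,
    "nsslapd-sizelimit": 2000,
    "nsslapd-timelimit": 3600,
    "nsslapd-idletimeout": 0,
    "nsslapd-rangelookthroughlimit": 5000,
}
ENTRIES = {
    "uid=bjensen,ou=People,dc=example,dc=com": {"nsSizeLimit": 500},
    "cn=anon template,ou=people,dc=example,dc=com": {
        "nsSizeLimit": 250, "nsLookThroughLimit": 1000, "nsTimeLimit": 60},
}
ANON_LIMITS_DN = "cn=anon template,ou=people,dc=example,dc=com"  # nsslapd-anonlimitsdn

# User-level attribute -> global attribute, as listed in section 14.1.4.
PAIRS = {
    "nsLookThroughLimit": "nsslapd-lookthroughlimit",
    "nsSizeLimit": "nsslapd-sizelimit",
    "nsTimeLimit": "nsslapd-timelimit",
    "nsidletimeout": "nsslapd-idletimeout",
}

def effective_limits(bind_dn, is_range_search=False):
    """Resolve the limits that apply to a bound identity ("" is an anonymous bind)."""
    if bind_dn == "cn=Directory Manager":
        limits = {attr: UNLIMITED for attr in PAIRS}
    else:
        entry = ENTRIES.get(ANON_LIMITS_DN if bind_dn == "" else bind_dn, {})
        limits = {user: entry.get(user, GLOBAL[glob]) for user, glob in PAIRS.items()}
    if is_range_search:
        # Range searches use the separate, global-only range look-through limit.
        limits["nsLookThroughLimit"] = GLOBAL["nsslapd-rangelookthroughlimit"]
    return limits

def is_range_filter(ldap_filter):
    """True when the filter uses the >= or <= operators that make it a range search."""
    return ">=" in ldap_filter or "<=" in ldap_filter

def limit_ldif(dn, **limits):
    """Build ldapmodify input that sets user-level limits; -1 or a non-negative int only."""
    lines = [f"dn: {dn}", "changetype: modify"]
    for attr, value in limits.items():
        if attr not in PAIRS or not isinstance(value, int) or value < -1:
            raise ValueError(f"bad limit {attr}={value!r}")
        lines += [f"replace: {attr}", f"{attr}: {value}", "-"]
    return "\n".join(lines[:-1]) + "\n"
```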