OpenDJ, the open source LDAP directory services in Java, defines a few global resource limits to prevent client connections or operations from abusing the server’s resources. These limits are
- the maximum number of entries returned to a search request (size-limit, default is 1000),
- the maximum amount of time to spend returning results to a client (time-limit, default is 60 seconds),
- the maximum number of entries to look through while processing a search request (lookthrough-limit, default is 5000),
- the maximum amount of time a connection can sit idle before the server disconnect it (idle-time-limit, default is unlimited).
There are default values for all of these limits in the Global configuration, but they can also be set on a per user basis. The global limits are read or set using dsconfig :
$ bin/dsconfig get-global-configuration-prop -p 4444 -X -n -h localhost \ -D cn=directory\ manager -w secret12 Property : Value(s) --------------------------------------:------------------------ bind-with-dn-requires-password : true default-password-policy : Default Password Policy disabled-privilege : - entry-cache-preload : false etime-resolution : milliseconds idle-time-limit : 0 lookthrough-limit : 5000 max-allowed-client-connections : 0 max-psearches : unlimited proxied-authorization-identity-mapper : Exact Match reject-unauthenticated-requests : false return-bind-error-messages : false save-config-on-successful-startup : true size-limit : 1000 smtp-server : - time-limit : 60 s writability-mode : enabled
The per user limits have a different LDAP attribute name and can be found or set directly in users’ entry, or through Collective Attributes. The Directory Manager entry has such specific limits set, so that everything is unlimited.
$ bin/ldapsearch -D "cn=directory manager" -w secret12 -p 1389 -X -b "cn=config" \ '(objectClass=inetOrgPerson)' ds-rlim-time-limit ds-rlim-size-limit \ ds-rlim-lookthrough-limit ds-rlim-idle-time-limit dn: cn=Directory Manager,cn=Root DNs,cn=config ds-rlim-lookthrough-limit: 0 ds-rlim-time-limit: 0 ds-rlim-idle-time-limit: 0 ds-rlim-size-limit: 0
If you decide to change the default global settings, for example the idle-time-limit, to force idle connections to be closed by the server after some time (often a smaller time than the settings of the load-balancer in between your applications and the OpenDJ servers), please remember that you might also want to change the limit for “cn=Directory Manager”, especially if your client applications are connecting with Directory Manager credentials.