13.1. Limiting Search Resources

Well-written directory client applications limit the scope of their searches with filters that narrow the number of results returned. By default, OpenDJ also allows only users with the appropriate privilege to perform unindexed searches.

You can also adjust the following additional limits on search operations.

  • The lookthrough limit defines the maximum number of candidate entries OpenDJ considers when processing a search.

    The default lookthrough limit, set by using the global server property lookthrough-limit, is 5000.

    You can override the limit for a particular user by changing the operational attribute, ds-rlim-lookthrough-limit, on the user's entry.

  • The size limit sets the maximum number of entries returned for a search.

    The default size limit, set by using the global server property size-limit, is 1000.

    You can override the limit for a particular user by changing the operational attribute, ds-rlim-size-limit, on the user's entry.

  • The time limit defines the maximum processing time OpenDJ devotes to a search operation.

    The default time limit, set by using the global server property time-limit, is 1 minute.

    You can override the limit for a particular user by changing the operational attribute, ds-rlim-time-limit, on the user's entry. Times for ds-rlim-time-limit are expressed in seconds.

  • The idle time limit defines how long OpenDJ allows idle connections to remain open.

    No default idle time limit is set. You can set an idle time limit by using the global server property idle-time-limit.

    You can override the limit for a particular user by changing the operational attribute, ds-rlim-idle-time-limit, on the user's entry. Times for ds-rlim-idle-time-limit are expressed in seconds.

  • The maximum number of persistent searches can be set using the global server property max-psearches.
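To make the interplay of these limits concrete, here is an added Python model (not OpenDJ code and not part of this guide) of how one search is checked against the lookthrough, size and time limits, together with the override rule the list above describes: a ds-rlim-* attribute on the user entry beats the global property, and a value of 0 disables the limit. It assumes the LDAP result codes from RFC 4511 (3 timeLimitExceeded, 4 sizeLimitExceeded, 11 adminLimitExceeded), assumes that an exhausted lookthrough limit is reported as adminLimitExceeded, and charges a constructed per-candidate cost in milliseconds for the time limit. The sample entries, the parse_ldif_entry and simulate_search helpers and the users_without_limits audit helper are all constructed for this example.

```python
# Added example (not OpenDJ code): a model of how the lookthrough, size and time limits
# apply to one search, plus the override rule (user ds-rlim-* beats the global property,
# 0 = no limit). Assumptions: RFC 4511 result codes (3 timeLimitExceeded,
# 4 sizeLimitExceeded, 11 adminLimitExceeded); an exhausted lookthrough limit is assumed
# to surface as adminLimitExceeded; the per-candidate cost in milliseconds is constructed.
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

# Global defaults named on this page; time-limit (1 minute) expressed in seconds.
GLOBAL_DEFAULTS: Dict[str, int] = {"lookthrough-limit": 5000, "size-limit": 1000, "time-limit": 60}

# Per-user operational attribute -> global server property it overrides.
USER_OVERRIDES = {
    "ds-rlim-lookthrough-limit": "lookthrough-limit",
    "ds-rlim-size-limit": "size-limit",
    "ds-rlim-time-limit": "time-limit",
}

SUCCESS, TIME_LIMIT_EXCEEDED, SIZE_LIMIT_EXCEEDED, ADMIN_LIMIT_EXCEEDED = 0, 3, 4, 11


def parse_ldif_entry(ldif_text: str) -> Dict[str, List[str]]:
    """Turn one LDIF entry (e.g. ldapsearch output) into {attribute: [values]}.
    A line starting with a space continues the previous line, as LDIF folding requires."""
    unfolded: List[str] = []
    for line in ldif_text.splitlines():
        if line.startswith(" ") and unfolded:
            unfolded[-1] += line[1:]
        elif line.strip():
            unfolded.append(line)
    attrs: Dict[str, List[str]] = {}
    for line in unfolded:
        name, sep, value = line.partition(":")
        if sep:
            attrs.setdefault(name.strip().lower(), []).append(value.strip())
    return attrs


def effective_limits(entry: Dict[str, List[str]],
                     defaults: Dict[str, int] = GLOBAL_DEFAULTS) -> Dict[str, Optional[int]]:
    """Resolve the limits that apply to a user: a ds-rlim-* attribute on the entry
    overrides the global property, and a value of 0 disables the limit (returned as None)."""
    limits: Dict[str, Optional[int]] = {}
    for attr, prop in USER_OVERRIDES.items():
        value = int(entry[attr][0]) if attr in entry else defaults[prop]
        limits[prop] = None if value == 0 else value
    return limits


@dataclass
class SearchOutcome:
    entries_sent: int
    candidates_checked: int
    result_code: int


def simulate_search(candidates: Iterable[bool], limits: Dict[str, Optional[int]],
                    cost_ms_per_candidate: int = 0) -> SearchOutcome:
    """Apply the three limits to a search. `candidates` yields True for each candidate
    entry that matches the filter and False otherwise. The lookthrough limit counts every
    candidate examined, the size limit counts only entries sent to the client, and the
    time limit is charged the constructed cost for each candidate examined."""
    lookthrough, size, time_s = limits["lookthrough-limit"], limits["size-limit"], limits["time-limit"]
    checked = sent = elapsed_ms = 0
    for matches in candidates:
        if lookthrough is not None and checked >= lookthrough:
            return SearchOutcome(sent, checked, ADMIN_LIMIT_EXCEEDED)
        if time_s is not None and elapsed_ms >= time_s * 1000:
            return SearchOutcome(sent, checked, TIME_LIMIT_EXCEEDED)
        checked += 1
        elapsed_ms += cost_ms_per_candidate
        if matches:
            if size is not None and sent >= size:
                return SearchOutcome(sent, checked, SIZE_LIMIT_EXCEEDED)
            sent += 1
    return SearchOutcome(sent, checked, SUCCESS)


def users_without_limits(entries: Iterable[Dict[str, List[str]]]) -> List[str]:
    """Audit helper: DNs of entries for which any search limit resolves to 'no limit'.
    Useful after adding a collective-attribute subentry, to confirm exactly who it reached."""
    return [entry["dn"][0] for entry in entries
            if any(v is None for v in effective_limits(entry).values())]


# Constructed sample entries in the shape of ldapsearch LDIF output.
BJENSEN = parse_ldif_entry("""dn: uid=bjensen,ou=People,dc=example,dc=com
ds-rlim-size-limit: 10
""")
KVAUGHAN = parse_ldif_entry("""dn: uid=kvaughan,ou=People,dc=example,dc=com
ds-rlim-lookthrough-limit: 0
ds-rlim-time-limit: 0
ds-rlim-size-limit: 0
""")

if __name__ == "__main__":
    # 25 matching entries against a size limit of 10: 10 sent, result 4 (Size Limit Exceeded).
    print(simulate_search([True] * 25, effective_limits(BJENSEN)))
    # Default limits, a selective filter over 6000 candidates: lookthrough (5000) trips first.
    print(simulate_search((i % 1000 == 999 for i in range(6000)), effective_limits({})))
    print(users_without_limits([BJENSEN, KVAUGHAN]))
```

The second simulated search is the case the lookthrough limit exists for: the filter matches only a handful of entries, so the size limit is never approached, but the server would have to examine every candidate to find them, and it stops at 5000 candidates. A search that hits the lookthrough or time limit regularly is usually a sign of a missing index or an overly broad filter rather than a reason to raise the limit for everyone.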

Procedure 13.1. To Set Search Limits For a User

  • Change the user entry to set the limits to override.

    $ cat limit.ldif
    dn: uid=bjensen,ou=People,dc=example,dc=com
    changetype: modify
    add: ds-rlim-size-limit
    ds-rlim-size-limit: 10
    
    $ ldapmodify \
     --port 1389 \
     --bindDN "cn=Directory Manager" \
     --bindPassword password \
     --filename limit.ldif
    Processing MODIFY request for uid=bjensen,ou=People,dc=example,dc=com
    MODIFY operation successful for DN uid=bjensen,ou=People,dc=example,dc=com

    Now when Babs Jensen performs a search returning more than 10 entries, she sees the following message.

    Result Code:  4 (Size Limit Exceeded)
    Additional Information:  This search operation has sent the maximum of
     10 entries to the client

Procedure 13.2. To Set Search Limits For a Group

  1. Create an LDAP subentry to specify the limits using collective attributes.

    $ cat grouplim.ldif
    dn: cn=Remove Administrator Search Limits,dc=example,dc=com
    objectClass: collectiveAttributeSubentry
    objectClass: extensibleObject
    objectClass: subentry
    objectClass: top
    cn: Remove Administrator Search Limits
    ds-rlim-lookthrough-limit;collective: 0
    ds-rlim-size-limit;collective: 0
    ds-rlim-time-limit;collective: 0
    subtreeSpecification: {base "ou=people", specificationFilter "
     (isMemberOf=cn=Directory Administrators,ou=Groups,dc=example,dc=com)" }
    
    $ ldapmodify \
     --port 1389 \
     --bindDN "cn=Directory Manager" \
     --bindPassword password \
     --defaultAdd \
     --filename grouplim.ldif
    Processing ADD request for
     cn=Remove Administrator Search Limits,dc=example,dc=com
    ADD operation successful for DN
     cn=Remove Administrator Search Limits,dc=example,dc=com

  2. Check the results.

    $ ldapsearch --port 1389 --baseDN dc=example,dc=com "(uid=kvaughan)" + | grep ds-rlim
    ds-rlim-lookthrough-limit: 0
    ds-rlim-time-limit: 0
    ds-rlim-size-limit: 0