# Id
# Copyright 1999-2021 The OpenLDAP Foundation, All Rights Reserved.
# COPYING RESTRICTIONS APPLY, see COPYRIGHT.

# This contribution is derived from OpenLDAP Software.
# All of the modifications to OpenLDAP Software represented in this contribution
# were developed by Andrew Findlay <andrew.findlay@skills-1st.co.uk>.
# I have not assigned rights and/or interest in this work to any party.
#
# Copyright 2008 Andrew Findlay
# Redistribution and use in source and binary forms, with or without
# modification, are permitted only as authorized by the OpenLDAP Public License.

H1: Limits

H2: Introduction

It is usually desirable to limit the server resources that can be
consumed by each LDAP client. OpenLDAP provides two sets of limits:
a size limit, which can restrict the {{number}} of entries that a
client can retrieve in a single operation, and a time limit,
which restricts the length of time that an operation may continue.
Both types of limit can be given different values depending on who
initiated the operation.

H2: Soft and Hard limits

The server administrator can specify both {{soft limits}} and
{{hard limits}}. Soft limits can be thought of as being the
default limit value. Hard limits cannot be exceeded by ordinary
LDAP users.

LDAP clients can specify their own
size and time limits when issuing search operations.
This feature has been present since the earliest version of X.500.

If the client specifies a limit then the lower of the requested value
and the {{hard limit}} will become the limit for the operation.

If the client does not specify a limit then the server applies the
{{soft limit}}.

Soft and Hard limits are often referred to together as {{administrative
limits}}. Thus, if an LDAP client requests a search that would return
more results than the limits allow, it will get an {{adminLimitExceeded}}
error. Note that the server will usually return some results even if
the limit has been exceeded: this feature is useful to clients that
just want to check for the existence of some entries without needing
to see them all.

The {{rootdn}} is not subject to any limits.

H2: Global Limits

Limits specified in the global part of the server configuration act
as defaults which are used if no database has more specific limits set.

In a {{slapd.conf}}(5) configuration the keywords are {{EX:sizelimit}} and
{{EX:timelimit}}. When using the {{slapd config}} backend, the corresponding
attributes are {{EX:olcSizeLimit}} and {{EX:olcTimeLimit}}. The syntax of
these values is the same in both cases.

The simple form sets both soft and hard limits to the same value:

> sizelimit {<integer>|unlimited}
> timelimit {<integer>|unlimited}

The default sizelimit is 500 entries and the default timelimit is
3600 seconds.

An extended form allows soft and hard limits to be set separately:

> sizelimit size[.{soft|hard}]=<integer> [...]
> timelimit time[.{soft|hard}]=<integer> [...]

Thus, to set a soft sizelimit of 10 entries and a hard limit of 75 entries:

E: sizelimit size.soft=10 size.hard=75

H3: Special Size Limits

There are other forms of size limits in addition to the soft and hard limits.
Note that when using the simple {{sizelimit}} form, none of these special
limits are changed.

H4: Unchecked Limits

The {{unchecked}} keyword sets a limit on how many entries the server
will examine after doing index lookups but before evaluating filter
matches. If the set of candidates exceeds this limit, the search is aborted.
The purpose is to avoid causing excessive workload on {{slapd}}
if a filter uses attributes that are not properly indexed, and can
be critical for very large directories.

> sizelimit size.unchecked={<integer>|unlimited|disabled}

The default is unlimited. The {{disabled}} setting prevents a search
from being performed at all. This may be useful in the per-database
limits described below, to disallow searches for a specific set of users.

H4: Paged Results Limits

If the LDAP client adds the {{pagedResultsControl}} to the search operation,
the hard size limit is used by default, because the request for a specific
page size is considered an explicit request for a limitation on the number
of entries to be returned. However, the size limit applies to the total
count of entries returned within the search, and not to a single page.

Additional size limits may be enforced for paged searches.

The {{EX:size.pr}} limit controls the maximum page size:

> sizelimit size.pr={<integer>|noEstimate|unlimited}

{{EX:<integer>}} is the maximum page size if no explicit size is set.
{{EX:noEstimate}} has no effect in the current implementation as the
server does not return an estimate of the result size anyway.
{{EX:unlimited}} indicates that no limit is applied to the maximum
page size.

The {{EX:size.prtotal}} limit controls the total number of entries
that can be returned by a paged search. By default the limit is the
same as the normal {{EX:size.hard}} limit.

> sizelimit size.prtotal={<integer>|unlimited|disabled}

{{EX:unlimited}} removes the limit on the number of entries that can be
returned by a paged search.
{{EX:disabled}} can be used to selectively disable paged result searches.

H2: Per-Database Limits

Each database can have its own set of limits that override the global
ones. The syntax is more flexible, and it allows different limits to
be applied to different entities. Note that an {{entity}} is different from
an {{entry}}: the term {{entity}} is used here to indicate the ID of the
person or process that has initiated the LDAP operation.

In a {{slapd.conf}}(5) configuration the keyword is {{EX:limits}}.
When using the {{slapd config}} backend, the corresponding
attribute is {{EX:olcLimits}}. The syntax of
the values is the same in both cases.

> limits <selector> <limit> [<limit> [...]]

The {{limits}} clause can be specified multiple times to apply different
limits to different initiators. The server examines each clause in turn
until it finds one that matches the operation's initiator or base DN.
If no match is found, the global limits will be used.
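
To make the first-match rule concrete, here is an added Python model (not part of the OpenLDAP guide or of slapd itself) of how a list of {{EX:limits}} clauses is resolved for a bound identity: the first matching clause overrides the global defaults, a client that sends no size limit gets the soft limit, a client that asks for more is capped at the hard limit, and the rootdn is exempt. It assumes the chapter's default of 500 entries, models only the *, anonymous, users and dn.exact= selectors (group selectors would need a directory lookup), and uses the clauses from the paged-search example later in this chapter as constructed input.

```python
import shlex
UNLIMITED = float("inf")  # stands in for the 'unlimited' keyword
CLAUSES = [  # per-database limits taken from the chapter's paged-search example
    'limits users size.soft=5 size.hard=100 size.prtotal=disabled',
    'limits anonymous size.soft=2 size.hard=5 size.prtotal=disabled',
]

def parse_limit_value(value):
    # 'unlimited' -> inf, 'disabled' stays a string, anything else is an int
    return UNLIMITED if value == "unlimited" else value if value == "disabled" else int(value)

def parse_limits_clause(line):
    # 'limits <selector> key=value ...' -> (selector, {key: value}); bare size=N sets soft and hard
    keyword, selector, *settings = shlex.split(line)
    assert keyword == "limits", line
    limits = {}
    for key, _, value in (s.partition("=") for s in settings):
        for name in (["size.soft", "size.hard"] if key == "size" else [key]):
            limits[name] = parse_limit_value(value)
    return selector, limits

def selector_matches(selector, bind_dn):
    # bind_dn None = anonymous bind; group/... selectors need a directory lookup, not modelled
    if selector == "*":
        return True
    if selector in ("anonymous", "users"):
        return (bind_dn is None) == (selector == "anonymous")
    if selector.startswith("dn.exact="):
        return bind_dn is not None and bind_dn.lower() == selector[9:].lower()
    return False

def effective_limits(clauses, bind_dn, global_limits=None):
    # the first matching per-database clause overrides the global defaults
    limits = dict(global_limits or {"size.soft": 500, "size.hard": 500})
    for line in clauses:
        selector, parsed = parse_limits_clause(line)
        if selector_matches(selector, bind_dn):
            return {**limits, **parsed}
    return limits

def entries_returned(clauses, bind_dn, requested=0, rootdn=None):
    # no client limit (0) -> soft limit; else min(request, hard); the rootdn is exempt
    if rootdn is not None and bind_dn == rootdn:
        return UNLIMITED
    limits = effective_limits(clauses, bind_dn)
    return limits["size.soft"] if requested == 0 else min(requested, limits["size.hard"])

def paged_search_allowed(clauses, bind_dn):
    # size.prtotal=disabled switches paged searches off for the matching selector
    return effective_limits(clauses, bind_dn).get("size.prtotal") != "disabled"
```

Running entries_returned(CLAUSES, None, requested=1000) shows an anonymous client asking for 1000 entries still receives only the hard limit of 5, while an authenticated user with no requested limit gets the soft limit of 5 rather than the hard 100.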

H3: Specify who the limits apply to

The {{EX:<selector>}} part of the {{limits}} clause can take any of these values:

!block table; align=Center; coltags="EX,N"; \
	title="Table 9.1: Limits Entity Specifiers"
Specifier|Entities
*|All, including anonymous and authenticated users
anonymous|Anonymous (non-authenticated) users
users|Authenticated users
dn[.<type>][.<style>]=<pattern>|Entry or entries within a scope that match <pattern>
group[/oc[/at]]=<pattern>|Members of a group
!endblock

Where {{type}} can be one of self or this, and
{{style}} can be one of exact, base, onelevel, subtree, children, regex, or anonymous.

More information can be found in the {{slapd.conf}}(5) or {{slapd-config}}(5) manual
pages.

H3: Specify time limits

The syntax for time limits is

E: time[.{soft|hard}]=<integer>

where {{EX:<integer>}} is the number of seconds slapd will spend
answering a search request.

If neither {{soft}} nor {{hard}} is specified, the value is used for both,
e.g.:

E: limits anonymous time=27

The value {{unlimited}} may be used to remove the hard time limit entirely,
e.g.:

E: limits dn.exact="cn=anyuser,dc=example,dc=org" time.hard=unlimited

H3: Specifying size limits

The syntax for size limits is

E: size[.{soft|hard}]=<integer>

where {{EX:<integer>}} is the maximum number of entries slapd will return
when answering a search request.

In addition to soft and hard limits, other limits are also available,
with the same meanings described for the global limits configuration above.

H2: Example Limit Configurations

H3: Simple Global Limits

This simple global configuration fragment applies size and time limits
to all searches by all users except {{rootdn}}. It limits searches to
50 results and sets an overall time limit of 10 seconds.

E: sizelimit 50
E: timelimit 10

H3: Global Hard and Soft Limits

It is sometimes useful to limit the size of result sets but to allow
clients to request a higher limit where needed. This can be achieved
by setting separate hard and soft limits.

E: sizelimit size.soft=5 size.hard=100

To prevent clients from doing very inefficient non-indexed searches,
add the {{unchecked}} limit:

E: sizelimit size.soft=5 size.hard=100 size.unchecked=100

H3: Giving specific users larger limits

Having set appropriate default limits in the global configuration,
you may want to give certain users the ability to retrieve larger
result sets. Here is a way to do that in the per-database configuration:

E: limits dn.exact="cn=anyuser,dc=example,dc=org" size=100000
E: limits dn.exact="cn=personnel,dc=example,dc=org" size=100000
E: limits dn.exact="cn=dirsync,dc=example,dc=org" size=100000

It is generally best to avoid mentioning specific users in the server
configuration. A better way is to give the higher limits to a group:

E: limits group/groupOfNames/member="cn=bigwigs,dc=example,dc=org" size=100000

H3: Limiting who can do paged searches

Certain applications may need very large result sets, which they
retrieve using paged searches, while ordinary LDAP users should not
be able to use the pagedResults control at all. The {{pr}} and {{prtotal}}
limits can help:

E: limits group/groupOfNames/member="cn=dirsync,dc=example,dc=org" size.prtotal=unlimited
E: limits users size.soft=5 size.hard=100 size.prtotal=disabled
E: limits anonymous size.soft=2 size.hard=5 size.prtotal=disabled

H2: Glued/Subordinate database configurations

When using subordinate databases, any limits that are to be applied
across the parent and its subordinates must be defined in both
the parent and its subordinates. Otherwise the settings on the subordinate
databases are not honored.

H2: Further Information

For further information please see {{slapd.conf}}(5), {{ldapsearch}}(1) and {{slapd.access}}(5).