From c000cad09d0b54c455c99271bfb996c2dfe13073 Mon Sep 17 00:00:00 2001 From: Daniel Baumann Date: Mon, 6 May 2024 03:23:53 +0200 Subject: Adding upstream version 2.4.47+dfsg. Signed-off-by: Daniel Baumann --- doc/guide/admin/limits.sdf | 244 +++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 244 insertions(+) create mode 100644 doc/guide/admin/limits.sdf (limited to 'doc/guide/admin/limits.sdf') diff --git a/doc/guide/admin/limits.sdf b/doc/guide/admin/limits.sdf new file mode 100644 index 0000000..a284961 --- /dev/null +++ b/doc/guide/admin/limits.sdf @@ -0,0 +1,244 @@ +# $Id$ +# Copyright 1999-2018 The OpenLDAP Foundation, All Rights Reserved. +# COPYING RESTRICTIONS APPLY, see COPYRIGHT. + +# This contribution is derived from OpenLDAP Software. +# All of the modifications to OpenLDAP Software represented in this contribution +# were developed by Andrew Findlay . +# I have not assigned rights and/or interest in this work to any party. +# +# Copyright 2008 Andrew Findlay +# Redistribution and use in source and binary forms, with or without +# modification, are permitted only as authorized by the OpenLDAP Public License. + +H1: Limits + +H2: Introduction + +It is usually desirable to limit the server resources that can be +consumed by each LDAP client. OpenLDAP provides two sets of limits: +a size limit, which can restrict the {{number}} of entries that a +client can retrieve in a single operation, and a time limit +which restricts the length of time that an operation may continue. +Both types of limit can be given different values depending on who +initiated the operation. + +H2: Soft and Hard limits + +The server administrator can specify both {{soft limits}} and +{{hard limits}}. Soft limits can be thought of as being the +default limit value. Hard limits cannot be exceeded by ordinary +LDAP users. + +LDAP clients can specify their own +size and time limits when issuing search operations. +This feature has been present since the earliest version of X.500. + +If the client specifies a limit then the lower of the requested value +and the {{hard limit}} will become the limit for the operation. + +If the client does not specify a limit then the server applies the +{{soft limit}}. + +Soft and Hard limits are often referred to together as {{administrative +limits}}. Thus, if an LDAP client requests a search that would return +more results than the limits allow it will get an {{adminLimitExceeded}} +error. Note that the server will usually return some results even if +the limit has been exceeded: this feature is useful to clients that +just want to check for the existence of some entries without needing +to see them all. + +The {{rootdn}} is not subject to any limits. + +H2: Global Limits + +Limits specified in the global part of the server configuration act +as defaults which are used if no database has more specific limits set. + +In a {{slapd.conf}}(5) configuration the keywords are {{EX:sizelimit}} and +{{EX:timelimit}}. When using the {{slapd config}} backend, the corresponding +attributes are {{EX:olcSizeLimit}} and {{EX:olcTimeLimit}}. The syntax of +these values are the same in both cases. + +The simple form sets both soft and hard limits to the same value: + +> sizelimit {|unlimited} +> timelimit {|unlimited} + +The default sizelimit is 500 entries and the default timelimit is +3600 seconds. + +An extended form allows soft and hard limits to be set separately: + +> sizelimit size[.{soft|hard|unchecked}]= [...] +> timelimit time[.{soft|hard}]= [...] + +Thus, to set a soft sizelimit of 10 entries and a hard limit of 75 entries: + +E: sizelimit size.soft=10 size.hard=75 + +The {{unchecked}} keyword sets a limit on how many entries the server +will examine once it has created an initial set of candidate results by +using indices. This can be very important in a large directory, as a +search that cannot be satisfied from an index might cause the server to +examine millions of entries, therefore always make sure the correct indexes +are configured. + +H2: Per-Database Limits + +Each database can have its own set of limits that override the global +ones. The syntax is more flexible, and it allows different limits to +be applied to different entities. Note that an {{entity}} is different from +an {{entry}}: the term {{entity}} is used here to indicate the ID of the +person or process that has initiated the LDAP operation. + +In a {{slapd.conf}}(5) configuration the keyword is {{EX:limits}}. +When using the {{slapd config}} backend, the corresponding +attribute is {{EX:olcLimits}}. The syntax of +the values is the same in both cases. + +> limits [ [...]] + +The {{limits}} clause can be specified multiple times to apply different +limits to different initiators. The server examines each clause in turn +until it finds one that matches the operation's initiator or base DN. +If no match is found, the global limits will be used. + +H3: Specify who the limits apply to + +The {{EX:}} part of the {{limits}} clause can take any of these values: + +!block table; align=Center; coltags="EX,N"; \ + title="Table 9.1: Limits Entity Specifiers" +Specifier|Entities +*|All, including anonymous and authenticated users +anonymous|Anonymous (non-authenticated) users +users|Authenticated users +dn[.][.