# $Id$ # Copyright 1999-2021 The OpenLDAP Foundation, All Rights Reserved. # COPYING RESTRICTIONS APPLY, see COPYRIGHT. # This contribution is derived from OpenLDAP Software. # All of the modifications to OpenLDAP Software represented in this contribution # were developed by Andrew Findlay . # I have not assigned rights and/or interest in this work to any party. # # Copyright 2008 Andrew Findlay # Redistribution and use in source and binary forms, with or without # modification, are permitted only as authorized by the OpenLDAP Public License. H1: Limits H2: Introduction It is usually desirable to limit the server resources that can be consumed by each LDAP client. OpenLDAP provides two sets of limits: a size limit, which can restrict the {{number}} of entries that a client can retrieve in a single operation, and a time limit which restricts the length of time that an operation may continue. Both types of limit can be given different values depending on who initiated the operation. H2: Soft and Hard limits The server administrator can specify both {{soft limits}} and {{hard limits}}. Soft limits can be thought of as being the default limit value. Hard limits cannot be exceeded by ordinary LDAP users. LDAP clients can specify their own size and time limits when issuing search operations. This feature has been present since the earliest version of X.500. If the client specifies a limit then the lower of the requested value and the {{hard limit}} will become the limit for the operation. If the client does not specify a limit then the server applies the {{soft limit}}. Soft and Hard limits are often referred to together as {{administrative limits}}. Thus, if an LDAP client requests a search that would return more results than the limits allow it will get an {{adminLimitExceeded}} error. Note that the server will usually return some results even if the limit has been exceeded: this feature is useful to clients that just want to check for the existence of some entries without needing to see them all. The {{rootdn}} is not subject to any limits. H2: Global Limits Limits specified in the global part of the server configuration act as defaults which are used if no database has more specific limits set. In a {{slapd.conf}}(5) configuration the keywords are {{EX:sizelimit}} and {{EX:timelimit}}. When using the {{slapd config}} backend, the corresponding attributes are {{EX:olcSizeLimit}} and {{EX:olcTimeLimit}}. The syntax of these values are the same in both cases. The simple form sets both soft and hard limits to the same value: > sizelimit {|unlimited} > timelimit {|unlimited} The default sizelimit is 500 entries and the default timelimit is 3600 seconds. An extended form allows soft and hard limits to be set separately: > sizelimit size[.{soft|hard|unchecked}]= [...] > timelimit time[.{soft|hard}]= [...] Thus, to set a soft sizelimit of 10 entries and a hard limit of 75 entries: E: sizelimit size.soft=10 size.hard=75 The {{unchecked}} keyword sets a limit on how many entries the server will examine once it has created an initial set of candidate results by using indices. This can be very important in a large directory, as a search that cannot be satisfied from an index might cause the server to examine millions of entries, therefore always make sure the correct indexes are configured. H2: Per-Database Limits Each database can have its own set of limits that override the global ones. The syntax is more flexible, and it allows different limits to be applied to different entities. Note that an {{entity}} is different from an {{entry}}: the term {{entity}} is used here to indicate the ID of the person or process that has initiated the LDAP operation. In a {{slapd.conf}}(5) configuration the keyword is {{EX:limits}}. When using the {{slapd config}} backend, the corresponding attribute is {{EX:olcLimits}}. The syntax of the values is the same in both cases. > limits [ [...]] The {{limits}} clause can be specified multiple times to apply different limits to different initiators. The server examines each clause in turn until it finds one that matches the operation's initiator or base DN. If no match is found, the global limits will be used. H3: Specify who the limits apply to The {{EX:}} part of the {{limits}} clause can take any of these values: !block table; align=Center; coltags="EX,N"; \ title="Table 9.1: Limits Entity Specifiers" Specifier|Entities *|All, including anonymous and authenticated users anonymous|Anonymous (non-authenticated) users users|Authenticated users dn[.][.