# Id
# Copyright 1999-2020 The OpenLDAP Foundation, All Rights Reserved.
# COPYING RESTRICTIONS APPLY, see COPYRIGHT.

# This contribution is derived from OpenLDAP Software.
# All of the modifications to OpenLDAP Software represented in this contribution
# were developed by Andrew Findlay <andrew.findlay@skills-1st.co.uk>.
# I have not assigned rights and/or interest in this work to any party.
#
# Copyright 2008 Andrew Findlay
# Redistribution and use in source and binary forms, with or without
# modification, are permitted only as authorized by the OpenLDAP Public License.

H1: Limits

H2: Introduction

It is usually desirable to limit the server resources that can be
consumed by each LDAP client. OpenLDAP provides two sets of limits:
a size limit, which restricts the {{number}} of entries that a
client can retrieve in a single operation, and a time limit,
which restricts how long an operation may run.
Both types of limit can be given different values depending on who
initiated the operation.

H2: Soft and Hard limits

The server administrator can specify both {{soft limits}} and
{{hard limits}}. A soft limit is the default that applies when the
client asks for nothing in particular; a hard limit is the most that
an ordinary LDAP user may ask for.

LDAP clients can specify their own size and time limits when issuing
search operations. This feature has been present since the earliest
version of X.500.

If the client does not specify a limit, the server applies the
{{soft limit}}.

If the client does specify a limit, it is checked against the
{{hard limit}}: a request at or below the hard limit is honoured as
requested, while a request for more than the hard limit is refused
with an {{adminLimitExceeded}} error rather than silently reduced.

Soft and hard limits are often referred to together as {{administrative
limits}}. Once a limit is in effect for a search, exceeding it while
the search runs produces a {{sizeLimitExceeded}} or {{timeLimitExceeded}}
result.
Note that the server will usually return some results even if
the limit has been exceeded: the entries found before the limit was
reached are delivered ahead of the error result. This is useful to
clients that only want to check for the existence of some entries
without needing to see them all.

The {{rootdn}} is not subject to any limits.

H2: Global Limits

Limits specified in the global part of the server configuration act
as defaults which are used if no database has more specific limits set.

In a {{slapd.conf}}(5) configuration the keywords are {{EX:sizelimit}} and
{{EX:timelimit}}. When using the {{slapd-config}}(5) backend, the corresponding
attributes are {{EX:olcSizeLimit}} and {{EX:olcTimeLimit}}. The syntax of
the values is the same in both cases.

The simple form sets both soft and hard limits to the same value:

> sizelimit {<integer>|unlimited}
> timelimit {<integer>|unlimited}

The default sizelimit is 500 entries and the default timelimit is
3600 seconds.

An extended form allows soft and hard limits to be set separately:

> sizelimit size[.{soft|hard|unchecked}]=<integer> [...]
> timelimit time[.{soft|hard}]=<integer> [...]

Thus, to set a soft sizelimit of 10 entries and a hard limit of 75 entries:

E: sizelimit size.soft=10 size.hard=75

The {{unchecked}} keyword limits how many candidate entries the server
will examine after it has used its indices to build an initial set of
candidates. If the candidate set is larger than the unchecked limit,
the search is refused before any candidate is read. This can be very
important in a large directory: a search whose filter cannot be answered
from an index can otherwise make the server read millions of entries,
so always make sure the correct indices are configured.

H2: Per-Database Limits

Each database can have its own set of limits that override the global
ones. The syntax is more flexible, and it allows different limits to
be applied to different entities.
Note that an {{entity}} is different from
an {{entry}}: the term {{entity}} is used here to indicate the identity of the
person or process that has initiated the LDAP operation.

In a {{slapd.conf}}(5) configuration the keyword is {{EX:limits}}.
When using the {{slapd-config}}(5) backend, the corresponding
attribute is {{EX:olcLimits}}. The syntax of
the values is the same in both cases.

> limits <selector> <limit> [<limit> [...]]

The {{limits}} clause can be specified multiple times to apply different
limits to different initiators. The server examines the clauses in the
order they appear and stops at the first one whose selector matches the
operation's initiator (or, with {{dn.this}}, its base DN). Because the
first match wins, specific selectors must come before broad ones such as
{{users}} or {{*}}. If no clause matches, the global limits are used.

H3: Specify who the limits apply to

The {{EX:<selector>}} part of the {{limits}} clause can take any of these values:

!block table; align=Center; coltags="EX,N"; \
	title="Table 9.1: Limits Entity Specifiers"
Specifier|Entities
*|All, including anonymous and authenticated users
anonymous|Anonymous (non-authenticated) users
users|Authenticated users
dn[.<type>][.<style>]=<pattern>|DNs that match <pattern> within the given scope
group[/oc[/at]]=<pattern>|Members of the group <pattern>
!endblock

Where

{{type}} can be {{self}} (match the initiator's bind DN, the default) or
{{this}} (match the base DN of the operation), and

{{style}} can be one of exact, base, onelevel, subtree, children, regex, or anonymous.

For {{group}}, {{oc}} names the group's object class and {{at}} the
attribute that holds the member DNs; they default to {{groupOfNames}} and
{{member}}.

More information can be found in the {{slapd.conf}}(5) or {{slapd-config}}(5) manual
pages.

H3: Specify time limits

The syntax for time limits is

E: time[.{soft|hard}]=<integer>

where {{EX:<integer>}} is the number of seconds slapd will spend
answering a search request.
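
The way a configured soft and hard value combine with whatever limit the client itself requests, and what the client then sees, is easy to get wrong from prose alone. The following Python model is an added illustration of the rules in this chapter for both the size and the time form; it is not OpenLDAP code, and the function names, the way result codes are returned and the sample figures are assumptions made for the example.

```python
"""Added illustration of the soft/hard/requested limit rules in this chapter.
It is not OpenLDAP code; the function names, result-code handling and the
sample figures are assumptions made for the example."""

from dataclasses import dataclass
from typing import Optional, Tuple, Union

# LDAP result codes (RFC 4511) a client can receive for these cases.
SUCCESS = 0
TIME_LIMIT_EXCEEDED = 3
SIZE_LIMIT_EXCEEDED = 4
ADMIN_LIMIT_EXCEEDED = 11

UNLIMITED = "unlimited"          # the keyword accepted by size.* and time.*
Limit = Union[int, str]          # a positive integer or UNLIMITED


@dataclass(frozen=True)
class ConfiguredLimit:
    """One size or time limit as set with size.soft/size.hard (or time.*)."""
    soft: Limit
    hard: Limit

    @classmethod
    def simple(cls, value: Limit) -> "ConfiguredLimit":
        # "sizelimit 50" / "time=27": soft and hard get the same value
        return cls(soft=value, hard=value)


def effective_limit(cfg: ConfiguredLimit, requested: Optional[int], *,
                    is_rootdn: bool = False,
                    paged: bool = False) -> Tuple[Optional[Limit], int]:
    """Decide the limit slapd enforces for one search.

    Returns (limit, result_code). limit is an int, UNLIMITED, or None when
    the search is refused outright with adminLimitExceeded. requested=None
    or 0 models a client that sent no limit (ldapsearch -z 0 / -l 0).
    """
    if is_rootdn:
        return UNLIMITED, SUCCESS              # rootdn is never limited
    if not requested:
        # pagedResults without an explicit size counts as an explicit request,
        # so the hard limit applies; otherwise the soft limit is the default.
        return (cfg.hard if paged else cfg.soft), SUCCESS
    if cfg.hard == UNLIMITED or requested <= cfg.hard:
        return requested, SUCCESS              # within what ordinary users may ask
    # Asking for more than the hard limit is refused, not silently lowered.
    return None, ADMIN_LIMIT_EXCEEDED


def run_search(cfg: ConfiguredLimit, requested: Optional[int], needed: int,
               exceeded_code: int = SIZE_LIMIT_EXCEEDED, **kw) -> Tuple[int, int]:
    """Simulate what the client sees: (entries delivered, result code).

    `needed` is how many entries the search matches; for a time limit pass
    the seconds it would take and exceeded_code=TIME_LIMIT_EXCEEDED instead,
    in which case the first value is the seconds of work actually done.
    """
    limit, rc = effective_limit(cfg, requested, **kw)
    if rc != SUCCESS:
        return 0, rc                           # refused before any entry is sent
    if limit == UNLIMITED or needed <= limit:
        return needed, SUCCESS
    # The first `limit` entries are delivered before the error result, which
    # is why an existence check still works under a tight limit.
    return limit, exceeded_code


if __name__ == "__main__":
    cfg = ConfiguredLimit(soft=5, hard=100)   # "sizelimit size.soft=5 size.hard=100"
    for req in (None, 50, 500):
        print(f"requested={req!s:>4}: {run_search(cfg, req, needed=20)}")
```

Running the block with the soft=5/hard=100 configuration shows the three regimes: no requested limit gives 5 entries and sizeLimitExceeded, a request of 50 returns all 20 entries, and a request of 500 is refused with adminLimitExceeded before anything is returned.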

If neither {{soft}} nor {{hard}} is specified, the value is used for both,
e.g.:

E: limits anonymous time=27

The value {{unlimited}} may be used to remove the hard time limit entirely,
e.g.:

E: limits dn.exact="cn=anyuser,dc=example,dc=org" time.hard=unlimited

H3: Specify size limits

The syntax for size limits is

E: size[.{soft|hard|unchecked}]=<integer>

where {{EX:<integer>}} is the maximum number of entries slapd will return
when answering a search request.

Soft, hard, and {{unchecked}} limits are available, with the same meanings
described for the global limits configuration above.

H3: Size limits and Paged Results

If the LDAP client adds the {{pagedResultsControl}} to the search operation,
the hard size limit is used by default, because the request for a specific
page size is considered an explicit request for a limitation on the number
of entries to be returned. However, the size limit applies to the total
count of entries returned within the search, and not to a single page.

Additional size limits may be enforced for paged searches.

The {{EX:size.pr}} limit controls the maximum page size:

> size.pr={<integer>|noEstimate|unlimited}

{{EX:<integer>}} is the maximum page size if the client does not set an
explicit one. {{EX:noEstimate}} has no effect in the current
implementation, as the server does not return an estimate of the result
size anyway. {{EX:unlimited}} indicates that no limit is applied to the
page size.

The {{EX:size.prtotal}} limit controls the total number of entries
that can be returned by a paged search. By default the limit is the
same as the normal {{EX:size.hard}} limit.

> size.prtotal={<integer>|unlimited|disabled}

{{EX:unlimited}} removes the limit on the number of entries that can be
returned by a paged search.
{{EX:disabled}} can be used to selectively disable paged result searches
for the initiators the clause selects.

H2: Example Limit Configurations

H3: Simple Global Limits

This simple global configuration fragment applies size and time limits
to all searches by all users except {{rootdn}}. It limits searches to
50 results and sets an overall time limit of 10 seconds.

E: sizelimit 50
E: timelimit 10

H3: Global Hard and Soft Limits

It is sometimes useful to limit the size of result sets by default but to
allow clients to request a higher limit where needed. This can be achieved
by setting separate hard and soft limits.

E: sizelimit size.soft=5 size.hard=100

To prevent clients from running very inefficient non-indexed searches,
add the {{unchecked}} limit:

E: sizelimit size.soft=5 size.hard=100 size.unchecked=100

H3: Giving specific users larger limits

Having set appropriate default limits in the global configuration,
you may want to give certain users the ability to retrieve larger
result sets. Here is a way to do that in the per-database configuration:

E: limits dn.exact="cn=anyuser,dc=example,dc=org" size=100000
E: limits dn.exact="cn=personnel,dc=example,dc=org" size=100000
E: limits dn.exact="cn=dirsync,dc=example,dc=org" size=100000

It is generally best to avoid mentioning specific users in the server
configuration. A better way is to give the higher limits to a group:

E: limits group/groupOfNames/member="cn=bigwigs,dc=example,dc=org" size=100000

H3: Limiting who can do paged searches

Certain applications may need very large result sets, which they retrieve
using paged searches, while you do not want ordinary LDAP users to use
the pagedResults control.
The {{EX:size.pr}} and {{EX:size.prtotal}}
limits can help:

E: limits group/groupOfNames/member="cn=dirsync,dc=example,dc=org" size.prtotal=unlimited
E: limits users size.soft=5 size.hard=100 size.prtotal=disabled
E: limits anonymous size.soft=2 size.hard=5 size.prtotal=disabled

The group clause must come first. Clauses are tried in order and the
first match wins, so a {{users}} clause placed ahead of it would also
capture the members of {{cn=dirsync}} (they are authenticated users too)
and disable paged searches for the very application that needs them.

H2: Further Information

For further information please see {{slapd.conf}}(5), {{slapd-config}}(5),
{{ldapsearch}}(1) and {{slapd.access}}(5).
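
Because the first matching {{limits}} clause wins, a misordered configuration fails silently: the clause meant for a group or DN is simply never reached. The following Python is an added example, not OpenLDAP code, that parses {{limits}} clauses as they appear in {{slapd.conf}}(5), resolves which clause applies to a given initiator using the selectors of Table 9.1, and reports clauses that an earlier, broader selector makes unreachable. It assumes a constructed group-membership set in place of the group entries slapd would read, does not model {{dn.this}} (which selects on the operation's base DN), and treats a bare {{dn=<pattern>}} as {{dn.exact}}; the sample fragments reproduce the paged-search example above and a misordered variant of it.

```python
"""Added example, not OpenLDAP code: parse the per-database `limits` clauses
described in this chapter, find the one that applies to an initiator, and flag
clauses an earlier, broader selector makes unreachable. Assumptions: group
membership is a constructed set, dn.this is not modelled, bare dn= means dn.exact."""
import re
import shlex
from dataclasses import dataclass

# Limit keywords this chapter defines; anything else is rejected as a typo.
KNOWN_LIMITS = {"size", "size.soft", "size.hard", "size.unchecked", "size.pr",
                "size.prtotal", "time", "time.soft", "time.hard"}

@dataclass(frozen=True)
class Clause:
    line: int
    selector: str
    limits: dict

@dataclass(frozen=True)
class Initiator:
    dn: str = ""                      # "" models an anonymous bind
    groups: frozenset = frozenset()   # groups the bind DN belongs to (constructed)

def norm(dn):
    """Minimal DN normalisation for comparison: case and spacing around commas."""
    return ",".join(part.strip() for part in dn.split(",")).lower()

def parse_limits(text):
    """Return the `limits` clauses of a slapd.conf fragment, in file order."""
    clauses = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        parts = shlex.split(raw, comments=True)   # also removes the DN quotes
        if not parts or parts[0] != "limits":
            continue
        if len(parts) < 3:
            raise ValueError(f"line {lineno}: limits needs a selector and a limit")
        limits = {}
        for tok in parts[2:]:
            key, eq, value = tok.partition("=")
            if key not in KNOWN_LIMITS or not eq or not value:
                raise ValueError(f"line {lineno}: bad limit {tok!r}")
            limits[key] = value
        clauses.append(Clause(lineno, parts[1], limits))
    return clauses

def selector_matches(selector, who):
    """Apply one selector from Table 9.1 to the initiator."""
    if selector == "*":
        return True
    if selector in ("users", "anonymous"):
        return (who.dn != "") == (selector == "users")   # bound vs. anonymous
    spec, _, pattern = selector.partition("=")
    if spec.startswith("group"):
        # group/oc/at tells slapd how to read membership; here it is given directly
        return norm(pattern) in {norm(g) for g in who.groups}
    if not spec.startswith("dn"):
        raise ValueError(f"unknown selector {selector!r}")
    flags = spec.split(".")[1:]
    if "this" in flags:
        raise ValueError("dn.this selects on the operation's base DN, not modelled")
    style = flags[-1] if flags and flags[-1] != "self" else "exact"
    dn, pat = norm(who.dn), norm(pattern)
    if style in ("exact", "base"):
        return dn == pat
    if style == "onelevel":
        return dn.partition(",")[2] == pat
    if style == "children":
        return dn != pat and dn.endswith("," + pat)
    if style == "subtree":
        return dn == pat or dn.endswith("," + pat)
    if style == "regex":
        return re.search(pattern, who.dn, re.IGNORECASE) is not None
    if style == "anonymous":
        return who.dn == ""
    raise ValueError(f"unknown dn style {style!r}")

def applicable_clause(clauses, who):
    """First matching clause wins; None means the global limits apply."""
    return next((c for c in clauses if selector_matches(c.selector, who)), None)

def shadowed_clauses(clauses):
    """(line, shadowed_by) for clauses that an earlier, broader selector makes
    unreachable. Conservative: dn.regex and bare dn= are never reported."""
    def covers(earlier, later):
        style = later.partition("=")[0].split(".")[-1]
        if earlier == "users":            # every non-empty bind DN
            return later.startswith("group") or (
                later.startswith("dn.") and style not in ("regex", "anonymous"))
        if earlier == "anonymous":
            return later.startswith("dn.") and style == "anonymous"
        return earlier in ("*", later)
    out = []
    for i, c in enumerate(clauses):
        by = next((e.line for e in clauses[:i] if covers(e.selector, c.selector)), None)
        if by is not None:
            out.append((c.line, by))
    return out

# Constructed input: the chapter's paged-search example, and the same clauses
# with the group clause moved behind `users`, where it can never match.
GOOD = """\
limits group/groupOfNames/member="cn=dirsync,dc=example,dc=org" size.prtotal=unlimited
limits users size.soft=5 size.hard=100 size.prtotal=disabled
limits anonymous size.soft=2 size.hard=5 size.prtotal=disabled
"""
BAD = "\n".join(GOOD.splitlines()[i] for i in (1, 0, 2))
SYNC = Initiator("cn=sync,ou=apps,dc=example,dc=org",
                 frozenset({"cn=dirsync,dc=example,dc=org"}))
```

With the clauses in the order given in the chapter, a member of {{cn=dirsync}} resolves to the group clause and keeps unlimited paged searches; with the {{users}} clause moved in front, the same initiator resolves to {{users}} and gets {{size.prtotal=disabled}}, and {{shadowed_clauses}} reports the group clause as unreachable. Running the checker over a real {{slapd.conf}} before deploying it catches that class of mistake without a round trip to the server.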