7.3. Setting Resource Limits Based on the Bind DN

Server limits for search operations are controlled using special operational attribute values on the client application binding to the directory. You can set the following search operation limits:

Look through limit. Specifies how many entries can be examined for a search operation.
Size limit. Specifies the maximum number of entries the server returns to a client application in response to a search operation.
Time limit. Specifies the maximum time the server spends processing a search operation.
Idle timeout. Specifies the time a connection to the server can be idle before the connection is dropped.

The resource limits set for the client application take precedence over the default resource limits set for in the global server configuration.

NOTE

The Directory Manager receives unlimited resources by default.

7.3.1. Setting Resource Limits Using the Console

The following procedure describes setting resource limits for a user or a role using the Directory Server Console:

Select the Directory tab.
Browse the navigation tree in the left navigation pane, and double-click the user or role for which to set resource limits.
The Edit Entry dialog box appears.
Click Account in the left pane. The right pane contains the four limits that can be set in the Resource Limits section.
Entering a value of -1 indicates no limit.
Click OK.

7.3.2. Setting Resource Limits Using the Command-Line

The following operational attributes can be set for each entry using the command-line. Use ldapmodify to add the following attributes to the entry:

Attribute	Description
nsLookThroughLimit	Specifies how many entries are examined for a search operation. Giving this attribute a value of `-1` indicates that there is no limit.
nsSizeLimit	Specifies the maximum number of entries the server returns to a client application in response to a search operation. Giving this attribute a value of `-1` indicates that there is no limit.
nsTimeLimit	Specifies the maximum time the server spends processing a search operation. Giving this attribute a value of `-1` indicates that there is no time limit.
nsIdleTimeout	Specifies the time a connection to the server can be idle before the connection is dropped. The value is given in seconds. Giving this attribute a value of `-1` indicates that there is no limit.

For example, this sets the size limit for Barbara Jensen by using ldapmodify^[6] to modify her entry:

ldapmodify -h myserver -p 389 -D "cn=directory manager" -w secretpwd

dn: uid=bjensen,ou=people,dc=example,dc=com
changetype: modify
add:nsSizeLimit
nsSizeLimit: 500

The ldapmodify statement adds the nsSizeLimit attribute to Babs Jensen's entry and gives it a search return size limit of 500 entries.