---
title: Resource limits
description: Client connection policies can specify resource limits, helping to ensure that no single client monopolizes server resources.
component: pingdirectory
version: 11.0
page_id: pingdirectory:pingdirectory_server_administration_guide:pd_ds_resource_limits
canonical_url: https://docs.pingidentity.com/pingdirectory/11.0/pingdirectory_server_administration_guide/pd_ds_resource_limits.html
revdate: September 13, 2023
---

# Resource limits

Client connection policies can specify resource limits, helping to ensure that no single client monopolizes server resources.

You can limit the total number of connections to a server from a particular client or from clients that match specified criteria. You can also limit the duration of the connection.

A client connection policy can only be used to enforce additional restrictions on a client connection. You cannot use it to grant a client capabilities that it would not otherwise have.

Any change to any of these new configuration properties only impacts client connections that are assigned to the client connection policy after the change is made. Any connection associated with the client connection policy before the configuration change was made continues to be subject to the configuration that was in place at the time it was associated with that policy.

**Resource Limiting Properties**

| Property                                                  | Description                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              |
| --------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ |
| `maximum-concurrent-connections` | Specifies the maximum number of client connections that can be associated with that client connection policy at any given time. The default value of zero indicates that no limit is enforced. If the server already has the maximum number of connections associated with a client connection policy, then any attempt to associate another connection with that policy causes that connection to be terminated. This applies to a newly established connection and to an existing connection that has done something to change its client connection policy, such as performing a bind or StartTLS operation. |
| `terminate-connection` | Specifies that any client connection for which the client connection policy is selected is immediately terminated, whether it is a new connection or an existing connection that is assigned to the client connection policy after performing a bind or StartTLS operation. This property can be used to define criteria for connections that you do not want to be allowed to communicate with the PingDirectory server. |
| `maximum-connection-duration` | Specifies the maximum length of time that a connection associated with the client connection policy can remain established to the PingDirectory server, regardless of the amount of activity on that connection. A value of "0 seconds" (default) indicates that no limit is enforced. If a connection associated with the client connection policy has been established for longer than this time, then it is terminated. |
| `maximum-idle-connection-duration` | Specifies the maximum length of time that a connection associated with the client connection policy can remain established with the PingDirectory server without any requests in progress. A value of "0 seconds" (default) indicates that no additional limit is enforced on top of whatever idle time limit might already be in effect for an associated connection. If a nonzero value is provided, then the effective idle time limit for any client connection is the smaller of the `maximum-idle-connection-duration` from the client connection policy and the idle time limit that would otherwise be in effect for that client. This property can be used to apply a further restriction on top of any value that might be enforced by the `idle-time-limit` global configuration property, which defines a default idle time limit for client connections, or the `ds-rlim-idle-time-limit` operational attribute, which might be included in a user entry to override the default idle time limit for that user. |
| `maximum-operation-count-per-connection`                  | Specifies the maximum number of operations that a client associated with the client connection policy is allowed to request. A value of zero (default) indicates that no limit is enforced. If a client attempts to request more than this number of operations on the same connection, then that connection will be terminated.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                         |
| `maximum-concurrent-operations-per-connection` | Specifies the maximum number of operations that might be active at any time from the same client. This limit only applies to clients that use asynchronous operations with multiple outstanding requests at any given time. A value of zero (default) indicates that no limit is enforced. If a client already has the maximum number of outstanding requests in progress and issues a new request, then that request is delayed or rejected based on the value of the `maximum-concurrent-operation-wait-time-before-rejecting` property. |
| `maximum-concurrent-operation-wait-time-before-rejecting` | Specifies the maximum length of time that a client connection should allow an outstanding operation to complete if the maximum number of concurrent operations for a connection are already in progress when a new request is received on that connection. A value of "0 seconds" (default) indicates that any new requests received while the maximum number of outstanding requests are already in progress for that connection are immediately rejected. If an outstanding operation completes before this time expires, then the server might be allowed to process that operation. If the time expires, the new request is rejected. |
| `maximum-ldap-join-size-limit`                            | Specifies the maximum number of entries that can be directly joined with any individual search result entry. A value of zero indicates that no LDAP join size limit is enforced. The limit can be overridden on a per-user basis using the `ds-rlim-ldap-join-size-limit` operational attribute. The LDAP join size limit is also restricted by the search operation size limit. If a search result entry is joined with more entries than allowed, the join result control has a "size limit exceeded" (integer value 4) result code.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                   |
| `allowed-request-control` | Specifies the OIDs of the request controls that clients associated with the client connection policy are allowed to use. If any `allowed-request-control` OIDs are specified, then any request that includes a control not in that set is rejected. If no `allowed-request-control` values are specified (default), then any control whose OID is not included in the set of `denied-request-control` values is allowed. |
| `denied-request-control` | Specifies the OIDs of the request controls that clients associated with the client connection policy are not allowed to use. If there are any `denied-request-control` values, then any request containing a control whose OID is included in that set is rejected. If there are no `denied-request-control` values (default), then any request control is allowed if the `allowed-request-control` property is also empty, or only those controls whose OIDs are included in the set of `allowed-request-control` values are allowed if at least one `allowed-request-control` value is provided. |
| `allowed-filter-type` | Specifies the types of components that might be used in filters included in search operations with a non-base scope that are requested by clients associated with the client connection policy. Any non-base scoped search request whose filter contains a component not included in this set is rejected. The set of possible filter types includes: `and`, `or`, `not`, `equality`, `sub-initial`, `sub-any`, `sub-final`, `greater-or-equal`, `less-or-equal`, `approximate-match`, and `extensible-match`. By default, all filter types are allowed. No restriction is placed on the types of filters that might be used in searches with a base scope. |
| `allow-unindexed-searches` | Specifies whether clients associated with the client connection policy are allowed to request searches that cannot be efficiently processed using the configured set of indexes. Clients must still have the `unindexed-search` privilege, so this option does not grant the ability to perform unindexed searches to clients that would not have otherwise had that ability, but it might be used to prevent clients associated with the client connection policy from requesting unindexed searches when they might have otherwise been allowed to do so. By default, this has a value of "true", indicating that any client associated with the client connection policy that has the `unindexed-search` privilege is allowed to request unindexed searches. |
| `minimum-substring-length` | Specifies the minimum number of bytes that might be present in any subInitial, subAny, or subFinal element of a substring search filter component in a search with a non-baseObject scope. A value of one (which is the default) indicates that no limit is enforced. This property might be used to prevent clients from issuing overly vague substring searches that might require the PingDirectory server to examine too many entries over the course of processing the request. |
| `maximum-search-size-limit` | Specifies the maximum number of entries that might be returned from any single search operation requested by a client associated with this client connection policy. This property only specifies a maximum limit and never increases any limit that might already be in effect for the client through the `size-limit` global configuration property or the `ds-rlim-size-limit` operational attribute. A value of zero (default) indicates that no additional limit is enforced on top of whatever size limit might already be in effect for an associated connection. If a nonzero value is provided, then the effective maximum size limit for any search operation requested by the client is the smaller of the size limit from that search request, the `maximum-search-size-limit` from the client connection policy, and the size limit that would otherwise be in effect for that client. |
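
Before tightening `allowed-filter-type` or `minimum-substring-length`, it helps to check the filters an application actually sends against the proposed values. The following Python is an added example, not PingDirectory code: it walks an RFC 4515 filter string, labels each component with the type names from the table, and reports which of the two properties would reject the search. The function names, the `base`/`sub` scope strings, and the `present` label for presence filters are assumptions of this example; the server's own evaluation is authoritative.

```python
import re

OPS = {"&": "and", "|": "or", "!": "not"}
CMP = {"~": "approximate-match", ">": "greater-or-equal", "<": "less-or-equal"}

def _unescape(value):
    # Decode RFC 4515 \XX hex escapes so that lengths are counted in bytes.
    return re.sub(rb"\\([0-9a-fA-F]{2})",
                  lambda m: bytes([int(m.group(1), 16)]), value.encode("utf-8"))

def _item(item, out):
    # Classify one non-compound component such as cn=jo* or age>=21.
    attr, sep, value = item.partition("=")
    if not sep or not attr:
        raise ValueError(f"malformed filter item: {item!r}")
    if attr[-1] in CMP:
        out.append((CMP[attr[-1]], _unescape(value)))
    elif attr[-1] == ":":
        out.append(("extensible-match", _unescape(value)))
    elif value == "*":
        out.append(("present", b""))  # example's own label; not in the page's list
    elif "*" in value:
        parts = value.split("*")
        names = ["sub-initial"] + ["sub-any"] * (len(parts) - 2) + ["sub-final"]
        out.extend((n, _unescape(p)) for n, p in zip(names, parts) if p)
    else:
        out.append(("equality", _unescape(value)))

def _walk(f, i, out):
    # Parse the filter starting at f[i]; return the offset just past its ")".
    if f[i:i + 1] != "(":
        raise ValueError(f"expected '(' at offset {i}")
    i += 1
    if f[i:i + 1] in OPS:
        out.append((OPS[f[i]], b""))
        i += 1
        while f[i:i + 1] == "(":  # lenient: child count is not validated
            i = _walk(f, i, out)
    else:
        end = f.index(")", i)  # raises ValueError if the item is never closed
        _item(f[i:end], out)
        i = end
    if f[i:i + 1] != ")":
        raise ValueError(f"expected ')' at offset {i}")
    return i + 1

def violations(flt, scope, allowed_types, min_substring_len=1):
    # Neither property restricts base-scoped searches, so those are not parsed.
    found = []
    if scope != "base" and _walk(flt, 0, found) != len(flt):
        raise ValueError("trailing data after filter")
    bad = [f"filter type {k} is not allowed" for k, _ in found if k not in allowed_types]
    return bad + [f"{k} is {len(v)} bytes, minimum {min_substring_len}" for k, v in found
                  if k.startswith("sub-") and len(v) < min_substring_len]
```

`violations(filter, scope, allowed_types, min_substring_len)` returns an empty list when the search passes both checks as modeled here; substring lengths are measured after unescaping, so a two-byte UTF-8 character counts as two.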
