PingDirectory

Defining resource limits in operational attributes

Although the global configuration defines default values for several resource limits, it is possible to override those default values on a per-user basis by adding an appropriate set of operational attributes to the user’s entry.

Resource limits set through operational attributes can grant a user a higher limit than is available by default in the global configuration, or they can impose a lower limit than would otherwise be permitted by default.

These operational attributes include:

Attribute Description

ds-rlim-size-limit

The maximum number of entries that the user is allowed to retrieve in any single search operation. A value of zero indicates that no size limit is enforced for the user. If this attribute is present in a user’s entry, then it overrides the default size-limit value from the global configuration.

ds-rlim-time-limit

The maximum length of time in seconds that the server is allowed to spend processing any single search operation for the user. A value of zero indicates that no time limit is enforced for the user. If this attribute is present in a user’s entry, then it overrides the default time-limit value from the global configuration.

ds-rlim-lookthrough-limit

The maximum number of entries that the server is allowed to examine while processing any single search operation for the user. A value of zero indicates that no lookthrough limit is enforced for the user. If this attribute is present in a user’s entry, then it overrides the default lookthrough-limit value from the global configuration.

ds-rlim-idle-time-limit

The maximum length of time in seconds that the user is allowed to have an idle connection (one in which no operations are in progress) established. A value of zero indicates that no idle time limit is enforced for the user. If this attribute is present in a user’s entry, then it overrides the default idle-time-limit value from the global configuration.

ds-rlim-ldap-join-size-limit

The maximum number of entries that are joined with any single search result entry when processing a search request that includes the LDAP join request control. A value of zero indicates that no LDAP join size limit is enforced for the user. If this attribute is present in the user’s entry, then it overrides the default ldap-join-size-limit from the global configuration.

Each of these attributes can be explicitly set in the entries for users that should have a value that is different from the corresponding property in the global configuration. You can also use virtual attributes to dynamically assign values for these attributes using criteria such as the location or content of the user’s entry, the groups of which that user is a member, or the client connection policy to which they are assigned.
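Because a per-user override can raise a limit or remove it entirely (a value of zero), it is worth reviewing which entries loosen the global defaults. The following added example, which is not part of the PingDirectory documentation, audits an LDIF export for such overrides; the default values and sample entries are constructed, and it assumes the ds-rlim-* attributes were explicitly requested in the export.

```python
# Added example: audit per-user ds-rlim-* overrides from an LDIF export.
# Maps each operational attribute to the global property it overrides.
RLIM_TO_GLOBAL = {
    "ds-rlim-size-limit": "size-limit",
    "ds-rlim-time-limit": "time-limit",
    "ds-rlim-lookthrough-limit": "lookthrough-limit",
    "ds-rlim-idle-time-limit": "idle-time-limit",
    "ds-rlim-ldap-join-size-limit": "ldap-join-size-limit",
}
# Constructed defaults for illustration; read the real ones from the global configuration.
GLOBAL_DEFAULTS = {"size-limit": 1000, "time-limit": 60, "lookthrough-limit": 5000,
                   "idle-time-limit": 0, "ldap-join-size-limit": 10000}
# Constructed sample export (simple LDIF: no folded lines, no base64 values).
SAMPLE_LDIF = """\
dn: uid=app-sync,ou=Services,dc=example,dc=com
ds-rlim-size-limit: 0
ds-rlim-time-limit: 30

dn: uid=jdoe,ou=People,dc=example,dc=com
ds-rlim-size-limit: 100
ds-rlim-idle-time-limit: 86400

dn: uid=report,ou=Services,dc=example,dc=com
ds-rlim-lookthrough-limit: 10000
"""

def parse_ldif(text):
    """Yield (dn, {lowercased attribute: value}) per blank-line-separated record."""
    for record in text.strip().split("\n\n"):
        dn, attrs = None, {}
        for line in record.splitlines():
            name, _, value = line.partition(":")
            if name.lower() == "dn":
                dn = value.strip()
            else:
                attrs[name.lower()] = value.strip()
        if dn:
            yield dn, attrs

def is_looser(override, default):
    """Zero means 'no limit', so it is looser than any non-zero default."""
    if default == 0:
        return False  # the default is already unlimited
    return override == 0 or override > default

def audit(ldif_text, defaults):
    """Return (dn, attribute, override, default) for overrides that loosen a default."""
    return [(dn, attr, int(attrs[attr]), defaults[prop])
            for dn, attrs in parse_ldif(ldif_text)
            for attr, prop in RLIM_TO_GLOBAL.items()
            if attr in attrs and is_looser(int(attrs[attr]), defaults[prop])]
```

Limits assigned through virtual attributes appear in the export only if the search that produced it returned them, so check both sources when reviewing effective limits.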