PingDirectory

Defining resource limits in client connection policies

Use client connection policies to impose hard upper bounds on the values of some resource limit properties.

If the client connection policy is configured with a resource limit that is lower than the limit that would otherwise be imposed for the associated client, then the client connection policy’s lower limit is enforced (even for root accounts and other types of administrative accounts). However, the client connection policy never grants a client a higher limit than it would otherwise have.

The client connection policy properties that are used to define resource limits include the following.

Property Description

maximum-concurrent-connections

The maximum number of client connections that can be associated with the client connection policy at any one time. If the maximum number of connections is already associated with the policy, any attempt to assign another connection to the policy causes that connection to be terminated. A value of zero (which is the default) indicates that no limit is enforced.

maximum-connection-duration

The maximum length of time that connections associated with the policy can be established, regardless of how active those connections are. Any connection that is established for longer than this period of time will be terminated. A value of zero seconds (which is the default) indicates that no maximum connection duration is enforced.

maximum-idle-connection-duration

The maximum length of time that connections associated with the policy are allowed to remain idle (without issuing any new requests). Any client connection that is idle for longer than this period of time is terminated. A value of zero seconds (which is the default) indicates that no maximum idle connection duration is enforced.

maximum-operation-count-per-connection

The maximum number of operations that a connection associated with the policy is allowed to request over the life of that connection. After a connection has requested the maximum number of operations, any attempt to request another operation causes that connection to be terminated. A value of zero (which is the default) indicates that no maximum operation count is enforced.

maximum-concurrent-operations-per-connection

The maximum number of operations that a client associated with the policy can request at any one time. Once the maximum number of concurrent operations is active for a connection, any new request can optionally block for a period of time (specified by the maximum-concurrent-operation-wait-time-before-rejecting property) to see if any of the outstanding operations complete. At that point, the request can be rejected or the connection can be terminated based on the value of the maximum-concurrent-operations-per-connection-exceeded-behavior property. By default, no maximum concurrent operation limit is imposed.

maximum-connection-operation-rate

The maximum rate at which a client can issue requests. If provided, then the value should be provided as a count followed by a slash and a time duration (for example, 100/s indicates a maximum rate of one hundred requests per second, while 10K/6h indicates a maximum rate of 10,000 requests over a six-hour period). If any connection exceeds this rate, subsequent requests within that time period can be rejected or the connection can be terminated, as controlled by the connection-operation-rate-exceeded-behavior property. By default, no maximum connection operation rate is enforced.

maximum-policy-operation-rate

The maximum rate at which all clients associated with the client connection policy can issue requests. If provided, then the value should be provided as a count followed by a slash and a time duration. If the maximum policy operation rate is exceeded, then subsequent requests within that time period can be rejected or the connection can be terminated, as controlled by the policy-operation-rate-exceeded-behavior property. By default, no maximum policy operation rate is enforced.

maximum-search-size-limit

The maximum number of entries that can be returned in response to any single search operation for clients associated with the client connection policy. A value of zero (which is the default) indicates that the policy does not impose a maximum size limit for client connections, and they are subject to whatever limit is in place through the global configuration or operational attributes in the authenticated user’s entry.

maximum-search-time-limit

The maximum length of time that the server can spend processing any single search operation for clients associated with the client connection policy. A value of zero seconds (which is the default) indicates that the policy does not impose a maximum time limit for client connections, and they are subject to whatever limit is in place through the global configuration or operational attributes in the authenticated user’s entry.

maximum-search-lookthrough-limit

The maximum number of entries that the server can examine when processing any single search operation for clients associated with the client connection policy. A value of zero (which is the default) indicates that the policy does not impose a maximum lookthrough limit for client connections, and they are subject to whatever limit is in place through the global configuration or operational attributes in the authenticated user’s entry.

maximum-ldap-join-size-limit

The maximum LDAP join size limit that is enforced for clients associated with the client connection policy. A value of zero (which is the default) indicates that the policy does not impose a maximum join size limit for client connections, and they are subject to whatever limit is in place through the global configuration or operational attributes in the authenticated user’s entry.

maximum-sort-size-limit-without-vlv-index

The maximum number of entries that the server attempts to sort without the benefit of a VLV index. If the client issues a search request that includes the server-side sort control and matches more than this number of entries, then the server either returns the results in unsorted form (if the sort request control is not marked critical), or it rejects the search (if the control is critical). A value of zero (which is the default) indicates that no limit should be enforced.
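
The following audit helper is an added example, not code from PingDirectory or Ping Identity. It models the upper-bound rule described at the top of this page, parses the count/duration rate format, and lists the count-valued limits a policy leaves unbounded. The unit letters `m` and `d`, the zero-means-unlimited convention for the limit a client would otherwise have, and the sample policy values are assumptions made for the example.

```python
import re

# "s" and "h" appear on the page; "m" and "d" are assumed unit letters.
UNIT_SECONDS = {"s": 1, "m": 60, "h": 3600, "d": 86400}
RATE_RE = re.compile(r"^(\d+)(K?)/(\d*)([smhd])$")

# Count-valued properties the page documents with a default of zero (no limit).
ZERO_DEFAULT_COUNTS = (
    "maximum-concurrent-connections",
    "maximum-operation-count-per-connection",
    "maximum-search-size-limit",
    "maximum-search-lookthrough-limit",
    "maximum-ldap-join-size-limit",
    "maximum-sort-size-limit-without-vlv-index",
)


def parse_rate(value):
    """Turn 'count/duration' ('100/s', '10K/6h') into (count, window_seconds)."""
    m = RATE_RE.match(value.strip())
    if not m:
        raise ValueError(f"unrecognized rate value: {value!r}")
    count = int(m.group(1)) * (1000 if m.group(2) else 1)
    window = int(m.group(3) or 1) * UNIT_SECONDS[m.group(4)]
    if window == 0:
        raise ValueError(f"zero-length window in rate value: {value!r}")
    return count, window


def effective_limit(policy_limit, other_limit):
    """Limit actually enforced; 0 means no limit (assumed for other_limit too)."""
    if policy_limit == 0:
        return other_limit                  # policy imposes nothing
    if other_limit == 0:
        return policy_limit                 # policy caps an unlimited client
    return min(policy_limit, other_limit)   # policy can lower, never raise


def unbounded_properties(props):
    """Names of count-valued limits left at zero or unset in a policy."""
    return [n for n in ZERO_DEFAULT_COUNTS if int(props.get(n, 0)) == 0]


# Constructed sample policy, not taken from a real server.
SAMPLE_POLICY = {
    "maximum-concurrent-connections": "200",
    "maximum-search-size-limit": "1000",
    "maximum-connection-operation-rate": "10K/6h",
}
```

Calling `effective_limit(1000, 0)` shows the case of an administrative account that has no limit of its own but is still capped by the policy, while `effective_limit(5000, 500)` shows that a generous policy value does not raise a client's lower limit.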