PingDirectory

Resource limits

Client connection policies can specify resource limits, helping to ensure that no single client monopolizes server resources.

You can limit the total number of connections to a server from a particular client or from clients that match specified criteria. You can also limit the duration of the connection.

A client connection policy can only be used to enforce additional restrictions on a client connection. You cannot use it to grant a client capabilities that it would not otherwise have.

Any change to any of these new configuration properties only impacts client connections that are assigned to the client connection policy after the change is made. Any connection associated with the client connection policy before the configuration change was made continues to be subject to the configuration that was in place at the time it was associated with that policy.

Resource Limiting Properties
Property Description

maximum-concurrent-connections

Specifies the maximum number of client connections that can be associated with that client connection policy at any given time. The default value of zero indicates that no limit is enforced.

If the server already has the maximum number of connections associated with a client connection policy, then any attempt to associate another connection with that policy, such as newly-established connections or an existing connection that has done something to change its client connection policy, such as perform a bind or StartTLS operation, causes that connection to be terminated.

terminate-connection

Specifies that any client connection for which the client connection policy is selected, such as whether it is a new connection or an existing connection that is assigned to the client connection policy after performing a bind or StartTLS operation, is immediately terminated.

This property can be used to define criteria for connections that you do not want to be allowed to communicate with the PingDirectory server.

maximum-connection-duration

Specifies the maximum length of time that a connection associated with the client connection policy can remain established to the PingDirectory server, regardless of the amount of activity on that connection.

A value of "0 seconds" (default) indicates that no limit is enforced. If a connection associated with the client connection policy has been established for longer than this time, then it is terminated.

maximum-idle-connection-duration

Specifies the maximum length of time that a connection associated with the client connection policy can remain established with the PingDirectory server without any requests in progress.

A value of "0 seconds" (default) indicates that no additional limit is enforced on top of whatever idle time limit might already be in effect for an associated connection. If a nonzero value is provided, then the effective idle time limit for any client connection is the smaller of the maximum-idle-connection-duration from the client connection policy and the idle time limit that would otherwise be in effect for that client.

This property can be used to apply a further restriction on top of any value that might be enforced by the idle-time-limit global configuration property which defines a default idle time limit for client connections, or the ds-rlim-idle-time-limit operational attribute which might be included in a user entry to override the default idle time limit for that user.

maximum-operation-count-per-connection

Specifies the maximum number of operations that a client associated with the client connection policy is allowed to request. A value of zero (default) indicates that no limit is enforced. If a client attempts to request more than this number of operations on the same connection, then that connection will be terminated.

maximum-concurrent-operations-per-connection

Specifies the maximum number of operations that might be active at any time from the same client. This limit only applies to clients that use asynchronous operations with multiple outstanding requests at any given time.

A value of zero (default) indicates that no limit is enforced.

If a client already has the maximum number of outstanding requests in progress and issues a new request, then that request is delayed or rejected based on the value of the maximum-concurrent-operation-wait-time-before-rejecting property.

maximum-concurrent-operation-wait-time-before-rejecting

Specifies the maximum length of time that a client connection should allow an outstanding operation to complete if the maximum number of concurrent operations for a connection are already in progress when a new request is received on that connection.

A value of “0 seconds” (default) indicates that any new requests received while the maximum number of outstanding requests are already in progress for that connection are immediately rejected.

If an outstanding operation completes before this time expires, then the server might be allowed to process that operation. If the time expires, the new request is rejected.

maximum-ldap-join-size-limit

Specifies the maximum number of entries that can be directly joined with any individual search result entry. A value of zero indicates that no LDAP join size limit is enforced. The limit can be overridden on a per-user basis using the ds-rlim-ldap-join-size-limit operational attribute. The LDAP join size limit is also restricted by the search operation size limit. If a search result entry is joined with more entries than allowed, the join result control has a "size limit exceeded" (integer value 4) result code.

allowed-request-control

Specifies the OIDs of the request controls that clients associated with the client connection policy are allowed to use.

If any allowed-request-control OIDs are specified, then any request that includes a control not in that set is rejected. If no allowed-request-control values are specified (default), then any control whose OID is not included in the set of denied-request-control values is allowed.

denied-request-control

Specifies the OIDs of the request controls that clients associated with the client connection policy are not allowed to use. If there are any denied-request-control values, then any request containing a control whose OID is included in that set is rejected.

If there are no denied-request-control values (default), then any request control is allowed if the allowed-request-control property is also empty, or only those controls whose OIDs are included in the set of allowed-request-control values are allowed if at least one allowed-request-control value is provided.

allowed-filter-type

Specifies the types of components that might be used in filters included in search operations with a non-base scope that are requested by clients associated with the client connection policy. Any non-base scoped search request whose filter contains a component not included in this set is rejected. The set of possible filter types include:

  • and

  • or

  • not

  • equality

  • sub-initial

  • sub-any

  • sub-final

  • greater-or-equal

  • less-or-equal

  • approximate-match

  • extensible-match

By default, all filter types are allowed.

No restriction is placed on the types of filters that might be used in searches with a base scope.

allow-unindexed-searches

Specifies whether clients associated with the client connection policy are allowed to request searches that cannot be efficiently processed using the configured set of indexes.

Clients must still have the unindexed-search privilege, so this option does not grant the ability to perform unindexed searches to clients that would not have otherwise had that ability, but it might be used to prevent clients associated with the client connection policy from requesting unindexed searches when they might have otherwise been allowed to do so.

By default, this has a value of "true", indicating that any client associated with the client connection policy that has the unindexed-search privilege is allowed to request unindexed searches.

minimum-substring-length

Specifies the minimum number of bytes, which might be present in any sub- Initial, subAny, or subFinal element of a substring search filter component in a search with a non-baseObject scope. A value of one (which is the default) indicates that no limit is enforced. This property might be used to prevent clients from issuing overly-vague substring searches that might require installing the PingDirectory server to examine too many entries over the course of processing the request.

maximum-search-size-limit

Specifies the maximum number of entries that might be returned from any single search operation requested by a client associated with this client connection policy.

This property only specifies a maximum limit and never increases any limit that might already be in effect for the client thought the size-limit global configuration property or the ds-rlim-size-limit operational attribute.

A value of zero (default) indicates that no additional limit is enforced on top of whatever size limit might already be in effect for an associated connection.

If a nonzero value is provided, then the effective maximum size limit for any search operation requested by the client is the smaller of the size limit from that search request, the maximum-search-size-limit from the client connection policy, and the size limit that would otherwise be in effect for that client.