PingDS 7.5.1

Enforce limits

Enforce application and user limits to protect against a denial of service.

Description

Estimated time to complete: 20 minutes

DS has many settings to prevent client applications from using more than their share of directory resources.

Don’t disable global limit settings.

Lift restrictions for specific trusted client applications, accounts, or groups.

Goals

In completing this use case, you learn:

  • The DS alternatives for enforcing limits.

  • How to change limits.

  • The result codes when an application exceeds a limit.

Example scenario

As a directory service administrator, Pat knows directory services are critical for identity applications.

To prevent performance problems and denial of service, Pat wants to restrict what a misbehaving client can do. Pat also wants to make it easy for applications and users to take advantage of directory services.

Pat knows DS offers many options to set limits and aims to review them in light of the directory service requirements.

Prerequisites

Knowledge

Before you start:

  • Make sure you are familiar with working with the command line on your operating system.

  • If you’re new to directory services, work through the examples to learn LDAP.

Actions

Before you try the sample commands, install a DS server in evaluation mode.

Tasks

Task 1: Review enforceable limits

The following tables list available options for enforcing limits. To change limits for:

  • A single ldapsearch command, use the size or time limit options.

  • An application, user or group of accounts, set operational attributes.

  • A DS server, update configuration settings with the dsconfig command.

ldapsearch options
Limit Option to use

Size limit

ldapsearch --sizeLimit <number>

Time limit

ldapsearch --timeLimit <number-of-seconds>

Operational attributes
Attribute What it overrides

ds-rlim-idle-time-limit: <number-of-seconds>

How long an idle connection remains open.

ds-rlim-size-limit: <number>

The maximum number of entries returned for a search.

ds-rlim-time-limit: <number-of-seconds>

The maximum processing time for a search operation.

Request limit settings
Setting Scope Description

Connection handler1

The maximum size request this connection handler allows.

When client applications add groups with large numbers of members, for example, requests can exceed the default limit.

This setting affects only the size of requests, not responses.

Default: 5 megabytes

1 HTTP and LDAP connection handlers have this setting.

Connection limits1
Setting Scope Description

Global,
Connection handler2

The client applications that DS accepts connections from identified by hostname or IP address.

Default: not set

Global,
Connection handler2

The client applications that DS refuses connections from identified by hostname or IP address.

Default: not set

Global

The maximum number of seconds a client connection may remain established since its last completed operation.

If the network drops idle connections, set this to a lower value than the idle time limit for the network. This is particularly useful when networks drop idle connections without notification and without closing the connection. It ensures DS shuts down idle connections in an orderly fashion.

DS servers do not enforce idle timeout settings for persistent searches.

Default: 0 (seconds), meaning no limit

Global

The total number of concurrent client connections DS accepts.

Each connection uses memory. On Linux systems, each connection uses a file descriptor.

Default:`0`, meaning no limit

Global,
Connection handler2

The client applications DS limits to restricted-client-connection-limit connections.

Default: not set

Global,
Connection handler2

The maximum number of concurrent connections for specified clients.

Default: 100 (connections)

1 DS applies the settings in this order:

  1. If the denied-client property is set, DS denies connections from any client matching the settings.

  2. If the restricted-client property is set, DS counts the connections from any client matching the settings.

    If a matching client exceeds restricted-client-connection-limit connections, DS refuses additional connections.

  3. If the allowed-client property is set, DS lets any client matching the settings connect.

  4. If the limits are not set, DS lets any client connect.

2 The settings on a connection handler override the global settings.

Search limit settings
Setting Scope Description

Global

The maximum number of concurrent persistent searches.

Default: -1, meaning no limit

Global

The maximum number of entries returned for a single search.

Default: 1000 (entries)

Global

The maximum number of seconds to process a single search.

Default: 0 (seconds), meaning no limit

Task 2: Override account limits

  1. Give an administrator access to update the operational attributes:

    $ ldapmodify \
     --hostname localhost \
     --port 1636 \
     --useSsl \
     --usePkcs12TrustStore /path/to/opendj/config/keystore \
     --trustStorePassword:file /path/to/opendj/config/keystore.pin \
     --bindDN uid=admin \
     --bindPassword password << EOF
    dn: ou=People,dc=example,dc=com
    changetype: modify
    add: aci
    aci: (targetattr = "ds-rlim-time-limit||ds-rlim-size-limit")
     (version 3.0;acl "Allow Kirsten Vaughan to manage search limits";
     allow (all) (userdn = "ldap:///uid=kvaughan,ou=People,dc=example,dc=com");)
    EOF
  2. Override the limits for a single entry:

    $ ldapmodify \
     --hostname localhost \
     --port 1636 \
     --useSsl \
     --usePkcs12TrustStore /path/to/opendj/config/keystore \
     --trustStorePassword:file /path/to/opendj/config/keystore.pin \
     --bindDN uid=kvaughan,ou=people,dc=example,dc=com \
     --bindPassword bribery << EOF
    dn: uid=bjensen,ou=People,dc=example,dc=com
    changetype: modify
    add: ds-rlim-size-limit
    ds-rlim-size-limit: 10
    EOF

    When Babs Jensen performs an indexed search returning more than 10 entries, she reads the following message:

    $ ldapsearch \
     --hostname localhost \
     --port 1636 \
     --useSsl \
     --usePkcs12TrustStore /path/to/opendj/config/keystore \
     --trustStorePassword:file /path/to/opendj/config/keystore.pin \
     --bindDN uid=bjensen,ou=people,dc=example,dc=com \
     --bindPassword hifalutin \
     --baseDN dc=example,dc=com \
     "(sn=jensen)"
    
    # The LDAP search request failed: 4 (Size Limit Exceeded)
    # Additional Information:  This search operation has sent the maximum of 10 entries to the client

Task 2: Override group limits

  1. Give an administrator the privilege to write subentries:

    $ ldapmodify \
     --hostname localhost \
     --port 1636 \
     --useSsl \
     --usePkcs12TrustStore /path/to/opendj/config/keystore \
     --trustStorePassword:file /path/to/opendj/config/keystore.pin \
     --bindDN uid=admin \
     --bindPassword password << EOF
    dn: uid=kvaughan,ou=People,dc=example,dc=com
    changetype: modify
    add: ds-privilege-name
    ds-privilege-name: subentry-write
    EOF

    Notice here that the directory superuser, uid=admin, assigns privileges. Any administrator with the privilege-change privilege can assign privileges. However, if the administrator can update administrator privileges, they can assign themselves the bypass-acl privilege. Then they are no longer bound by access control instructions, including both user data ACIs and global ACIs. For this reason, do not assign the privilege-change privilege to normal administrator users.

  2. Create an LDAP subentry to override the limits with collective attributes:

    $ ldapmodify \
     --hostname localhost \
     --port 1636 \
     --useSsl \
     --usePkcs12TrustStore /path/to/opendj/config/keystore \
     --trustStorePassword:file /path/to/opendj/config/keystore.pin \
     --bindDN uid=kvaughan,ou=people,dc=example,dc=com \
     --bindPassword bribery << EOF
    dn: cn=Remove Administrator Search Limits,dc=example,dc=com
    objectClass: collectiveAttributeSubentry
    objectClass: extensibleObject
    objectClass: subentry
    objectClass: top
    cn: Remove Administrator Search Limits
    ds-rlim-size-limit;collective: 0
    ds-rlim-time-limit;collective: 0
    subtreeSpecification: {base "ou=people", specificationFilter
      "(isMemberOf=cn=Directory Administrators,ou=Groups,dc=example,dc=com)" }
    EOF

    The base entry identifies the branch with administrator entries. For details on how subentries apply, refer to About subentry scope.

  3. Show an administrator account has limits set to 0 (no limit):

    $ ldapsearch \
     --hostname localhost \
     --port 1636 \
     --useSsl \
     --usePkcs12TrustStore /path/to/opendj/config/keystore \
     --trustStorePassword:file /path/to/opendj/config/keystore.pin \
     --bindDN uid=kvaughan,ou=people,dc=example,dc=com \
     --bindPassword bribery \
     --baseDN uid=kvaughan,ou=people,dc=example,dc=com \
     --searchScope base \
     "(&)" \
     ds-rlim-time-limit ds-rlim-size-limit
    
    dn: uid=kvaughan,ou=People,dc=example,dc=com
    ds-rlim-size-limit: 0
    ds-rlim-time-limit: 0

Task 3: Limit persistent searches

An LDAP persistent search maintains an open connection until the client application ends the search. Whenever a modification changes data in the search scope, DS returns a search result. The more concurrent persistent searches, the more work the server has to do for each modification:

Set the global property max-psearches to limit total concurrent persistent searches.

The following command sets a maximum of 30 persistent searches:

$ dsconfig \
 set-global-configuration-prop \
 --hostname localhost \
 --port 4444 \
 --bindDN uid=admin \
 --bindPassword password \
 --set max-psearches:30 \
 --usePkcs12TrustStore /path/to/opendj/config/keystore \
 --trustStorePassword:file /path/to/opendj/config/keystore.pin \
 --no-prompt

Task 4: Limit connections

  • Limit the total concurrent connections DS accepts.

    The following command sets the limit to 64K (the minimum number of file descriptors to make available to DS on a Linux system):

    $ dsconfig \
     set-global-configuration-prop \
     --hostname localhost \
     --port 4444 \
     --bindDN uid=admin \
     --bindPassword password \
     --set max-allowed-client-connections:65536 \
     --usePkcs12TrustStore /path/to/opendj/config/keystore \
     --trustStorePassword:file /path/to/opendj/config/keystore.pin \
     --no-prompt
  • Set an idle timeout of 24 hours:

    $ dsconfig \
     set-global-configuration-prop \
     --hostname localhost \
     --port 4444 \
     --bindDN uid=admin \
     --bindPassword password \
     --set idle-time-limit:24h \
     --usePkcs12TrustStore /path/to/opendj/config/keystore \
     --trustStorePassword:file /path/to/opendj/config/keystore.pin \
     --no-prompt
  • Limit access to clients in the example.com domain:

    $ dsconfig \
     set-global-configuration-prop \
     --hostname localhost \
     --port 4444 \
     --bindDN uid=admin \
     --bindPassword password \
     --set allowed-client:example.com \
     --usePkcs12TrustStore /path/to/opendj/config/keystore \
     --trustStorePassword:file /path/to/opendj/config/keystore.pin \
     --no-prompt
  • Limit clients on the 10.0.0.* network to 1000 concurrent connections each:

    $ dsconfig \
     set-global-configuration-prop \
     --hostname localhost \
     --port 4444 \
     --bindDN uid=admin \
     --bindPassword password \
     --set restricted-client:"10.0.0.*" \
     --set restricted-client-connection-limit:1000 \
     --usePkcs12TrustStore /path/to/opendj/config/keystore \
     --trustStorePassword:file /path/to/opendj/config/keystore.pin \
     --no-prompt

Task 5: Permit large requests

The following command increases the limit to 20 MB for the LDAP connection handler. This lets client applications add large static group entries, for example:

$ dsconfig \
 set-connection-handler-prop \
 --hostname localhost \
 --port 4444 \
 --bindDN uid=admin \
 --bindPassword password \
 --handler-name LDAP \
 --set max-request-size:20mb \
 --usePkcs12TrustStore /path/to/opendj/config/keystore \
 --trustStorePassword:file /path/to/opendj/config/keystore.pin \
 --no-prompt

Result codes

When an LDAP application exceeds a limit, DS responds with the appropriate result code:

  • 3: Time Limit Exceeded when the request took too long to process.

  • 4: Size Limit Exceeded when the request returned too many entries.

  • 11: Administrative Limit Exceeded when the request exceeded a limit imposed by one of the other settings.

Refer to any additional information DS returns with the result to determine what action to take.