---
title: Enforce limits
description: Enforce application and user limits to protect against a denial of service.
component: pingds
version: 8.1
page_id: pingds:use-cases:limits
canonical_url: https://docs.pingidentity.com/pingds/8.1/use-cases/limits.html
revdate: 2025-10-22T14:42:39Z
keywords: ["Features", "LDAP", "Setup & Configuration", "Use Case"]
page_aliases: ["maintenance-guide:resource-limits.adoc"]
section_ids:
  description: Description
  goals: Goals
  example_scenario: Example scenario
  prerequisites: Prerequisites
  knowledge: Knowledge
  actions: Actions
  tasks: Tasks
  task_1_review_enforceable_limits: "Task 1: Review enforceable limits"
  limits-account: "Task 2: Override account limits"
  limits-group: "Task 2: Override group limits"
  limits-psearch: "Task 3: Limit persistent searches"
  limit-connections: "Task 4: Limit connections"
  limits-max-request: "Task 5: Permit large requests"
  result_codes: Result codes
---

# Enforce limits

Enforce application and user limits to protect against a denial of service.

## Description

Estimated time to complete: 20 minutes (this assumes you complete the prerequisites beforehand).

DS has many settings to prevent client applications from using more than their share of directory resources.

> **Note:** Don't disable global limit settings. Lift restrictions for specific trusted client applications, accounts, or groups.

## Goals

In completing this use case, you learn:

* The DS alternatives for enforcing limits.

* How to change limits.

* The result codes when an application exceeds a limit.

## Example scenario

As a directory service administrator, Pat knows directory services are critical for identity applications.

To prevent performance problems and denial of service, Pat wants to restrict what a misbehaving client can do. Pat also wants to make it easy for applications and users to take advantage of directory services.

Pat knows DS offers many options to set limits and aims to review them in light of the directory service requirements.

## Prerequisites

### Knowledge

Before you start:

* Make sure you are familiar with working with the command line on your operating system.

* If you're new to directory services, work through the [examples to learn LDAP](../getting-started/ldap.html).

### Actions

Before you try the sample commands, install a DS server [in evaluation mode](../getting-started/install.html).

## Tasks

### Task 1: Review enforceable limits

The following tables list available options for enforcing limits. To change limits for:

* A single `ldapsearch` command, use the size or time limit [options](#limits-search-options).

* An application, user, or group of accounts, set [operational attributes](#limits-per-entry).

* A DS server, update configuration settings with the `dsconfig` command.

**ldapsearch options**

| Limit      | Option to use                                |
| ---------- | -------------------------------------------- |
| Size limit | `ldapsearch --sizeLimit <number>`            |
| Time limit | `ldapsearch --timeLimit <number-of-seconds>` |

**Operational attributes**

| Attribute | What it overrides |
| --------- | ----------------- |
| `ds-rlim-idle-time-limit: <number-of-seconds>` | How long an idle connection remains open. |
| `ds-rlim-lookthrough-limit: <number-of-records>` | The maximum number of records to look through when processing a search request. This limit approximates the computational cost of processing a search request. Its value reflects the number of *records* to look through, which can be up to double the number of entries. |
| `ds-rlim-size-limit: <number>` | The maximum number of entries returned for a search. |
| `ds-rlim-time-limit: <number-of-seconds>` | The maximum processing time for a search operation. |

**Request limit settings**

| Setting | Scope | Description |
| ------- | ----- | ----------- |
| [max-request-size](../configref/objects-ldap-connection-handler.html#max-request-size) | Connection handler¹ | The maximum size request this connection handler allows. When client applications add groups with large numbers of members, for example, requests can exceed the default limit. This setting affects only the size of requests, not responses. Default: 5 megabytes |

¹ HTTP and LDAP connection handlers have this setting.

**Connection limits¹**

| Setting | Scope | Description |
| ------- | ----- | ----------- |
| [allowed-client](../configref/objects-global.html#allowed-client) | Global, Connection handler² | The client applications that DS accepts connections from, identified by hostname or IP address. Default: not set |
| [denied-client](../configref/objects-global.html#denied-client) | Global, Connection handler² | The client applications that DS refuses connections from, identified by hostname or IP address. Default: not set |
| [idle-time-limit](../configref/objects-global.html#idle-time-limit) | Global | The maximum number of seconds a client connection may remain established since its last completed operation. If the network drops idle connections, set this to a lower value than the idle time limit for the network. This is particularly useful when networks drop idle connections without notification and without closing the connection. It ensures DS shuts down idle connections in an orderly fashion. DS servers do not enforce idle timeout settings for persistent searches. Default: `0` (seconds), meaning no limit |
| [max-allowed-client-connections](../configref/objects-global.html#max-allowed-client-connections) | Global | The total number of concurrent client connections DS accepts. Each connection uses memory. On Linux systems, each connection uses a file descriptor. Default: `0`, meaning no limit |
| [restricted-client](../configref/objects-global.html#restricted-client) | Global, Connection handler² | The client applications DS limits to `restricted-client-connection-limit` connections. Default: not set |
| [restricted-client-connection-limit](../configref/objects-global.html#restricted-client-connection-limit) | Global, Connection handler² | The maximum number of concurrent connections for specified clients. Default: `100` (connections) |

¹ DS applies the settings in this order:

1. If the `denied-client` property is set, DS denies connections from any client matching the settings.

2. If the `restricted-client` property is set, DS counts the connections from any client matching the settings.

   If a matching client exceeds `restricted-client-connection-limit` connections, DS refuses additional connections.

3. If the `allowed-client` property is set, DS lets any client matching the settings connect.

4. If the limits are not set, DS lets any client connect.

² The settings on a connection handler override the global settings.

**Search limit settings**

| Setting | Scope | Description |
| ------- | ----- | ----------- |
| [max-psearches](../configref/objects-global.html#max-psearches) | Global | The maximum number of concurrent persistent searches. Default: `-1`, meaning no limit |
| [lookthrough-limit](../configref/objects-global.html#lookthrough-limit) | Global | The maximum number of records to look through when processing a search request. This limit approximates the computational cost of processing a search request. Its value reflects the number of *records* to look through, which can be up to double the number of entries. Default: `0` (records), meaning no limit |
| [size-limit](../configref/objects-global.html#size-limit) | Global | The maximum number of entries returned for a single search. Default: `1000` (entries) |
| [time-limit](../configref/objects-global.html#time-limit) | Global | The maximum number of seconds to process a single search. Default: `0` (seconds), meaning no limit |

### Task 2: Override account limits

1. Give an administrator access to update the operational attributes:

   ```console
   $ ldapmodify \
    --hostname localhost \
    --port 1636 \
    --useSsl \
    --trustStorePath /path/to/opendj/config/keystore \
    --trustStoreType PKCS12 \
    --trustStorePassword:file /path/to/opendj/config/keystore.pin \
    --bindDN uid=admin \
    --bindPassword password << EOF
   dn: ou=People,dc=example,dc=com
   changetype: modify
   add: aci
   aci: (targetattr = "ds-rlim-lookthrough-limit||ds-rlim-time-limit||ds-rlim-size-limit")
    (version 3.0;acl "Allow Kirsten Vaughan to manage search limits";
    allow (all) (userdn = "ldap:///uid=kvaughan,ou=People,dc=example,dc=com");)
   EOF
   ```

2. Override the limits for a single entry:

   ```console
   $ ldapmodify \
    --hostname localhost \
    --port 1636 \
    --useSsl \
    --trustStorePath /path/to/opendj/config/keystore \
    --trustStoreType PKCS12 \
    --trustStorePassword:file /path/to/opendj/config/keystore.pin \
    --bindDN uid=kvaughan,ou=people,dc=example,dc=com \
    --bindPassword bribery << EOF
   dn: uid=bjensen,ou=People,dc=example,dc=com
   changetype: modify
   add: ds-rlim-size-limit
   ds-rlim-size-limit: 10
   EOF
   ```

   When Babs Jensen performs an indexed search returning more than 10 entries, she reads the following message:

   ```console
   $ ldapsearch \
    --hostname localhost \
    --port 1636 \
    --useSsl \
    --trustStorePath /path/to/opendj/config/keystore \
    --trustStoreType PKCS12 \
    --trustStorePassword:file /path/to/opendj/config/keystore.pin \
    --bindDN uid=bjensen,ou=people,dc=example,dc=com \
    --bindPassword hifalutin \
    --baseDN dc=example,dc=com \
    "(sn=jensen)"
   ```

   Output:

   ```
   # The LDAP search request failed: 4 (Size Limit Exceeded)
   # Additional Information:  This search operation has sent the maximum of 10 entries to the client
   ```

### Task 2: Override group limits

1. Give an administrator the privilege to write subentries:

   ```console
   $ ldapmodify \
    --hostname localhost \
    --port 1636 \
    --useSsl \
    --trustStorePath /path/to/opendj/config/keystore \
    --trustStoreType PKCS12 \
    --trustStorePassword:file /path/to/opendj/config/keystore.pin \
    --bindDN uid=admin \
    --bindPassword password << EOF
   dn: uid=kvaughan,ou=People,dc=example,dc=com
   changetype: modify
   add: ds-privilege-name
   ds-privilege-name: subentry-write
   EOF
   ```

   Notice here that the directory superuser, `uid=admin`, assigns privileges. Any administrator with the `privilege-change` privilege can assign privileges. However, if the administrator can update administrator privileges, they can assign themselves the `bypass-acl` privilege. Then they are no longer bound by access control instructions, including both user data ACIs and global ACIs. For this reason, do not assign the `privilege-change` privilege to normal administrator users.

2. Create an LDAP subentry to override the limits with collective attributes:

   ```console
   $ ldapmodify \
    --hostname localhost \
    --port 1636 \
    --useSsl \
    --trustStorePath /path/to/opendj/config/keystore \
    --trustStoreType PKCS12 \
    --trustStorePassword:file /path/to/opendj/config/keystore.pin \
    --bindDN uid=kvaughan,ou=people,dc=example,dc=com \
    --bindPassword bribery << EOF
   dn: cn=Remove Administrator Search Limits,dc=example,dc=com
   objectClass: collectiveAttributeSubentry
   objectClass: extensibleObject
   objectClass: subentry
   objectClass: top
   cn: Remove Administrator Search Limits
   ds-rlim-lookthrough-limit;collective: 0
   ds-rlim-size-limit;collective: 0
   ds-rlim-time-limit;collective: 0
   subtreeSpecification: {base "ou=people", specificationFilter
     "(isMemberOf=cn=Directory Administrators,ou=Groups,dc=example,dc=com)" }
   EOF
   ```

   The `base` entry identifies the branch with administrator entries. For details on how subentries apply, refer to [About subentry scope](../config-guide/collective-attrs.html#subentry-scope).

3. Show an administrator account has limits set to `0` (no limit):

   ```console
   $ ldapsearch \
    --hostname localhost \
    --port 1636 \
    --useSsl \
    --trustStorePath /path/to/opendj/config/keystore \
    --trustStoreType PKCS12 \
    --trustStorePassword:file /path/to/opendj/config/keystore.pin \
    --bindDN uid=kvaughan,ou=people,dc=example,dc=com \
    --bindPassword bribery \
    --baseDN uid=kvaughan,ou=people,dc=example,dc=com \
    --searchScope base \
    "(&)" \
    ds-rlim-lookthrough-limit ds-rlim-size-limit ds-rlim-time-limit
   ```

   Output:

   ```
   dn: uid=kvaughan,ou=People,dc=example,dc=com
   ds-rlim-lookthrough-limit: 0
   ds-rlim-size-limit: 0
   ds-rlim-time-limit: 0
   ```

### Task 3: Limit persistent searches

An LDAP persistent search maintains an open connection until the client application ends the search. Whenever a modification changes data in the search scope, DS returns a search result. The more concurrent persistent searches, the more work the server has to do for each modification.

The global property `max-psearches` sets a default limit of 100 total concurrent persistent searches. By default, the global property `max-psearches-policy` is set to `warn`. When DS reaches the limit, it accepts the incoming persistent search request and logs a warning message to the error log.

The following command lowers the limit to 30 persistent searches:

```console
$ dsconfig \
 set-global-configuration-prop \
 --hostname localhost \
 --port 4444 \
 --bindDN uid=admin \
 --bindPassword password \
 --set max-psearches:30 \
 --trustStorePath /path/to/opendj/config/keystore \
 --trustStoreType PKCS12 \
 --trustStorePassword:file /path/to/opendj/config/keystore.pin \
 --no-prompt
```

If you set `max-psearches-policy: reject`, DS rejects incoming persistent search requests once it reaches the limit set by `max-psearches`.

### Task 4: Limit connections

* Limit the total concurrent connections DS accepts.

  The following command sets the limit to 64K (the minimum number of file descriptors to make available to DS on a Linux system):

  ```console
  $ dsconfig \
   set-global-configuration-prop \
   --hostname localhost \
   --port 4444 \
   --bindDN uid=admin \
   --bindPassword password \
   --set max-allowed-client-connections:65536 \
   --trustStorePath /path/to/opendj/config/keystore \
   --trustStoreType PKCS12 \
   --trustStorePassword:file /path/to/opendj/config/keystore.pin \
   --no-prompt
  ```

* Set an idle timeout of 24 hours:

  ```console
  $ dsconfig \
   set-global-configuration-prop \
   --hostname localhost \
   --port 4444 \
   --bindDN uid=admin \
   --bindPassword password \
   --set idle-time-limit:24h \
   --trustStorePath /path/to/opendj/config/keystore \
   --trustStoreType PKCS12 \
   --trustStorePassword:file /path/to/opendj/config/keystore.pin \
   --no-prompt
  ```

* Limit access to clients in the `example.com` domain:

  ```console
  $ dsconfig \
   set-global-configuration-prop \
   --hostname localhost \
   --port 4444 \
   --bindDN uid=admin \
   --bindPassword password \
   --set allowed-client:example.com \
   --trustStorePath /path/to/opendj/config/keystore \
   --trustStoreType PKCS12 \
   --trustStorePassword:file /path/to/opendj/config/keystore.pin \
   --no-prompt
  ```

* Limit clients on the `10.0.0.*` network to 1000 concurrent connections each:

  ```console
  $ dsconfig \
   set-global-configuration-prop \
   --hostname localhost \
   --port 4444 \
   --bindDN uid=admin \
   --bindPassword password \
   --set restricted-client:"10.0.0.*" \
   --set restricted-client-connection-limit:1000 \
   --trustStorePath /path/to/opendj/config/keystore \
   --trustStoreType PKCS12 \
   --trustStorePassword:file /path/to/opendj/config/keystore.pin \
   --no-prompt
  ```
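The following is an added example, not part of the DS product or this page's commands: a Python model of the order in which DS applies `denied-client`, `restricted-client`, `restricted-client-connection-limit`, and `allowed-client` (listed under the connection limits in Task 1), with handler settings overriding global ones, run against the settings configured above. The client-matching semantics (glob match on IP or hostname, or DNS domain suffix of the hostname) and the assumption that a restricted client under its cap must still pass the `allowed-client` check are mine, not documented here.

```python
# Added example (not DS code): a model of the documented order in which DS applies
# its connection-limit properties, with connection handler settings overriding
# global ones. Matching semantics are an assumption: a value matches a client when
# it equals or glob-matches the IP address or hostname, or is a DNS domain suffix
# of the hostname (so "example.com" matches app1.example.com).
from dataclasses import dataclass
from fnmatch import fnmatch
from typing import Optional


@dataclass
class ConnectionLimits:
    """Connection-limit properties at one scope (global or a connection handler).
    None means "not set" at that scope."""
    denied_client: Optional[list] = None
    restricted_client: Optional[list] = None
    restricted_client_connection_limit: Optional[int] = None  # DS default: 100
    allowed_client: Optional[list] = None


def effective_limits(global_cfg: ConnectionLimits,
                     handler_cfg: Optional[ConnectionLimits] = None) -> ConnectionLimits:
    """Settings on a connection handler override the global settings, property by property."""
    merged = ConnectionLimits(**vars(global_cfg))
    if handler_cfg is not None:
        for name, value in vars(handler_cfg).items():
            if value is not None:
                setattr(merged, name, value)
    if merged.restricted_client_connection_limit is None:
        merged.restricted_client_connection_limit = 100
    return merged


def client_matches(patterns: list, ip: str, host: str) -> bool:
    """Assumed matching rule: glob on IP or hostname, or domain suffix of hostname."""
    host = host.lower()
    for pat in patterns:
        pat = pat.lower()
        if fnmatch(ip, pat) or fnmatch(host, pat) or host.endswith("." + pat):
            return True
    return False


def admit(cfg: ConnectionLimits, ip: str, host: str, open_connections: int):
    """Decide whether a new connection from (ip, host) is accepted.
    open_connections is the number of connections this client already holds
    (the count DS keeps for restricted clients). Returns (accepted, reason)."""
    # 1. denied-client: matching clients are refused outright.
    if cfg.denied_client and client_matches(cfg.denied_client, ip, host):
        return False, "refused: matches denied-client"
    # 2. restricted-client: matching clients are counted and capped.
    if cfg.restricted_client and client_matches(cfg.restricted_client, ip, host):
        if open_connections >= cfg.restricted_client_connection_limit:
            return False, "refused: restricted-client-connection-limit reached"
    # 3. allowed-client: when set, only matching clients may connect.
    #    Assumption: a restricted client under its cap still has to pass this step.
    if cfg.allowed_client:
        if client_matches(cfg.allowed_client, ip, host):
            return True, "accepted: matches allowed-client"
        return False, "refused: does not match allowed-client"
    # 4. No limit applies to this client.
    return True, "accepted: no limit applies"


if __name__ == "__main__":
    # Global settings from Task 4, plus a constructed handler-level denied-client.
    g = ConnectionLimits(allowed_client=["example.com"], restricted_client=["10.0.0.*"],
                         restricted_client_connection_limit=1000)
    h = ConnectionLimits(denied_client=["10.0.0.66"])
    cfg = effective_limits(g, h)
    print(admit(cfg, "10.0.0.5", "app1.example.com", 999))    # accepted
    print(admit(cfg, "10.0.0.5", "app1.example.com", 1000))   # cap reached
    print(admit(cfg, "10.0.0.66", "rogue.example.com", 0))    # denied by handler
    print(admit(cfg, "192.0.2.9", "host.other.org", 0))       # not in allowed-client
```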

### Task 5: Permit large requests

The following command increases `max-request-size` to 20 MB for the LDAP connection handler. This lets client applications add large static group entries, for example:

```console
$ dsconfig \
 set-connection-handler-prop \
 --hostname localhost \
 --port 4444 \
 --bindDN uid=admin \
 --bindPassword password \
 --handler-name LDAP \
 --set max-request-size:20mb \
 --trustStorePath /path/to/opendj/config/keystore \
 --trustStoreType PKCS12 \
 --trustStorePassword:file /path/to/opendj/config/keystore.pin \
 --no-prompt
```

## Result codes

When an LDAP application exceeds a limit, DS responds with the appropriate [result code](../ldap-reference/ldap-result-codes.html):

* `3: Time Limit Exceeded` when the request took too long to process.

* `4: Size Limit Exceeded` when the request returned too many entries.

* `11: Administrative Limit Exceeded` when the request exceeded a limit imposed by one of the other settings.

Refer to any additional information DS returns with the result to determine what action to take.
