Client connection policies can specify resource limits, helping to ensure that no single client monopolizes server resources. You can limit the total number of connections to a server from a particular client or from clients that match specified criteria. You can also limit the duration of the connection.
A client connection policy may only be used to enforce additional restrictions on a client connection. You can never use it to grant a client capabilities that it would not otherwise have.
A change to any of these properties affects only client connections that are assigned to the client connection policy after the change is made. A connection that was already associated with the policy continues to be subject to the configuration that was in place when it was associated with the policy; it picks up the new values only if it is assigned to the policy again, for example after a bind or StartTLS operation causes its policy to be re-evaluated.
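The rules that the property descriptions below keep repeating (zero means unlimited, a policy value can only lower an effective limit, the privilege is still required, a connection or request is terminated or rejected once a counter is exhausted) are easier to reason about as code. The following Python model is an added example, not the Directory Server's own code: the class and method names (ClientConnectionPolicy, Connection, effective_limit, assign, request) are assumed for illustration, while the attribute names mirror the configuration properties in the table that follows. The two control OIDs used in the usage note are the simple paged results (1.2.840.113556.1.4.319) and server-side sort (1.2.840.113556.1.4.473) request controls, chosen only as familiar sample values.

```python
from dataclasses import dataclass, field

UNLIMITED = 0  # server convention from the property table: a value of 0 means "no limit enforced"


def effective_limit(*limits: int) -> int:
    """Combine limits that are all in effect at once.

    The result is the smallest nonzero limit, or 0 (unlimited) if none is set.
    A policy value can therefore only lower the effective limit, never raise it,
    which is the "restrict, never grant" rule for client connection policies.
    """
    active = [limit for limit in limits if limit > UNLIMITED]
    return min(active) if active else UNLIMITED


@dataclass
class ClientConnectionPolicy:
    """Subset of the resource-limit properties, named as in the table (hypothetical class)."""
    maximum_concurrent_connections: int = UNLIMITED
    maximum_operation_count_per_connection: int = UNLIMITED
    maximum_concurrent_operations_per_connection: int = UNLIMITED
    maximum_concurrent_operation_wait_time_before_rejecting: float = 0.0  # seconds
    maximum_search_size_limit: int = UNLIMITED
    allow_unindexed_searches: bool = True
    allowed_request_control: frozenset = frozenset()  # OIDs; an empty set means no restriction
    denied_request_control: frozenset = frozenset()   # OIDs
    terminate_connection: bool = False
    assigned: set = field(default_factory=set)        # ids of connections currently assigned

    def assign(self, conn_id: int) -> bool:
        """Associate a connection with this policy (a new connection, or an existing one
        re-evaluated after bind/StartTLS). Returns False when the connection is terminated."""
        if self.terminate_connection:
            return False
        if (self.maximum_concurrent_connections != UNLIMITED
                and len(self.assigned) >= self.maximum_concurrent_connections):
            return False
        self.assigned.add(conn_id)
        return True

    def release(self, conn_id: int) -> None:
        self.assigned.discard(conn_id)

    def control_allowed(self, oid: str) -> bool:
        """allowed-request-control is a whitelist only when non-empty; denied-request-control always applies."""
        if self.allowed_request_control and oid not in self.allowed_request_control:
            return False
        return oid not in self.denied_request_control

    def search_size_limit(self, request_limit: int, global_size_limit: int, user_size_limit: int) -> int:
        """Effective size limit: the request's value, size-limit, ds-rlim-size-limit and the policy."""
        return effective_limit(request_limit, global_size_limit, user_size_limit,
                               self.maximum_search_size_limit)

    def unindexed_search_allowed(self, has_unindexed_search_privilege: bool) -> bool:
        """The unindexed-search privilege is still required; the policy can only withhold, not grant."""
        return has_unindexed_search_privilege and self.allow_unindexed_searches


@dataclass
class Connection:
    """Per-connection counters that the operation limits are checked against (hypothetical class)."""
    conn_id: int
    policy: ClientConnectionPolicy
    requested_ops: int = 0
    outstanding_ops: int = 0

    def request(self, controls=(), slot_freed_before_wait_expires: bool = False) -> str:
        """Outcome for one new request: 'accepted', 'rejected' or 'terminated'.

        slot_freed_before_wait_expires stands in for the server waiting up to
        maximum-concurrent-operation-wait-time-before-rejecting for an outstanding
        operation to complete.
        """
        p = self.policy
        self.requested_ops += 1
        if (p.maximum_operation_count_per_connection != UNLIMITED
                and self.requested_ops > p.maximum_operation_count_per_connection):
            return "terminated"          # too many operations over the connection's lifetime
        if any(not p.control_allowed(oid) for oid in controls):
            return "rejected"            # request carries a disallowed control
        if (p.maximum_concurrent_operations_per_connection != UNLIMITED
                and self.outstanding_ops >= p.maximum_concurrent_operations_per_connection):
            if (p.maximum_concurrent_operation_wait_time_before_rejecting == 0
                    or not slot_freed_before_wait_expires):
                return "rejected"        # immediate rejection, or the wait time expired
            self.outstanding_ops -= 1    # an outstanding operation completed in time
        self.outstanding_ops += 1
        return "accepted"

    def complete(self) -> None:
        self.outstanding_ops -= 1
```

A policy built as `ClientConnectionPolicy(maximum_concurrent_connections=2, maximum_search_size_limit=500, allow_unindexed_searches=False)` admits two connections and terminates a third, returns 500 as the size limit when the global size-limit is 1000 and the request asks for no limit, returns 100 when the request itself asks for 100, and reports `unindexed_search_allowed(True)` as False even though the client holds the privilege. Nothing in the model can produce a limit higher than what the client already had, which is the point of the second paragraph above.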
Property | Description |
---|---|
maximum-concurrent-connections | Specifies the maximum number of client connections that can be associated with the client connection policy at any given time. The default value of zero indicates that no limit will be enforced. If the server already has the maximum number of connections associated with the policy, then any attempt to associate another connection with it (a newly established connection, or an existing connection whose policy is re-evaluated because it did something such as a bind or StartTLS operation) will cause that connection to be terminated. |
terminate-connection | Specifies that any client connection for which the client connection policy is selected (whether a new connection or an existing connection assigned to the policy after a bind or StartTLS operation) will be terminated immediately. Use this property to define criteria for connections that should not be allowed to communicate with the Directory Server at all. |
maximum-connection-duration | Specifies the maximum length of time that a connection associated with the client connection policy may remain established to the Directory Server, regardless of how active the connection is. A value of "0 seconds" (default) indicates that no limit will be enforced. A connection that has been established for longer than this time will be terminated. |
maximum-idle-connection-duration | Specifies the maximum length of time that a connection associated with the client connection policy may remain established to the Directory Server with no requests in progress. A value of "0 seconds" (default) indicates that no additional limit will be enforced on top of whatever idle time limit is already in effect for the connection. If a nonzero value is provided, the effective idle time limit for a connection is the smaller of the idle time limit already in effect and this value, so the property can only tighten an existing idle time limit, never relax it. |
maximum-operation-count-per-connection | Specifies the maximum number of operations that a client associated with the client connection policy will be allowed to request. A value of zero (default) indicates that no limit will be enforced. If a client attempts to request more than this number of operations on the same connection, then that connection will be terminated. |
maximum-concurrent-operations-per-connection | Specifies the maximum number of operations that may be active at any time on the same client connection. This limit applies only to clients that issue asynchronous operations with multiple outstanding requests at a time. A value of zero (default) indicates that no limit will be enforced. If a client already has the maximum number of requests in progress and issues a new request, that request will be delayed or rejected according to the value of the maximum-concurrent-operation-wait-time-before-rejecting property. |
maximum-concurrent-operation-wait-time-before-rejecting | Specifies the maximum length of time that a client connection will wait for an outstanding operation to complete when the maximum number of concurrent operations for the connection is already in progress at the time a new request is received. A value of "0 seconds" (default) indicates that a new request received while the maximum number of outstanding requests are in progress will be rejected immediately. If an outstanding operation completes before this time expires, the server may process the new request; if the time expires first, the new request is rejected. |
maximum-ldap-join-size-limit | Specifies the maximum number of entries that can be directly joined with any individual search result entry. A value of zero indicates that no LDAP join size limit is enforced. The limit can be overridden on a per-user basis using the ds-rlim-ldap-join-size-limit operational attribute. The LDAP join size limit is also restricted by the search operation size limit. If a search result entry is joined with more entries than allowed, the join result control will have a "size limit exceeded" (integer value 4) result code. |
allowed-request-control | Specifies the OIDs of the request controls that clients associated with the client connection policy will be allowed to use. If any allowed-request-control OIDs are specified, then any request that includes a control not in that set will be rejected; requests are only checked against this set when it is non-empty. |
denied-request-control | Specifies the OIDs of the request controls that clients associated with the client connection policy will not be allowed to use. If any denied-request-control values are specified, then any request containing a control whose OID is in that set will be rejected; with no values, no control is rejected on this basis. |
allowed-filter-type | Specifies the types of components that may be used in the filters of non-base-scope search operations requested by clients associated with the client connection policy. Any search request with a non-base scope whose filter contains a component type not in this set will be rejected. By default, all filter types are allowed. No restriction is placed on the filter components used in searches with a base scope. |
allow-unindexed-searches | Specifies whether clients associated with the client connection policy will be allowed to request searches that cannot be processed efficiently using the configured set of indexes. Clients still require the unindexed-search privilege, so this property cannot grant the ability to perform unindexed searches to clients that would not otherwise have it; it can only prevent clients associated with the policy from requesting unindexed searches they would otherwise have been allowed to perform. The default value of "true" indicates that any client associated with the policy that has the unindexed-search privilege may request unindexed searches. |
minimum-substring-length | Specifies the minimum number of bytes that may be present in any subInitial, subAny, or subFinal element of a substring filter component in a search with a non-baseObject scope. A value of one (the default) indicates that no limit will be enforced. This property can be used to prevent clients from issuing overly vague substring searches that would require the Directory Server to examine too many entries while processing the request. |
maximum-search-size-limit | Specifies the maximum number of entries that may be returned from any single search operation requested by a client associated with this client connection policy. This property only specifies a maximum and will never increase any limit already in effect for the client via the size-limit global configuration property or the ds-rlim-size-limit operational attribute. A value of zero (default) indicates that no additional limit will be enforced on top of whatever size limit is already in effect for the connection. If a nonzero value is provided, the effective size limit for any search operation requested by the client is the smallest of the size limit in the search request, the size-limit global configuration property, the ds-rlim-size-limit operational attribute, and this property. |
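The allowed-filter-type and minimum-substring-length checks are easiest to understand over concrete filter strings, because both depend on how the server decomposes a filter into components and on the search scope. The following Python is an added example, not the Directory Server's own code: it parses an LDAP search filter in its RFC 4515 string form into a component tree, counts substring element lengths in bytes after decoding `\XX` escapes, and applies the two checks with the rule from the table that base-scope searches are exempt. The component type labels, the function names (parse_filter, check_search_filter) and the sample filters are assumptions made for illustration; the server's own enumeration of filter types is not reproduced on this page.

```python
from dataclasses import dataclass, field
from typing import Iterator, List, Tuple

# Component type labels used by this example (assumed names, not the server's own enumeration).
ALL_FILTER_TYPES = frozenset({
    "and", "or", "not", "equality", "substring", "greater-or-equal",
    "less-or-equal", "present", "approximate-match", "extensible-match",
})
_OPS = {">=": "greater-or-equal", "<=": "less-or-equal", "~=": "approximate-match"}


@dataclass
class Component:
    ftype: str
    substrings: List[int] = field(default_factory=list)   # byte lengths of subInitial/subAny/subFinal
    children: List["Component"] = field(default_factory=list)


def parse_filter(text: str) -> Component:
    """Parse an LDAP search filter (RFC 4515 string form) into a component tree."""
    comp, pos = _parse(text, 0)
    if pos != len(text):
        raise ValueError(f"unexpected trailing data at offset {pos}")
    return comp


def _parse(text: str, pos: int) -> Tuple[Component, int]:
    if text[pos] != "(":
        raise ValueError(f"expected '(' at offset {pos}")
    pos += 1
    if text[pos] in "&|!":                   # compound filter: (&...), (|...), (!...)
        ftype = {"&": "and", "|": "or", "!": "not"}[text[pos]]
        pos += 1
        children = []
        while text[pos] == "(":
            child, pos = _parse(text, pos)
            children.append(child)
        if text[pos] != ")":
            raise ValueError(f"expected ')' at offset {pos}")
        if ftype == "not" and len(children) != 1:
            raise ValueError("'!' takes exactly one filter")
        return Component(ftype, children=children), pos + 1
    i = pos                                  # simple item: attribute, operator, value, ')'
    while text[i].isalnum() or text[i] in ".;-_":
        i += 1
    if text[i] == ":":                       # extensible match: attr[:dn][:rule]:=value
        i, ftype = text.index(":=", i) + 2, "extensible-match"
    elif text[i:i + 2] in _OPS:
        i, ftype = i + 2, _OPS[text[i:i + 2]]
    elif text[i] == "=":
        i, ftype = i + 1, "equality"
    else:
        raise ValueError(f"bad filter item at offset {pos}")
    end = text.index(")", i)                 # a literal ')' inside a value must be escaped as \29
    value = text[i:end]
    substrings: List[int] = []
    if ftype == "equality":
        if value == "*":
            ftype = "present"
        elif "*" in value:                   # unescaped '*' separates subInitial/subAny.../subFinal
            ftype = "substring"
            substrings = [len(_unescape(part)) for part in value.split("*") if part]
    return Component(ftype, substrings), end + 1


def _unescape(value: str) -> bytes:
    """Decode RFC 4515 \\XX escapes so element lengths are counted in bytes."""
    out = bytearray()
    i = 0
    while i < len(value):
        if value[i] == "\\":
            out.append(int(value[i + 1:i + 3], 16))
            i += 3
        else:
            out += value[i].encode("utf-8")
            i += 1
    return bytes(out)


def _walk(comp: Component) -> Iterator[Component]:
    yield comp
    for child in comp.children:
        yield from _walk(child)


def check_search_filter(filter_text: str, scope: str,
                        allowed_filter_type=ALL_FILTER_TYPES,
                        minimum_substring_length: int = 1) -> Tuple[bool, str]:
    """Return (accepted, reason) for a search's filter under the two policy properties.

    Neither property applies to base-scope searches, and a minimum length of 1 is
    effectively no limit because every non-empty element is at least one byte.
    """
    root = parse_filter(filter_text)
    if scope == "base":
        return True, "base scope: filter restrictions do not apply"
    for comp in _walk(root):
        if comp.ftype not in allowed_filter_type:
            return False, f"filter type '{comp.ftype}' is not in allowed-filter-type"
        if comp.ftype == "substring" and any(n < minimum_substring_length for n in comp.substrings):
            return False, f"substring element shorter than minimum-substring-length ({minimum_substring_length})"
    return True, "accepted"
```

With minimum_substring_length set to 3, `check_search_filter("(cn=ab*)", "sub", minimum_substring_length=3)` is rejected while the same filter with scope "base" is accepted, and `(cn=\2a)` parses as an equality component rather than a substring because the asterisk is escaped. Counting in bytes matters for the security purpose of the property: a one-character prefix such as `(cn=é*)` is two bytes, so a byte-based minimum of 3 still rejects it.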