Client connection policies can specify resource limits, helping to ensure that no single client monopolizes server resources. You can limit the total number of connections to a server from a particular client or from clients that match specified criteria. You can also limit the duration of the connection.

A client connection policy may only be used to enforce additional restrictions on a client connection. You can never use it to grant a client capabilities that it would not otherwise have.

Any change to these configuration properties only affects client connections that are assigned to the client connection policy after the change is made. A connection that was associated with the client connection policy before the change continues to be subject to the configuration that was in place at the time it was associated with that policy, until it is re-evaluated (for example, after a bind or StartTLS operation) or closed.

Property Description
maximum-concurrent-connections Specifies the maximum number of client connections that can be associated with that client connection policy at any given time. The default value of zero indicates that no limit will be enforced.

If the server already has the maximum number of connections associated with a client connection policy, then any attempt to associate another connection with that policy (e.g., newly-established connections or an existing connection that has done something to change its client connection policy, such as perform a bind or StartTLS operation) will cause that connection to be terminated.

terminate-connection Specifies that any client connection for which the client connection policy is selected (whether it is a new connection or an existing connection that is assigned to the client connection policy after performing a bind or StartTLS operation) will be immediately terminated.

This property can be used to define criteria for connections that you do not want to be allowed to communicate with the Directory Server.

maximum-connection-duration Specifies the maximum length of time that a connection associated with the client connection policy can remain established to the Directory Server, regardless of the amount of activity on that connection.

A value of "0 seconds" (default) indicates that no limit will be enforced. If a connection associated with the client connection policy has been established for longer than this time, then it will be terminated.

maximum-idle-connection-duration Specifies the maximum length of time that a connection associated with the client connection policy can remain established with the Directory Server without any requests in progress.

A value of "0 seconds" (default) indicates that no additional limit will be enforced on top of whatever idle time limit might already be in effect for an associated connection. If a nonzero value is provided, then the effective idle time limit for any client connection will be the smaller of the maximum-idle-connection-duration from the client connection policy and the idle time limit that would otherwise be in effect for that client.

This property can be used to apply a further restriction on top of any value that may be enforced by the idle-time-limit global configuration property (which defines a default idle time limit for client connections) or the ds-rlim-idle-time-limit operational attribute (which may be included in a user entry to override the default idle time limit for that user).

maximum-operation-count-per-connection Specifies the maximum number of operations that a client associated with the client connection policy will be allowed to request. A value of zero (default) indicates that no limit will be enforced. If a client attempts to request more than this number of operations on the same connection, then that connection will be terminated.
maximum-concurrent-operations-per-connection Specifies the maximum number of operations that may be in progress at any time on the same client connection. This limit is only relevant for clients that issue operations asynchronously, with multiple requests outstanding on one connection at a time.

A value of zero (default) indicates that no limit will be enforced.

If a client already has the maximum number of outstanding requests in progress and issues a new request, then that request will be delayed and/or rejected based on the value of the maximum-concurrent-operation-wait-time-before-rejecting property.

maximum-concurrent-operation-wait-time-before-rejecting Specifies the maximum length of time that the server will wait for one of the outstanding operations on a connection to complete when a new request arrives on that connection while the maximum number of concurrent operations is already in progress.

A value of “0 seconds” (default) indicates that any new requests received while the maximum number of outstanding requests are already in progress for that connection will be immediately rejected.

If an outstanding operation completes before this time expires, then the new request will be processed. If the time expires first, the new request will be rejected.

maximum-ldap-join-size-limit Specifies the maximum number of entries that can be directly joined with any individual search result entry. A value of zero indicates that no LDAP join size limit is enforced. The limit can be overridden on a per-user basis using the ds-rlim-ldap-join-size-limit operational attribute. The LDAP join size limit is also restricted by the search operation size limit. If a search result entry is joined with more entries than allowed, the join result control will have a "size limit exceeded" (integer value 4) result code.
allowed-request-control Specifies the OIDs of the request controls that clients associated with the client connection policy will be allowed to use.

If any allowed-request-control OIDs are specified, then any request which includes a control not in that set will be rejected. If no allowed-request-control values are specified (default), then any control whose OID is not included in the set of denied-request-control values will be allowed.

denied-request-control Specifies the OIDs of the request controls that clients associated with the client connection policy will not be allowed to use. If there are any denied-request-control values, then any request containing a control whose OID is included in that set will be rejected.

If there are no denied-request-control values (default), then any request control will be allowed if the allowed-request-control property is also empty, or only those controls whose OIDs are included in the set of allowed-request-control values will be allowed if at least one allowed-request-control value is provided.

allowed-filter-type Specifies the types of components which may be used in filters included in search operations with a non-base scope that are requested by clients associated with the client connection policy. Any non-base scoped search request whose filter contains a component not included in this set will be rejected. The set of possible filter types include:
  • and
  • or
  • not
  • equality
  • sub-initial
  • sub-any
  • sub-final
  • greater-or-equal
  • less-or-equal
  • approximate-match
  • extensible-match

By default, all filter types will be allowed. Also note that no restriction will be placed on the types of filters which may be used in searches with a base scope.

allow-unindexed-searches Specifies whether clients associated with the client connection policy will be allowed to request searches that cannot be processed efficiently using the configured set of indexes. Clients are still required to have the unindexed-search privilege, so this property cannot grant the ability to perform unindexed searches to clients that would not otherwise have it. It can, however, be used to prevent clients associated with the client connection policy from requesting unindexed searches even when their privileges would otherwise allow it.

By default, this has a value of "true", indicating that any client associated with the client connection policy that has the unindexed-search privilege will be allowed to request unindexed searches.

minimum-substring-length Specifies the minimum number of bytes that may be present in any subInitial, subAny, or subFinal element of a substring search filter component in a search with a non-baseObject scope. A value of one (the default) indicates that no limit will be enforced. This property may be used to prevent clients from issuing overly vague substring searches that would require the Directory Server to examine too many entries over the course of processing the request.
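The following model shows how the allowed-filter-type and minimum-substring-length restrictions above combine when a non-base search arrives. It is an added example written for this page, not the Directory Server's own implementation: it parses the common RFC 4515 filter forms into the component types listed above (the parser, scope names and the "reason" strings are assumptions of this example, not server identifiers), and applies the two policy rules. Presence filters such as (objectClass=*) have no component type in the list above and are therefore left unrestricted here.

```python
"""Model of the allowed-filter-type / minimum-substring-length checks.

Added example for this page; not the Directory Server's own code. The
filter parser covers the plain RFC 4515 forms (no escape handling).
"""
from __future__ import annotations

# The set of filter types listed on the page (the default: everything allowed).
ALL_FILTER_TYPES = frozenset({
    "and", "or", "not", "equality", "sub-initial", "sub-any", "sub-final",
    "greater-or-equal", "less-or-equal", "approximate-match", "extensible-match",
})


def _split_top_level(body: str) -> list[str]:
    """Split '(a)(b)(c)' into ['(a)', '(b)', '(c)'], respecting nesting."""
    parts, depth, start = [], 0, 0
    for i, ch in enumerate(body):
        if ch == "(":
            if depth == 0:
                start = i
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth == 0:
                parts.append(body[start:i + 1])
    return parts


def filter_components(filt: str) -> list[tuple[str, int]]:
    """Return (filter-type, element-length-in-bytes) for every component.

    The length is only meaningful for sub-initial / sub-any / sub-final;
    it is 0 for all other component types.
    """
    if not (filt.startswith("(") and filt.endswith(")")):
        raise ValueError("filter must be parenthesised: %r" % filt)
    inner = filt[1:-1]
    if inner[:1] in ("&", "|", "!"):
        kind = {"&": "and", "|": "or", "!": "not"}[inner[0]]
        out = [(kind, 0)]
        for sub in _split_top_level(inner[1:]):
            out.extend(filter_components(sub))
        return out
    eq = inner.index("=")
    # The character before the first '=' tells the comparison type.
    prefix = inner[eq - 1] if eq > 0 else ""
    if prefix == ">":
        return [("greater-or-equal", 0)]
    if prefix == "<":
        return [("less-or-equal", 0)]
    if prefix == "~":
        return [("approximate-match", 0)]
    if prefix == ":":
        return [("extensible-match", 0)]
    value = inner[eq + 1:]
    if "*" not in value:
        return [("equality", 0)]
    pieces = value.split("*")          # presence filter: ['', ''] -> nothing
    out: list[tuple[str, int]] = []
    if pieces[0]:
        out.append(("sub-initial", len(pieces[0].encode("utf-8"))))
    for any_piece in pieces[1:-1]:
        if any_piece:
            out.append(("sub-any", len(any_piece.encode("utf-8"))))
    if pieces[-1]:
        out.append(("sub-final", len(pieces[-1].encode("utf-8"))))
    return out


def check_search_filter(filt: str, scope: str,
                        allowed_filter_types: frozenset[str] = ALL_FILTER_TYPES,
                        minimum_substring_length: int = 1) -> str | None:
    """Return None if the search is acceptable, otherwise the rejection reason.

    scope is one of "base", "one", "sub" (example names). Per the policy
    semantics, base-scope searches are never restricted by either property.
    """
    if scope == "base":
        return None
    for kind, length in filter_components(filt):
        if kind not in allowed_filter_types:
            return "filter type %s not allowed" % kind
        if kind.startswith("sub-") and length < minimum_substring_length:
            return "substring element shorter than %d bytes" % minimum_substring_length
    return None


if __name__ == "__main__":
    strict = ALL_FILTER_TYPES - {"approximate-match"}
    for f, scope in [("(cn=a*)", "sub"), ("(cn=abc*)", "sub"),
                     ("(sn~=smith)", "one"), ("(sn~=smith)", "base")]:
        print(f, scope, check_search_filter(f, scope, strict, 3))
```

A single-character leading wildcard element such as (cn=a*) is what minimum-substring-length is meant to stop; the same filter is accepted with a base scope, because neither property applies to base searches.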
maximum-search-size-limit Specifies the maximum number of entries that may be returned from any single search operation requested by a client associated with this client connection policy. Note that this property only specifies a maximum limit and will never increase any limit that may already be in effect for the client via the size-limit global configuration property or the ds-rlim-size-limit operational attribute.

A value of zero (default) indicates that no additional limit will be enforced on top of whatever size limit might already be in effect for an associated connection.

If a nonzero value is provided, then the effective maximum size limit for any search operation requested by the client will be the smaller of the size limit from that search request, the maximum-search-size-limit from the client connection policy, and the size limit that would otherwise be in effect for that client.
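The two rules that recur in this table are that denied-request-control and allowed-request-control are evaluated together, and that a policy's maximum-search-size-limit (like its maximum-idle-connection-duration) only ever lowers a limit already in effect from the global property, the ds-rlim-* operational attribute or the request itself. The model below, an added example for this page rather than the server's own code, makes both rules explicit; the OIDs in the demo are well-known standard controls used only as sample input, and the function names are this example's own.

```python
"""Model of control allow/deny evaluation and of limit composition.

Added example for this page; not the Directory Server's own code.
"""
from __future__ import annotations

# Sample OIDs (constructed input for the demo): simple paged results and
# ManageDsaIT, two widely used standard request controls.
PAGED_RESULTS = "1.2.840.113556.1.4.319"
MANAGE_DSA_IT = "2.16.840.1.113730.3.4.2"


def control_allowed(oid: str, allowed: frozenset[str], denied: frozenset[str]) -> bool:
    """Apply allowed-request-control / denied-request-control to one control.

    A control listed in denied-request-control is always rejected. If
    allowed-request-control is non-empty it acts as an allow-list; if both
    sets are empty every control is accepted.
    """
    if oid in denied:
        return False
    if allowed:
        return oid in allowed
    return True


def request_allowed(control_oids: list[str], allowed: frozenset[str],
                    denied: frozenset[str]) -> bool:
    """A request is rejected if any one of its controls is not allowed."""
    return all(control_allowed(oid, allowed, denied) for oid in control_oids)


def effective_limit(policy_limit: int, *existing_limits: int) -> int:
    """Combine a policy maximum with the limits already in effect.

    0 means "no limit" for every input (the policy default of 0 adds no
    restriction; a global property or ds-rlim-* value of 0 is unlimited; a
    search request may also ask for no limit). The result is the smallest
    nonzero value, so the policy can lower a limit but never raise one.
    """
    active = [v for v in (policy_limit, *existing_limits) if v > 0]
    return min(active) if active else 0


def effective_search_size_limit(request_size_limit: int, policy_max: int,
                                user_or_global_limit: int) -> int:
    """maximum-search-size-limit composed with the request and the
    size-limit / ds-rlim-size-limit value already in effect."""
    return effective_limit(policy_max, request_size_limit, user_or_global_limit)


if __name__ == "__main__":
    only_paging = frozenset({PAGED_RESULTS})
    print(request_allowed([PAGED_RESULTS], only_paging, frozenset()))        # True
    print(request_allowed([PAGED_RESULTS, MANAGE_DSA_IT], only_paging, frozenset()))  # False
    # A user with ds-rlim-size-limit 100 is not raised to the policy's 500.
    print(effective_search_size_limit(0, 500, 100))                            # 100
```

The same effective_limit composition applies to maximum-idle-connection-duration against idle-time-limit and ds-rlim-idle-time-limit: a policy value of 0 leaves the existing idle limit alone, and a nonzero value only takes effect when it is the smaller of the two.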