Sun Java System Directory Server Enterprise Edition 6.3 Deployment Planning Guide

Limiting Directory Server Resources Available to Clients

The default configuration of Directory Server can allow client applications to use more Directory Server resources than are required.

The following uses of resources can hurt directory performance:

In some deployment situations, you should not modify the default configuration. For deployments where you cannot tune Directory Server, use Directory Proxy Server to limit resources, and to protect against denial of service attacks.

In some deployment situations, one instance of Directory Server must support client applications, such as messaging servers, and directory clients such as user mail applications. In such situations, consider using bind DN based resource limits to raise individual limits for directory intensive applications. The limits for an individual account can be adjusted by setting the attributes nsSizeLimit, nsTimeLimit, nsLookThroughLimit, and nsIdleTimeout on the individual entry. For information about how to control resource limits for individual accounts, see Setting Resource Limits For Each Client Account in Sun Java System Directory Server Enterprise Edition 6.3 Administration Guide.

Table 6–1 describes the parameters that set the global values for resource limits. The limits in Table 6–1 do not apply to the Directory Manager user; therefore, ensure that client applications do not connect as the Directory Manager user.

Table 6–1 Tuning Recommendations For Resources Devoted to Client Applications

Columns: Tuning Parameter, Description

Tuning parameter: idle-timeout (server property)

Description: Sets the time in seconds after which Directory Server closes an idle client connection. Here idle means that the connection remains open, yet no operations are requested. By default, no time limit is set.

You set this server property with the dsconf set-server-prop command.

Some applications, such as messaging servers, may open a pool of connections that remain idle when traffic is low, but that should not be closed. Ideally, you might dedicate a replica to support the application in this case. If that is not possible, consider bind DN based individual limits.

In any case, set this value high enough not to close connections that other applications expect to remain open, but low enough that connections cannot be left idle abusively. Consider setting it to 7200 seconds, which is 2 hours, for example.

Tuning parameter: nsslapd-ioblocktimeout on dn: cn=config (attribute)

Description: Sets the time in milliseconds after which Directory Server closes a stalled client connection. Here stalled means that the server is blocked either sending output to the client or reading input from the client.

You set this attribute with the ldapmodify command.

For Directory Server instances particularly exposed to denial of service attacks, consider lowering this value from the default of 1,800,000 milliseconds, which is 30 minutes.

Tuning parameter: look-through-limit (server property)

Description: Sets the maximum number of candidate entries checked for matches during a search.

You set this server property with the dsconf set-server-prop command.

Some applications, such as messaging servers, may need to search the entire directory. Ideally, you might dedicate a replica to support the application in this case. If that is not possible, consider bind DN based individual limits.

In any case, consider lowering this value from the default of 5000 entries, but not below the threshold value of search-size-limit.

Tuning parameter: nsslapd-maxbersize on dn: cn=config (attribute)

Description: Sets the maximum size in bytes for an incoming ASN.1 message encoded according to Basic Encoding Rules, BER. Directory Server rejects requests to add entries larger than this limit.

You set this attribute with the ldapmodify command.

If you are confident that you can accurately anticipate the maximum entry size for your directory data, consider changing this value from the default of 2097152, which is 2 MB, to the size of the largest expected directory entry.

The next largest size limit for an update is the size of the transaction log file, nsslapd-db-logfile-size, which by default is 10 MB.

Tuning parameter: max-threads-per-connection-count (server property)

Description: Sets the maximum number of threads per client connection.

You set this server property with the dsconf set-server-prop command.

Some applications, such as messaging servers, may open a pool of connections and may issue many requests on each connection. Ideally, you might dedicate a replica to support the application in this case. If that is not possible, consider bind DN based individual limits.

If you anticipate that some applications may perform many requests per connection, consider increasing this value from the default of 5, but do not specify more than 10 threads per connection.

Tuning parameter: search-size-limit (server property)

Description: Sets the maximum number of entries Directory Server returns in response to a search request.

You set this server property with the dsconf set-server-prop command.

Some applications, such as messaging servers, may need to search the entire directory. Ideally, you might dedicate a replica to support the application in this case. If that is not possible, consider bind DN based individual limits.

In any case, consider lowering this value from the default of 2000 entries.

Tuning parameter: search-time-limit (server property)

Description: Sets the maximum number of seconds Directory Server allows for handling a search request.

You set this server property with the dsconf set-server-prop command.

Some applications, such as messaging servers, may need to perform very large searches. Ideally, you might dedicate a replica to support the application in this case. If that is not possible, consider bind DN based individual limits.

In any case, set this value as low as you can and still meet deployment requirements. The default value of 3600 seconds, which is 1 hour, is larger than necessary for many deployments. Consider using 600 seconds, which is 10 minutes, as a starting point for optimization tests.
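The following script is an added example and is not part of the Sun documentation or of the Directory Server product. It takes a planned set of global limits, checks the plan against the constraints stated in Table 6–1 (look-through-limit not below search-size-limit, at most 10 threads per connection, nsslapd-maxbersize not beyond the transaction log file size) and renders the dsconf set-server-prop lines and the ldapmodify LDIF that would apply it, plus the per-account LDIF for the bind DN based overrides named earlier (nsSizeLimit, nsTimeLimit, nsLookThroughLimit, nsIdleTimeout). The host name, port, account DN and the values in EXAMPLE_PLAN are constructed placeholders; the dsconf command syntax is reproduced as the editor understands it from the guide and should be checked against the Administration Guide before use.

```python
"""Plan, validate and render Directory Server client resource limits.

Added example, not code from the Sun DSEE documentation. Host, port, account
DN and the example plan values are constructed placeholders.
"""

# Server properties set with "dsconf set-server-prop", mapped to the
# per-account override attribute the guide names for each (None if none).
SERVER_PROPS = {
    "idle-timeout": "nsIdleTimeout",
    "look-through-limit": "nsLookThroughLimit",
    "max-threads-per-connection-count": None,
    "search-size-limit": "nsSizeLimit",
    "search-time-limit": "nsTimeLimit",
}

# Attributes on dn: cn=config that are set with ldapmodify.
CONFIG_ATTRS = ("nsslapd-ioblocktimeout", "nsslapd-maxbersize")

# Default of nsslapd-db-logfile-size (10 MB), the next size limit an update hits.
DB_LOGFILE_SIZE_DEFAULT = 10 * 1024 * 1024


def validate_plan(plan, db_logfile_size=DB_LOGFILE_SIZE_DEFAULT):
    """Return a list of problems; an empty list means the plan follows the guide."""
    problems = []
    for name, value in plan.items():
        if name not in SERVER_PROPS and name not in CONFIG_ATTRS:
            problems.append(f"unknown parameter {name}")
        elif not isinstance(value, int) or value < 0:
            problems.append(f"{name} must be a non-negative integer")
    look_through = plan.get("look-through-limit")
    size_limit = plan.get("search-size-limit")
    if look_through is not None and size_limit is not None and look_through < size_limit:
        problems.append("look-through-limit must not be below search-size-limit")
    threads = plan.get("max-threads-per-connection-count")
    if threads is not None and threads > 10:
        problems.append("max-threads-per-connection-count should not exceed 10")
    bersize = plan.get("nsslapd-maxbersize")
    if bersize is not None and bersize > db_logfile_size:
        problems.append("nsslapd-maxbersize exceeds nsslapd-db-logfile-size")
    return problems


def render_dsconf(plan, host="ds.example.com", port=389):
    """One dsconf set-server-prop command line per server property in the plan."""
    return [
        f"dsconf set-server-prop -h {host} -p {port} {name}:{plan[name]}"
        for name in SERVER_PROPS
        if name in plan
    ]


def _modify_ldif(dn, changes):
    """Build an ldapmodify 'replace' LDIF record for dn from (attr, value) pairs."""
    lines = [f"dn: {dn}", "changetype: modify"]
    for i, (attr, value) in enumerate(changes):
        if i:
            lines.append("-")  # separates modifications within one record
        lines += [f"replace: {attr}", f"{attr}: {value}"]
    return "\n".join(lines) + "\n"


def render_config_ldif(plan):
    """LDIF that replaces the cn=config attributes present in the plan."""
    changes = [(name, plan[name]) for name in CONFIG_ATTRS if name in plan]
    return _modify_ldif("cn=config", changes) if changes else ""


def render_account_ldif(account_dn, overrides):
    """LDIF raising the per-account limits on one bind DN (directory-intensive app)."""
    allowed = {attr for attr in SERVER_PROPS.values() if attr}
    for attr in overrides:
        if attr not in allowed:
            raise ValueError(f"{attr} is not a per-account limit attribute")
    return _modify_ldif(account_dn, list(overrides.items()))


# Constructed plan that follows the guide's suggested starting points.
EXAMPLE_PLAN = {
    "idle-timeout": 7200,
    "search-time-limit": 600,
    "search-size-limit": 2000,
    "look-through-limit": 4000,
    "max-threads-per-connection-count": 8,
    "nsslapd-ioblocktimeout": 600000,
    "nsslapd-maxbersize": 2097152,
}

if __name__ == "__main__":
    for problem in validate_plan(EXAMPLE_PLAN):
        print("PROBLEM:", problem)
    print("\n".join(render_dsconf(EXAMPLE_PLAN)))
    print(render_config_ldif(EXAMPLE_PLAN))
    # Hypothetical messaging-server service account that needs larger searches.
    print(render_account_ldif("uid=msgsvr,ou=apps,dc=example,dc=com",
                              {"nsSizeLimit": 100000, "nsLookThroughLimit": 100000}))
```

Run the script to review the commands before applying them; the validation step is where a plan that lowers look-through-limit below search-size-limit, or raises the per-connection thread count past 10, is caught before any change reaches the server. Because the global limits do not apply to the Directory Manager, the per-account LDIF is the intended way to give one application more room while every other bind DN stays under the global values.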