Oracle Fusion Middleware Administration Guide for Oracle Directory Server Enterprise Edition

Previous: Creating and Configuring Request Filtering Policies and Search Data Hiding Rules
Next: Configuring Directory Proxy Server as a Connection Based Router

Creating and Configuring a Resource Limits Policy

For an overview of resource limits policies, see Resource Limits Policies for Connection Handlers in Oracle Fusion Middleware Reference for Oracle Directory Server Enterprise Edition. For information about how to create and configure resource limits policies and to customize search limits, see the following procedures.

To Create a Resource Limits Policy

You can use DSCC to perform this task. For information, see Directory Service Control Center Interface and the DSCC online help.

Create a resource limits policy.
$ dpconf create-resource-limits-policy -h host -p port policy-name
For information about how to modify the properties of a resource limits policy, see To Configure a Resource Limits Policy.

Associate the resource limits policy to a connection handler.

$ dpconf set-connection-handler-prop -h host -p port connection-handler-name \
 resource-limits-policy:policy-name

To Configure a Resource Limits Policy

You can use DSCC to perform this task. For information, see Directory Service Control Center Interface and the DSCC online help.

View the properties of a resource limits policy.

$ dpconf get-resource-limits-policy-prop -h host -p port policy-name

The default properties of a resource limits policy are as follows:

denied-presence-filter-attr                 :  all
denied-presence-filter-attr-enabled         :  false
description                                 :  -
max-client-connections                      :  unlimited
max-connections                             :  unlimited
max-op-count-per-interval                   :  inlimited
max-simultaneous-operations-per-connection  :  unlimited
max-total-operations-per-connection         :  unlimited
minimum-search-filter-substring-length      :  unlimited
op-count-per-interval-timeout               :  1s
referral-bind-policy                        :  default
referral-hop-limit                          :  default
referral-policy                             :  default
search-size-limit                           :  unlimited
search-time-limit                           :  unlimited
warning-op-count-per-interval               :  unlimited

Configure the resource limits policy by setting one or more of the properties that are listed in Step 1:
$ dpconf set-resource-limits-policy-prop -h host -p port policy-name \ property:value [property:value ...]
To specify the threshold number of operations per time interval at which a warning is raised, run the following command:
$ dpconf set-resource-limits-policy-prop -h host -p port policy-name \ warning-op-count-per-interval:1500
When the specified number of operations exceed in a specified time interval, the warning-resource-limit-exceeded alert is raised. For more information on warning-resource-limit-exceeded, see Configuring Administrative Alerts for Directory Proxy Server.

To Block Presence Filters in the Search Operation

Configure denied-presence-filter-attr to deny access when search operation contains at least one of the attributes in the list of denied filter attributes.
$ dpconf set-resource-limits-policy-prop -h host -p port policy-name \ denied-presence-filter-attr:attribute-name

Turn on denied-presence-filter-enabled to indicate whether to deny access when the search filter contains specified attributes.
$ dpconf set-resource-limits-policy-prop -h host -p port policy-name\ denied-presence-filter-enabled:on

To Customize Search Limits

Customized limits can be defined for search operations according to the search base and search scope. If the target DN and scope of a search operation matches the specified criteria, the maximum size of the search result is limited.

You can use DSCC to perform this task. For information, see Directory Service Control Center Interface and the DSCC online help.

Create one or more custom search limits.

$ dpconf create-custom-search-size-limit -h host -p port policy-name \
  custom-search-limit-name [custom-search-limit-name ...]

Set the criteria for the custom search limit.

$ dpconf set-custom-search-size-limit-prop -h host -p port policy-name \
  custom-search-limit-name one-level-search-base-dn:value subtree-search-base-dn:value

Set the limit for the number of results that are returned when a search meets one of the criteria in Step 2.

$ dpconf set-custom-search-size-limit-prop -h host -p port policy-name \
 custom-search-limit-name search-size-limit:value

View the properties of a custom search limit.

$ dpconf get-custom-search-size-limit-prop -h host -p port policy-name \
  custom-search-limit-name

The default properties of a custom search limit are as follows:

one-level-search-base-dn  :  none
search-size-limit         :  unlimited
subtree-search-base-dn    :  none

To Limit LDAP Operations Rates

Directory Proxy Server lets you set a threshold for the maximum number of LDAP operations allowed in a given time period. You set the operations rate limit per connection handler using a resource limits policy. The settings effectively allow you to limit the LDAP operation rate for an LDAP client application. For example you can use this capability to ensure that one LDAP client application can perform a maximum of 2500 LDAP operations per second, whereas another LDAP client operation is limited to a maximum of 1200 operations per second.

First set up a connection handler to describe connections from the client application whose LDAP operation rate you want to limit. Then create a resource limits policy for the connection handler. Finally follow the steps here to limit the operation rate using the resource limits policy on the connection handler.

Enable the operations rate limit counters.

$ dpconf set-resource-limits-policy-prop -h host -p port policy-name \
max-op-count-per-interval:2500
$ dpconf set-resource-limits-policy-prop -h host -p port policy-name \
op-count-per-interval-timeout:1s

When an LDAP client exceeds the operation rate limit you set, Directory Proxy Server can raise an alert provided you set up Directory Proxy Server as described in the Configuring Administrative Alerts for Directory Proxy Server section.

To add an alert about operation rate limits being reached, run this command:
$ dpconf set-server-prop -h host -p port\ enabled-admin-alerts+:error-resource-limit-exceeded
Directory Proxy Server raises an alert when the operations rate limit is exceeded. Directory Proxy Server also writes a message in the access log each time an operation is refused because the application exceeds its limit.