test

Sun Java System Directory Server Enterprise Edition 6.0 Administration Guide

Setting Resource Limits For Each Client Account

You can control search operation resource limits on the server for each client account. You set such limits in operational attributes on an account, and Directory Server then enforces them based on the account a client uses to bind to the directory.

The following limits can be set:

Note –

The Directory Manager can use unlimited resources by default.

The resource limits that you set on specific user accounts take precedence over the resource limits set in the server-wide configuration. This section provides information about setting resource limits for each account.

The examples given in this section set resource limits directly in the attributes of the entry. You can also set resource limits on account using the Class of Service (CoS) mechanism. The CoS mechanism generates computed attributes as an entry is retrieved for a client application. For more information about defining CoS, see Class of Service.

ProcedureTo View Server Resource Limit Settings

You can use DSCC to perform this task. For information, see Directory Service Control Center Interface and the DSCC online help.

    Use the dsconf get-server-prop command to read the resource limit server properties.


    $ dsconf get-server-prop -h host -p port look-through-limit search-size-limit \
 search-time-limit idle-timeout
look-through-limit  :  5000  
search-size-limit   :  2000  
search-time-limit   :  3600
idle-timeout        :  none

    The output shows that searches look through a maximum of 5000 entries, return a maximum of 2000 entries, and use a maximum of one hour (3600 seconds) of server time to process the search.

ProcedureTo Set the Look-Through Limit for an Account

You can use DSCC to perform this task. For information, see Directory Service Control Center Interface and the DSCC online help.

    Use the ldapmodify command to set the value of nsLookThroughLimit.

    The following command removes the look-through limit for Barbara Jensen:


    $ ldapmodify -D cn=admin,cn=Administrators,cn=config -w -
Enter bind password: 
dn: uid=bjensen,ou=people,dc=example,dc=com
changetype: modify
add: nsLookThroughLimit
nsLookThroughLimit: -1
^D
modifying entry uid=bjensen,ou=people,dc=example,dc=com

^D
$

ProcedureTo Set the Size Limit for an Account

You can use DSCC to perform this task. For information, see Directory Service Control Center Interface and the DSCC online help.

    Use the ldapmodify command to set the value of nsSizeLimit.

    The following command removes the size limit for Barbara Jensen:


    $ ldapmodify -D cn=admin,cn=Administrators,cn=config -w -
Enter bind password: 
dn: uid=bjensen,ou=people,dc=example,dc=com
changetype: modify
add: nsSizeLimit
nsSizeLimit: -1
^D
modifying entry uid=bjensen,ou=people,dc=example,dc=com

^D
$

ProcedureTo Set the Time Limit for an Account

You can use DSCC to perform this task. For information, see Directory Service Control Center Interface and the DSCC online help.

    Use the ldapmodify command to set the value of nsTimeLimit.

    The following command removes the time limit for Barbara Jensen:


    $ ldapmodify -D cn=admin,cn=Administrators,cn=config -w -
Enter bind password: 
dn: uid=bjensen,ou=people,dc=example,dc=com
changetype: modify
add: nsTimeLimit
nsTimeLimit: -1
^D
modifying entry uid=bjensen,ou=people,dc=example,dc=com

^D
$

ProcedureTo Set the Idle Timeout for an Account

You can use DSCC to perform this task. For information, see Directory Service Control Center Interface and the DSCC online help.

    Use the ldapmodify command to set the value of nsIdleTimeout.

    The following command sets the idle timeout for Barbara Jensen to five minutes (300 seconds):


    $ ldapmodify -D cn=admin,cn=Administrators,cn=config -w -
Enter bind password: 
dn: uid=bjensen,ou=people,dc=example,dc=com
changetype: modify
add: nsIdleTimeout
nsIdleTimeout: 300
^D
modifying entry uid=bjensen,ou=people,dc=example,dc=com

^D
$