Oracle Directory Server Enterprise Edition Administration Guide 11g Release 1 (11.1.1.5.0)
For an overview of resource limits policies, see Resource Limits Policies for Connection Handlers in Oracle Directory Server Enterprise Edition Reference. For information about how to create and configure resource limits policies and to customize search limits, see the following procedures.
You can use DSCC to perform this task. For information, see Directory Service Control Center Interface and the DSCC online help.
$ dpconf create-resource-limits-policy -h host -p port policy-name
For information about how to modify the properties of a resource limits policy, see To Configure a Resource Limits Policy.
$ dpconf set-connection-handler-prop -h host -p port connection-handler-name \
 resource-limits-policy:policy-name
You can use DSCC to perform this task. For information, see Directory Service Control Center Interface and the DSCC online help.
$ dpconf get-resource-limits-policy-prop -h host -p port policy-name
The default properties of a resource limits policy are as follows:
connection-idle-timeout : 1h
denied-presence-filter-attr : all
denied-presence-filter-enabled : false
description : -
max-client-connections : unlimited
max-connections : unlimited
max-op-count-per-interval : unlimited
max-simultaneous-operations-per-connection : unlimited
max-total-operations-per-connection : unlimited
minimum-search-filter-substring-length : unlimited
op-count-per-interval-timeout : 1s
referral-bind-policy : default
referral-hop-limit : default
referral-policy : default
search-size-limit : unlimited
search-time-limit : unlimited
warning-op-count-per-interval : unlimited

$ dpconf set-resource-limits-policy-prop -h host -p port policy-name \
 property:value [property:value ...]
To specify the threshold number of operations per time interval at which a warning is raised, run the following command:
$ dpconf set-resource-limits-policy-prop -h host -p port policy-name \
 warning-op-count-per-interval:1500
When the number of operations in the specified time interval exceeds this threshold, the warning-resource-limit-exceeded alert is raised. For more information on warning-resource-limit-exceeded, see Configuring Administrative Alerts for Directory Proxy Server.
$ dpconf set-resource-limits-policy-prop -h host -p port policy-name \
 denied-presence-filter-attr:attribute-name
$ dpconf set-resource-limits-policy-prop -h host -p port policy-name \
 denied-presence-filter-enabled:on
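The following is an added example, not part of the Oracle guide: a shell function that audits the "property : value" listing printed by dpconf get-resource-limits-policy-prop and reports limits still left at unlimited, a disabled presence-filter block, and a warning threshold that is not below the hard operation limit. The function names, the finding labels, and the choice of which properties to flag are assumptions of this example; the sample input is constructed from the default values listed above.

```shell
# Added example: audit a resource limits policy listing. Which limits are
# flagged is this example's own choice, not product behaviour.
audit_resource_limits() {
    # Reads the "property : value" listing on stdin, prints one finding per line.
    awk -F'[ \t]+:[ \t]+' '
        { sub(/^[ \t]+/, "", $1); sub(/[ \t]+$/, "", $2); v[$1] = $2 }
        END {
            keys = "max-client-connections max-connections max-op-count-per-interval"
            keys = keys " search-size-limit search-time-limit"
            keys = keys " minimum-search-filter-substring-length"
            n = split(keys, k, " ")
            for (i = 1; i <= n; i++)
                if (v[k[i]] == "unlimited") print "UNLIMITED " k[i]
            if (v["denied-presence-filter-enabled"] == "false")
                print "DISABLED denied-presence-filter-enabled"
            # Assumption: a warning threshold at or above the hard limit
            # cannot fire before operations are refused.
            w = v["warning-op-count-per-interval"]
            m = v["max-op-count-per-interval"]
            if (w ~ /^[0-9]+$/ && m ~ /^[0-9]+$/ && w + 0 >= m + 0)
                print "WARNING-NOT-BELOW-MAX " w " >= " m
        }'
}

sample_default_policy() {
    # Constructed input: the default values listed in this section.
    cat <<'EOF'
connection-idle-timeout : 1h
denied-presence-filter-attr : all
denied-presence-filter-enabled : false
description : -
max-client-connections : unlimited
max-connections : unlimited
max-op-count-per-interval : unlimited
max-simultaneous-operations-per-connection : unlimited
max-total-operations-per-connection : unlimited
minimum-search-filter-substring-length : unlimited
op-count-per-interval-timeout : 1s
referral-bind-policy : default
referral-hop-limit : default
referral-policy : default
search-size-limit : unlimited
search-time-limit : unlimited
warning-op-count-per-interval : unlimited
EOF
}

sample_default_policy | audit_resource_limits
```

Against a live instance, pipe the output of dpconf get-resource-limits-policy-prop -h host -p port policy-name into audit_resource_limits instead of the sample.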
Customized limits can be defined for search operations according to the search base and search scope. If the target DN and scope of a search operation match the specified criteria, the maximum size of the search result is limited.
You can use DSCC to perform this task. For information, see Directory Service Control Center Interface and the DSCC online help.
$ dpconf create-custom-search-size-limit -h host -p port policy-name \
 custom-search-limit-name [custom-search-limit-name ...]
$ dpconf set-custom-search-size-limit-prop -h host -p port policy-name \
 custom-search-limit-name one-level-search-base-dn:value subtree-search-base-dn:value
$ dpconf set-custom-search-size-limit-prop -h host -p port policy-name \
 custom-search-limit-name search-size-limit:value
$ dpconf get-custom-search-size-limit-prop -h host -p port policy-name \
 custom-search-limit-name
The default properties of a custom search limit are as follows:
one-level-search-base-dn : none
search-size-limit : unlimited
subtree-search-base-dn : none
Directory Proxy Server lets you set a threshold for the maximum number of LDAP operations allowed in a given time period. You set the operations rate limit per connection handler using a resource limits policy. The settings effectively allow you to limit the LDAP operation rate for an LDAP client application. For example, you can use this capability to ensure that one LDAP client application can perform a maximum of 2500 LDAP operations per second, whereas another LDAP client application is limited to a maximum of 1200 operations per second.
First, set up a connection handler to describe connections from the client application whose LDAP operation rate you want to limit. Then create a resource limits policy for the connection handler. Finally, follow the steps here to limit the operation rate using the resource limits policy on the connection handler.
$ dpconf set-resource-limits-policy-prop -h host -p port policy-name \
 max-op-count-per-interval:2500
$ dpconf set-resource-limits-policy-prop -h host -p port policy-name \
 op-count-per-interval-timeout:1s
To add an alert about operation rate limits being reached, run this command:
$ dpconf set-server-prop -h host -p port \
 enabled-admin-alerts+:error-resource-limit-exceeded
Directory Proxy Server raises an alert when the operations rate limit is exceeded. Directory Proxy Server also writes a message in the access log each time an operation is refused because the application exceeds its limit.
This attribute has the same meaning as the attribute in the LDAP and LDAPS listeners but, if set to something different from the default inherited, has precedence over them.
After the specified time without activity, the client connection will be closed. See Directory Proxy Server Client Listeners in Oracle Directory Server Enterprise Edition Reference.
$ dpconf set-resource-limits-policy-prop -h host -p port policy-name \
 connection-idle-timeout:new-timeout