9. Limits
9.1. Introduction
It is usually desirable to limit the server resources that can be consumed by each LDAP client. OpenLDAP provides two sets of limits: a size limit, which can restrict the number of entries that a client can retrieve in a single operation, and a time limit which restricts the length of time that an operation may continue. Both types of limit can be given different values depending on who initiated the operation.
9.2. Soft and Hard limits
The server administrator can specify both soft limits and hard limits. Soft limits can be thought of as being the default limit value. Hard limits cannot be exceeded by ordinary LDAP users.
LDAP clients can specify their own size and time limits when issuing search operations. This feature has been present since the earliest version of X.500.
If the client specifies a limit then the lower of the requested value and the hard limit will become the limit for the operation.
If the client does not specify a limit then the server applies the soft limit.
Soft and Hard limits are often referred to together as administrative limits. Thus, if an LDAP client requests a search that would return more results than the limits allow it will get an adminLimitExceeded error. Note that the server will usually return some results even if the limit has been exceeded: this feature is useful to clients that just want to check for the existence of some entries without needing to see them all.
The rootdn is not subject to any limits.
9.3. Global Limits
Limits specified in the global part of the server configuration act as defaults which are used if no database has more specific limits set.
In a slapd.conf(5) configuration the keywords are sizelimit and timelimit. When using the slapd config backend, the corresponding attributes are olcSizeLimit and olcTimeLimit. The syntax of these values are the same in both cases.
The simple form sets both soft and hard limits to the same value:
sizelimit {<integer>|unlimited} timelimit {<integer>|unlimited}
The default sizelimit is 500 entries and the default timelimit is 3600 seconds.
An extended form allows soft and hard limits to be set separately:
sizelimit size[.{soft|hard|unchecked}]=<integer> [...] timelimit time[.{soft|hard}]=<integer> [...]
Thus, to set a soft sizelimit of 10 entries and a hard limit of 75 entries:
sizelimit size.soft=10 size.hard=75
The unchecked keyword sets a limit on how many entries the server will examine once it has created an initial set of candidate results by using indices. This can be very important in a large directory, as a search that cannot be satisfied from an index might cause the server to examine millions of entries, therefore always make sure the correct indexes are configured.
9.4. Per-Database Limits
Each database can have its own set of limits that override the global ones. The syntax is more flexible, and it allows different limits to be applied to different entities. Note that an entity is different from an entry: the term entity is used here to indicate the ID of the person or process that has initiated the LDAP operation.
In a slapd.conf(5) configuration the keyword is limits. When using the slapd config backend, the corresponding attribute is olcLimits. The syntax of the values is the same in both cases.
limits <selector> <limit> [<limit> [...]]
The limits clause can be specified multiple times to apply different limits to different initiators. The server examines each clause in turn until it finds one that matches the operation's initiator or base DN. If no match is found, the global limits will be used.
9.4.1. Specify who the limits apply to
The <selector> part of the limits clause can take any of these values:
Specifier | Entities |
* | All, including anonymous and authenticated users |
anonymous | Anonymous (non-authenticated) users |
users | Authenticated users |
dn[.<type>][.<style>]=<pattern>] | Entry or entries within a scope that match <pattern> |
group[/oc[/at]]=<pattern> | Members of a group |
Where
type can be one of self or this and
style can be one of exact, base, onelevel, subtree, children, regex, or anonymous
More information can be found in the slapd.conf(5) or slapd-config(5) manual pages.
9.4.2. Specify time limits
The syntax for time limits is
time[.{soft|hard}]=<integer>
where integer is the number of seconds slapd will spend answering a search request.
If neither soft nor hard is specified, the value is used for both, e.g.:
limits anonymous time=27
The value unlimited may be used to remove the hard time limit entirely, e.g.:
limits dn.exact="cn=anyuser,dc=example,dc=org" time.hard=unlimited
9.4.3. Specifying size limits
The syntax for size limit is
size[.{soft|hard|unchecked}]=<integer>
where <integer> is the maximum number of entries slapd will return when answering a search request.
Soft, hard, and "unchecked" limits are available, with the same meanings described for the global limits configuration above.
9.4.4. Size limits and Paged Results
If the LDAP client adds the pagedResultsControl to the search operation, the hard size limit is used by default, because the request for a specific page size is considered an explicit request for a limitation on the number of entries to be returned. However, the size limit applies to the total count of entries returned within the search, and not to a single page.
Additional size limits may be enforced for paged searches.
The size.pr limit controls the maximum page size:
size.pr={<integer>|noEstimate|unlimited}
<integer> is the maximum page size if no explicit size is set. noEstimate has no effect in the current implementation as the server does not return an estimate of the result size anyway. unlimited indicates that no limit is applied to the maximum page size.
The size.prtotal limit controls the total number of entries that can be returned by a paged search. By default the limit is the same as the normal size.hard limit.
size.prtotal={<integer>|unlimited|disabled}
unlimited removes the limit on the number of entries that can be returned by a paged search. disabled can be used to selectively disable paged result searches.
9.5. Example Limit Configurations
9.5.1. Simple Global Limits
This simple global configuration fragment applies size and time limits to all searches by all users except rootdn. It limits searches to 50 results and sets an overall time limit of 10 seconds.
sizelimit 50 timelimit 10
9.5.2. Global Hard and Soft Limits
It is sometimes useful to limit the size of result sets but to allow clients to request a higher limit where needed. This can be achieved by setting separate hard and soft limits.
sizelimit size.soft=5 size.hard=100
To prevent clients from doing very inefficient non-indexed searches, add the unchecked limit:
sizelimit size.soft=5 size.hard=100 size.unchecked=100
9.5.3. Giving specific users larger limits
Having set appropriate default limits in the global configuration, you may want to give certain users the ability to retrieve larger result sets. Here is a way to do that in the per-database configuration:
limits dn.exact="cn=anyuser,dc=example,dc=org" size=100000 limits dn.exact="cn=personnel,dc=example,dc=org" size=100000 limits dn.exact="cn=dirsync,dc=example,dc=org" size=100000
It is generally best to avoid mentioning specific users in the server configuration. A better way is to give the higher limits to a group:
limits group/groupOfNames/member="cn=bigwigs,dc=example,dc=org" size=100000
9.5.4. Limiting who can do paged searches
It may be required that certain applications need very large result sets that they retrieve using paged searches, but that you do not want ordinary LDAP users to use the pagedResults control. The pr and prtotal limits can help:
limits group/groupOfNames/member="cn=dirsync,dc=example,dc=org" size.prtotal=unlimited limits users size.soft=5 size.hard=100 size.prtotal=disabled limits anonymous size.soft=2 size.hard=5 size.prtotal=disabled
9.6. Further Information
For further information please see slapd.conf(5), ldapsearch(1) and slapd.access(5)