
OpenDJ, the open source LDAP directory server in Java, defines a few global resource limits to prevent client connections or operations from abusing the server's resources. These limits are:
- the maximum number of entries returned to a search request (size-limit, default is 1000),
- the maximum amount of time to spend returning results to a client (time-limit, default is 60 seconds),
- the maximum number of entries to look through while processing a search request (lookthrough-limit, default is 5000),
- the maximum amount of time a connection can sit idle before the server disconnects it (idle-time-limit, default is unlimited).
There are default values for all of these limits in the global configuration, but they can also be set on a per-user basis. The global limits are read or set using dsconfig:
$ bin/dsconfig get-global-configuration-prop -p 4444 -X -n -h localhost \
    -D cn=directory\ manager -w secret12
Property                              : Value(s)
--------------------------------------:------------------------
bind-with-dn-requires-password        : true
default-password-policy               : Default Password Policy
disabled-privilege                    : -
entry-cache-preload                   : false
etime-resolution                      : milliseconds
idle-time-limit                       : 0
lookthrough-limit                     : 5000
max-allowed-client-connections        : 0
max-psearches                         : unlimited
proxied-authorization-identity-mapper : Exact Match
reject-unauthenticated-requests       : false
return-bind-error-messages            : false
save-config-on-successful-startup     : true
size-limit                            : 1000
smtp-server                           : -
time-limit                            : 60 s
writability-mode                      : enabled
The per-user limits use different LDAP attribute names (ds-rlim-size-limit, ds-rlim-time-limit, ds-rlim-lookthrough-limit and ds-rlim-idle-time-limit) and can be read or set directly in the user's entry, or through collective attributes. A value of 0 means unlimited. The Directory Manager entry has such specific limits set, so that everything is unlimited for it:
$ bin/ldapsearch -D "cn=directory manager" -w secret12 -p 1389 -X -b "cn=config" \
    '(objectClass=inetOrgPerson)' ds-rlim-time-limit ds-rlim-size-limit \
    ds-rlim-lookthrough-limit ds-rlim-idle-time-limit
dn: cn=Directory Manager,cn=Root DNs,cn=config
ds-rlim-lookthrough-limit: 0
ds-rlim-time-limit: 0
ds-rlim-idle-time-limit: 0
ds-rlim-size-limit: 0
If you decide to change a default global setting, for example the idle-time-limit, to force the server to close idle connections after some time (often shorter than the timeout of the load balancer sitting between your applications and the OpenDJ servers), remember that you may also need to change the limit on the "cn=Directory Manager" entry: its own ds-rlim-idle-time-limit of 0 takes precedence over the global value and keeps those connections open for ever. This matters especially if your client applications bind with Directory Manager credentials.
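To make the precedence rule concrete, here is an added example (my own code, not part of the original post or of OpenDJ): it parses the two outputs shown above, computes the effective limits for each bind DN (a ds-rlim-* value on the entry wins over the global one, 0 meaning unlimited), and then works out what has to change to enforce a 300 second idle timeout for everyone. Assumptions: the dsconfig table and the LDIF are constructed copies of the page's output, trimmed to the four limits and extended with a hypothetical service account uid=app-svc that overrides only size-limit; per-user ds-rlim-* durations are taken to be in seconds; the generated dsconfig command uses the `--set idle-time-limit:300s` form and still needs the connection options (-h, -p, -D, -w, -X, -n) shown on the page before it can be run.

```python
import re

# Constructed sample input: the global configuration table as dsconfig prints
# it on this page, trimmed to the four resource limits.  Not a live capture.
GLOBAL_CONFIG_OUTPUT = """\
Property                              : Value(s)
--------------------------------------:------------------------
idle-time-limit                       : 0
lookthrough-limit                     : 5000
size-limit                            : 1000
time-limit                            : 60 s
"""

# Constructed sample input: the ldapsearch output from the page, plus a
# hypothetical service account that overrides only size-limit.
LDIF_OUTPUT = """\
dn: cn=Directory Manager,cn=Root DNs,cn=config
ds-rlim-lookthrough-limit: 0
ds-rlim-time-limit: 0
ds-rlim-idle-time-limit: 0
ds-rlim-size-limit: 0

dn: uid=app-svc,ou=People,dc=example,dc=com
ds-rlim-size-limit: 5000
"""

LIMITS = ("size-limit", "time-limit", "lookthrough-limit", "idle-time-limit")
UNLIMITED = 0  # OpenDJ uses 0 for "no limit", globally and per entry

_UNIT_SECONDS = {"": 1, "s": 1, "m": 60, "h": 3600, "d": 86400}


def parse_value(raw):
    """Turn a dsconfig value such as '60 s', '5000' or 'unlimited' into an
    int: seconds for durations, a plain count otherwise, 0 for unlimited."""
    raw = raw.strip().lower()
    if raw == "unlimited":
        return UNLIMITED
    m = re.fullmatch(r"(\d+)\s*([a-z]*)", raw)
    if not m or m.group(2) not in _UNIT_SECONDS:
        raise ValueError("unsupported value: %r" % raw)
    return int(m.group(1)) * _UNIT_SECONDS[m.group(2)]


def parse_global_limits(text):
    """Extract the four resource limits from the 'property : value' rows."""
    limits = {}
    for line in text.splitlines():
        m = re.match(r"^(\S+)\s*:\s*(.*?)\s*$", line)
        if m and m.group(1) in LIMITS:
            limits[m.group(1)] = parse_value(m.group(2))
    missing = set(LIMITS) - set(limits)
    if missing:
        raise ValueError("global output lacks %s" % sorted(missing))
    return limits


def parse_rlim_entries(ldif):
    """Map each DN in an LDIF search result to its ds-rlim-* overrides,
    keyed by the bare limit name ('size-limit', ...)."""
    entries = {}
    for block in re.split(r"\n\s*\n", ldif.strip()):
        dn, attrs = None, {}
        for line in block.splitlines():
            name, _, value = line.partition(":")
            name, value = name.strip(), value.strip()
            if name == "dn":
                dn = value
            elif name.startswith("ds-rlim-") and name[8:] in LIMITS:
                attrs[name[8:]] = int(value)  # assumed: seconds / counts
        if dn:
            entries[dn] = attrs
    return entries


def effective_limits(global_limits, overrides):
    """A per-entry ds-rlim-* value takes precedence over the global one."""
    return {name: overrides.get(name, global_limits[name]) for name in LIMITS}


def plan_idle_time_limit(global_limits, entries, seconds):
    """Return the dsconfig change plus the LDIF modifications needed so that
    every bind DN is disconnected after `seconds` idle, including entries
    (such as root DNs) whose own override would otherwise keep the
    connection open for ever or longer than the new global value."""
    if seconds <= 0:
        raise ValueError("seconds must be positive; 0 would mean unlimited")
    current_global = global_limits["idle-time-limit"]
    plan = {"dsconfig": None, "ldif": []}
    if current_global == UNLIMITED or current_global > seconds:
        plan["dsconfig"] = ("dsconfig set-global-configuration-prop "
                            "--set idle-time-limit:%ds" % seconds)
    for dn, overrides in entries.items():
        current = overrides.get("idle-time-limit")
        if current is None:
            continue  # no override: the entry inherits the global value
        if current == UNLIMITED or current > seconds:
            plan["ldif"].append(
                "dn: %s\nchangetype: modify\nreplace: ds-rlim-idle-time-limit\n"
                "ds-rlim-idle-time-limit: %d\n" % (dn, seconds))
    return plan


if __name__ == "__main__":
    g = parse_global_limits(GLOBAL_CONFIG_OUTPUT)
    e = parse_rlim_entries(LDIF_OUTPUT)
    for dn, overrides in e.items():
        print(dn, effective_limits(g, overrides))
    p = plan_idle_time_limit(g, e, 300)
    print(p["dsconfig"])
    print("\n".join(p["ldif"]))
```

With the sample data the plan contains the global dsconfig change and exactly one LDIF modification, for cn=Directory Manager: the service account has no idle-time-limit override, so the new global value applies to it automatically, while the root DN would keep its unlimited value until the LDIF is applied with ldapmodify.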
Very nice post and a resource very helpful to us. Just wanted to know, is there any place where we can post our question? Data is getting deleted while rebuilding an index on OpenDJ. We have configured two instances of OpenDJ as masters. Data gets deleted from one server.
Hi,
The best place to post questions related to OpenDJ is the OpenDJ mailing list: https://lists.forgerock.org/mailman/listinfo/opendj.
Otherwise, there is also a #opendj channel on irc.freenode.net.
Kind regards,
Ludo
Hi,
Is there any limitation on the number of users that can be created in OpenDS or not?
BR/
Abhay Singh
OpenDS no longer exists, Oracle shut it down. But development of the project continues with OpenDJ (http://opendj.org).
There are no hard-coded limitations on the number of entries that can be created in OpenDJ, but of course there are practical limits in any software or database you run: physical disk size, performance, time and cost to perform administrative tasks such as backup or restore…
We've tested OpenDJ with up to 3 billion users, we've run heavy stress benchmarks with 500 million users, and we have customers running in production with over 100M entries…