LDAP-UX Client Services B.04.00 with Microsoft Windows 2000/2003 Active Directory Administrator's Guide

Administering LDAP-UX Client Services
Considering Performance Impacts
The advantage of an LDAP directory over flat files for naming and
authentication services is that it is designed for fast access to
information in large databases. Still, with very large databases,
administrators and users should be aware of the following performance
impacts:
Enumeration Requests
Enumeration requests are directory queries that ask for an entire
database, for example all users or all groups. Enumeration requests
against large databases load both the network and the directory server,
and on Active Directory they also run into the server-side search limits
described below. For this reason, you may want to restrict the use of the
following commands, which generate enumeration requests:
finger(1)
grget(1) with no options
pwget(1) with no options
groups(1)
listusers(1)
logins(1M)
Applications written with the getpwent(3C) or getgrent(3C) family of
routines can also enumerate a map, depending on how they are written.
Where possible, rewrite such applications to perform a targeted LDAP
search request, or a keyed lookup such as getpwnam(3C) or getgrnam(3C)
that the client can service with a single filtered search, instead of
iterating over getpwent or getgrent to find one entry.
Search Limits
The default Active Directory query policy sets the search size limit
(MaxPageSize) to 1,000 entries and the search time limit
(MaxQueryDuration) to 120 seconds, that is, two minutes. Search limits
prevent a single user or application from consuming all the resources of
a directory and help to mitigate denial-of-service attacks; however, on
large databases the default values are not enough to service commands or
applications that generate enumeration requests, which see only the
first 1,000 entries before the server stops the search. You can use the
support tool ntdsutil to change these two values; note that raising them
weakens the protection the limits provide, so prefer restricting
enumeration-generating commands where you can. ntdsutil can be installed
from the Windows 2000 or 2003 Server CD in the \SUPPORT\TOOLS folder.
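The following is an added example, not part of the HP guide, showing how the two limits above are inspected and changed with ntdsutil's LDAP policies menu, using ntdsutil's ability to take menu commands as command-line arguments so the steps can be kept in a script. The server name dc1.example.com and the new values 2000 and 300 are placeholders chosen for illustration; run it on a domain controller as a member of Domain Admins.

```batch
@echo off
REM Added example, not from the HP LDAP-UX guide. dc1.example.com and the
REM values 2000 and 300 are assumptions for illustration.

REM 1. Display the current LDAP query policy. The default policy reports
REM    MaxPageSize 1000 and MaxQueryDuration 120 (seconds) among its values.
ntdsutil "ldap policies" connections "connect to server dc1.example.com" quit "show values" quit quit

REM 2. Raise the search size and time limits, commit them to the directory,
REM    and display the values again to confirm the change took effect.
ntdsutil "ldap policies" connections "connect to server dc1.example.com" quit "set MaxPageSize to 2000" "set MaxQueryDuration to 300" "commit changes" "show values" quit quit
```

ntdsutil edits the Default Query Policy object in the Configuration naming context, so the new limits apply to every domain controller that uses the default policy, not only to the server you connected to. Two caveats a practitioner should weigh before committing: the higher limits apply to every LDAP client, not just the HP-UX clients, so they reduce the denial-of-service protection for the whole forest; and MaxPageSize is enforced per page, so an application that uses the LDAP paged-results control can retrieve a large result set under the default policy without any change to the limits, which is the safer fix where the application can be changed.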