LDAP-UX Client Services B.05.01 Administrator Guide for HP directory servers and Windows ADS

7.12.1 Reducing the performance impact of enumeration and search requests
The advantage of a directory server over flat files for naming and authentication services is its
design for quick access to information in large databases. Still, with very large databases,
administrators and users should be aware of the following performance impacts.
7.12.1.1 Minimizing enumeration requests for less impact on server and network performance
Enumeration requests are directory queries that request all of a database, for example all users or
all groups. Enumeration requests of large databases could reduce network and server performance.
For this reason, you might want to restrict the use of commands and applications that generate
enumeration requests, such as:
finger (see the finger(1) manpage)
grget with no options (see the grget(1) manpage)
pwget with no options (see the pwget(1) manpage)
groups (see the groups(1) manpage)
listusers (see the listusers(1) manpage)
logins (see the logins(1M) manpage)
All netgroup calls (HP directory servers only)
In addition, depending on how they are written, applications written with families of routines such
as getpwent, getgrent, gethostent, and getnetent can enumerate a map. You could
possibly rewrite these applications so that an LDAP search request is used instead of a call to these
routines.
7.12.1.2 Setting search limits to reduce resource consumption and denial of service vulnerabilities
This section pertains to Windows ADS only.
The default configuration for Active Directory sets the search size limit to 1,000 entries and the
search time limit to two minutes. Setting search limits prevents users from consuming all the resources
of a directory and helps to minimize "denial of service" attacks; however, on large databases
search limits are not sufficient to service commands or applications that generate enumeration
requests. You can use the support tool ntdsutil to change these two search limit values. The
ntdsutil tool can be installed from the Windows 2003 R2 or 2008 Server CD in the \SUPPORT\TOOLS
folder.
NOTE: The search time limit set during the setup procedure specifies the search timeout on the
client side. To service enumeration requests, this parameter might need to be adjusted accordingly.
1. On your domain controller, click Start, then Run.
In the Open box, enter the ntdsutil command and click OK.
2. At the ntdsutil prompt, enter the ldap policies command and press Enter. To see a
list of available commands, you can enter the ? symbol at any of the prompts in the ntdsutil
tool.
3. At the ldap policies: prompt, enter the connections command and press Enter.
4. At the server connections: prompt, enter the connect to server <servername>
command, where <servername> is the name of server you want to use, and then press
Enter.
5. At the server connections: prompt, enter the quit command and press Enter.
7.12 Performance considerations 247