Service manual
Limiting Resources Available to Clients
150 Sun ONE Directory Server Installation and Tuning Guide • June 2003
Table 9-1 Tuning Recommendations for Limiting Resources Available to Clients
Configuration Entry DN and Attribute | Short Description and Tuning Recommendations
dn: cn=config
nsslapd-idletimeout
Sets the time in seconds after which Directory Server closes an
idle client connection. Here idle means that the connection
remains open, yet no operations are requested. By default, no
time limit is set.
Some applications, such as messaging servers, may open a pool
of connections that remain idle when traffic is low, but that
should not be closed. Ideally, you might dedicate a replica to
support the application in this case. If that is not possible,
consider bind DN-based limits.
In any case, set this value high enough not to close connections
that other applications expect to remain open, but set it low
enough that connections cannot be left idle abusively. Consider
using 120 seconds (2 minutes) as a starting point for
optimization tests.
dn: cn=config
nsslapd-ioblocktimeout
Sets the time in milliseconds after which Directory Server
closes a stalled client connection. Here stalled means that
the server is blocked either sending output to the client or
reading input from the client.
For Directory Server instances particularly exposed to denial of
service attacks, consider lowering this value from the default
of 1,800,000 milliseconds (30 minutes).
dn: cn=config,cn=ldbm database,cn=plugins,cn=config
nsslapd-lookthroughlimit
Sets the maximum number of candidate entries checked for
matches during a search.
Some applications, such as messaging servers, may need to
search the entire directory. Ideally, you might dedicate a
replica to support the application in this case. If that is not
possible, consider bind DN-based limits.
In any case, consider lowering this value from the default of
5000 entries, but not below the threshold value of
nsslapd-sizelimit.
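
The following added example (not part of the original guide or the product) audits an LDIF export of the two configuration entries against the recommendations in Table 9-1. The sample LDIF is constructed, and three points are assumptions: nsslapd-sizelimit is read from cn=config, an absent or 0 idle timeout means no limit, and a negative look-through limit means unlimited.

```python
CONFIG_DN = "cn=config"
LDBM_DN = "cn=config,cn=ldbm database,cn=plugins,cn=config"
IOBLOCK_DEFAULT_MS = 1_800_000  # default stated in Table 9-1 (30 minutes)
LOOKTHROUGH_DEFAULT = 5000      # default stated in Table 9-1

# Constructed sample input, not taken from a real server.
SAMPLE = """\
dn: cn=config
nsslapd-idletimeout: 0
nsslapd-ioblocktimeout: 1800000
nsslapd-sizelimit: 2000

dn: cn=config,cn=ldbm database,
 cn=plugins,cn=config
nsslapd-lookthroughlimit: 1000
"""

def parse_ldif(text):
    """Return {dn: {attr: value}}, keys lower-cased; base64 (::) values are not decoded."""
    entries = {}
    for block in text.replace("\n ", "").split("\n\n"):  # unfold continuation lines
        attrs = {}
        for line in block.splitlines():
            if not line.startswith("#") and ":" in line:
                name, _, value = line.partition(":")
                attrs[name.strip().lower()] = value.strip()
        if "dn" in attrs:
            entries[attrs.pop("dn").lower()] = attrs
    return entries

def audit(text):
    """Return (attribute, finding) pairs for settings Table 9-1 says to revisit."""
    entries = parse_ldif(text)
    cfg, ldbm = entries.get(CONFIG_DN, {}), entries.get(LDBM_DN, {})
    findings = []
    # Assumption: an absent or 0 idle timeout means "no time limit".
    if int(cfg.get("nsslapd-idletimeout", 0)) <= 0:
        findings.append(("nsslapd-idletimeout", "no idle limit set"))
    if int(cfg.get("nsslapd-ioblocktimeout", IOBLOCK_DEFAULT_MS)) >= IOBLOCK_DEFAULT_MS:
        findings.append(("nsslapd-ioblocktimeout", "not lowered from 30 min default"))
    look = int(ldbm.get("nsslapd-lookthroughlimit", LOOKTHROUGH_DEFAULT))
    size = cfg.get("nsslapd-sizelimit")  # assumption: read from cn=config
    if size is not None and 0 <= look < int(size):
        findings.append(("nsslapd-lookthroughlimit", "below nsslapd-sizelimit"))
    elif look < 0 or look >= LOOKTHROUGH_DEFAULT:  # assumption: negative = unlimited
        findings.append(("nsslapd-lookthroughlimit", "not lowered from default of 5000"))
    return findings

if __name__ == "__main__":
    for attr, finding in audit(SAMPLE):
        print(f"{attr}: {finding}")
```

The look-through check runs before the default check because a limit below nsslapd-sizelimit is the one lower bound the table places on this attribute.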