Directory Server, Version 6.1

 

Managing search limit groups

In the IBM® Tivoli® Directory Server, in order to prevent a user's search requests from consuming too many resources and consequently impairing the server's performance, search limits are imposed on these requests for any given server. The administrator sets these search limits on the size and duration of searches, when configuring the server. See Setting Searches for more information.

Only the administrator and members of the local or global administrative groups are exempt from the search limits that apply to all other users. However, depending on your needs, you can create search limit groups that have more flexible search limits than the general user. The individual members or groups contained in the search limit group are granted the search limitations specified in the search limit group.

When a user initiates a search, the search request limitations are first checked. If a user is a member of a search limit group, the limitations are compared. If the search limit group limitations are higher than those of the search request, the search request limitations are used. If the search request limitations are higher than those of the search limit group, the search limit group limitations are used. If no search limit group entries are found, the same comparison is made against the server search limitations. If no server search limitations have been set, the comparison is made against the default server setting. The limitations used are always the lowest settings in the comparison.

If a user belongs to multiple search limit groups, the user is granted up to the highest level of search capability. For example, suppose the user belongs to search group 1, which grants a search size of 2000 entries and a search time of 4000 seconds, and to search group 2, which grants an unlimited search size and a search time of 3000 seconds. The user then has a search size limit of unlimited and a search time limit of 4000 seconds.

Search limit groups can be stored under either localhost or IBMpolicies. Search limit groups under IBMpolicies are replicated; those under localhost are not. You can store the same search limit group under both localhost and IBMpolicies. If the search limit group is not stored under one of these DNs, the server ignores the search limit part of the group and treats it as a normal group.

When a user initiates a search, the search limit group entries under localhost are checked first. If no entries are found for the user, the search limit group entries under IBMpolicies are then searched. If entries are found under localhost, the search limit group entries under IBMpolicies are not checked. The search limit group entries under localhost have priority over those under IBMpolicies.
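
The resolution rules described above can be modeled as follows. This is an added example, not code from the product or its documentation: the function names, the sample LDIF and the server limit values passed in by the caller are constructed for illustration. It considers only static member and uniqueMember values, and it treats a request limit of 0 as "no client-requested limit", as in the LDAP protocol.

```python
UNLIMITED = 0  # per the page, 0 means unlimited for both attributes

# Constructed sample export; Search1 and Search2 mirror the page's two-group example.
SAMPLE_LDIF = """\
dn: cn=Search1, cn=localhost
member: cn=user1,o=ibm
ibm-searchSizeLimit: 2000
ibm-searchTimeLimit: 4000

dn: cn=Search2, cn=localhost
member: cn=user1,o=ibm
ibm-searchSizeLimit: 0
ibm-searchTimeLimit: 3000

dn: cn=Search3, cn=ibmPolicies
member: cn=user1,o=ibm
member: cn=user2,o=ibm
ibm-searchSizeLimit: 500
ibm-searchTimeLimit: 9000
"""

def norm_dn(dn):
    # Simplified DN normalization: lower-case, strip spaces around RDNs.
    return ",".join(part.strip().lower() for part in dn.split(","))

def rank(limit):
    # Order limits so that 0 (unlimited) compares above every finite value.
    return float("inf") if limit == UNLIMITED else limit

def parse_groups(ldif):
    # One dict per entry; assumes unfolded, non-base64 LDIF lines.
    groups = []
    for block in ldif.strip().split("\n\n"):
        attrs = [l.split(":", 1) for l in block.splitlines() if ":" in l and not l.startswith("#")]
        attrs = [(k.strip().lower(), v.strip()) for k, v in attrs]
        get = lambda name: [v for k, v in attrs if k == name]
        groups.append({"dn": norm_dn(get("dn")[0]),
                       "members": {norm_dn(v) for v in get("member") + get("uniquemember")},
                       "size": int(get("ibm-searchsizelimit")[0]),
                       "time": int(get("ibm-searchtimelimit")[0])})
    return groups

def effective_limits(user, request, groups, server):
    # request and server are (size, time) tuples; server is the configured or default server limit.
    mine = [g for g in groups if norm_dn(user) in g["members"]]
    ceiling = server
    for container in ("cn=localhost", "cn=ibmpolicies"):  # localhost has priority
        hits = [g for g in mine if g["dn"].endswith("," + container)]
        if hits:  # several groups: highest value per attribute
            ceiling = tuple(max((g[k] for g in hits), key=rank) for k in ("size", "time"))
            break
    # The lower of the request's limits and the ceiling always wins.
    return tuple(min(r, c, key=rank) for r, c in zip(request, ceiling))
```

Run over an export of the search limit groups, this shows which members end up with an unlimited ceiling: a single group with a 0 value overrides every finite value in the user's other groups in the same container.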

 

Creating a search limit group

To create a search limit group, create a group entry using either the Web Administration Tool or the command line.

 

Using Web Administration:

If you have not done so already, expand the Directory management category in the navigation area.

  1. Click Add an entry or click Manage entries and select the location (cn=ibmPolicies or cn=localhost) and click Add.

  2. Select one of the group object classes from Structural object class menu.

    • accessGroup

    • accessRole

    • AIXaccessGroup

    • eNTGroup

    • groupofNames

    • groupofUniqueNames

    • groupofURLs

    • ibm-nestedGroup

    • ibm-proxyGroup

    • ibm-staticGroup

    • ibm-dynamicGroup

  3. Click Next.

  4. Select the ibm-searchLimits auxiliary object class from the Available menu and click Add. Repeat this process for each additional auxiliary object class you want to add. You can also delete an auxiliary object class from the Selected menu by selecting it and clicking Remove.

  5. Click Next.

  6. In the Relative DN field, enter the relative distinguished name (RDN) of the group that you are adding, for example, cn=Search Group1.

  7. In the Parent DN field, enter the distinguished name of the tree entry you are selecting, for example, cn=localhost. You can also click Browse to select the Parent DN from the list. Select your choice and click Select to specify the Parent DN that you want. The Parent DN defaults to the entry selected in the tree.
    Note:

    If you started this task from the Manage entries panel, this field is prefilled for you. You selected the Parent DN before clicking Add to start the add entry process.

  8. At the Required attributes tab enter the values for the required attributes.

    • cn is the relative DN you specified earlier.

    • In the ibm-searchSizeLimit field, specify the number of entries that define the size of the search. This number can range between 0 and 2,147,483,647. A setting of 0 is the same as Unlimited.

    • In the ibm-searchTimeLimit field, specify the number of seconds that define the duration of the search. This number can range between 0 and 2,147,483,647. A setting of 0 is the same as Unlimited.

    • Depending on the object class you selected, you might see a Member or uniqueMember field. These are the members of the group you are creating. The entry is in the form of a DN, for example, cn=Bob Garcia,ou=austin,o=sample.
    Notes:

    1. If the attribute is multi-valued and you want to add more than one value for a particular attribute, click Multiple values. See Multiple values for attributes.

    2. If an attribute requires binary data, click Binary data. See Binary data for attributes.

    3. If your server has language tags enabled, click Language tag value to add or remove language tag descriptors. See Language tags and Language tag values for attributes for more information.

    4. If an attribute contains referrals, click Manage referral. See Referrals and Creating default referrals for more information.

  9. Click Optional attributes.

  10. At the Optional attributes tab enter the values as appropriate for the attributes.

  11. Click Finish to create the entry.

 

Using the command line:

To set search limits of 4000 seconds and 2000 entries for user1 and user2 in cn=localhost location, issue the following command:

idsldapmodify -a -D <adminDN> -w <adminPW> -i <filename>

where <filename> contains:

dn: cn=Search1, cn=localhost
cn: Search1
member: cn=user1,o=ibm
member: cn=user2,o=ibm
ibm-searchTimeLimit: 4000
ibm-searchSizeLimit: 2000
objectclass: top
objectclass: ibm-searchLimits
objectclass: groupofNames

 

Modifying a search limit group

You can modify a search limit group, for example to change the size or time limits of the search or to add or delete members of the group, by using either the Web Administration Tool or the command line.

 

Using Web Administration:

To modify a search limit group, see Modifying an entry.

 

Using the command line:

To change the searchTimeLimit to 3000 seconds and change the searchSizeLimit to unlimited, as well as add a new member (Bob Garcia), issue the following command:

idsldapmodify -D <adminDN> -w <adminPW> -i <filename>

where <filename> contains:

dn: cn=Search1, cn=localhost
changetype: modify
replace: ibm-searchTimeLimit
ibm-searchTimeLimit: 3000
-
replace: ibm-searchSizeLimit
ibm-searchSizeLimit: 0
-
add: member
member: cn=Bob Garcia,ou=austin,o=sample

 

Copying a search limit group

Copying a search limit group is useful if you want to have the same search limit group under both localhost and IBMpolicies. It is also useful if you want to create a new group that has similar information to an existing group, but has minor differences.

 

Using Server Administration:

To copy a search limit group, see Copying an entry.

 

Using the command line:

To view the search groups contained in localhost, issue the command:

idsldapsearch -b cn=localhost objectclass=ibm-searchLimits

Select the search limit group that you want to copy. Use an editor to change the appropriate information and save the changes to <filename>. Then issue the following command:

idsldapmodify -a -D <adminDN> -w <adminPW> -i <filename>

where <filename> contains:

dn: cn=NewSearch1, cn=localhost
cn: NewSearch1
member: cn=user1,o=ibm
member: cn=user2,o=ibm
ibm-searchTimeLimit: 4000
ibm-searchSizeLimit: 2000
objectclass: top
objectclass: ibm-searchLimits
objectclass: groupofNames

 

Removing a search limit group

To remove a search limit group, you can use either the Web Administration Tool or the command line.

 

Using Web Administration:

To remove a search limit group, see Deleting an entry.

 

Using the command line:

To remove a search limit group using the command line, issue the following command:

idsldapdelete -D <adminDN> -w <adminPW> -i <filename>

where <filename> contains:

#list additional DNs here, one per line
cn=Search1, cn=localhost

To remove multiple search limit groups, list the DNs. Each DN must be on a separate line.


