Cohabitation/Migration ODSEE->OUD: dn-based search resource limits
By Sylvain Duloutre-Oracle on Apr 30, 2012
Oracle Unified Directory 11g Release 1 (11.1.1) provides a mechanism to replicate data between Oracle Directory Server Enterprise Edition and Oracle Unified Directory. Depending on the ODSEE features used, the OUD configuration may need to be adapted to provide the same service transparently to client applications.
Both ODSEE and OUD provide ways to control the resources used by a directory user. The following limits are provided by OUD at the global configuration level:
- ds-cfg-size-limit specifies the maximum number of entries that can be returned to the client during a single search operation.
- ds-cfg-time-limit specifies the maximum length of time that should be spent processing a single search operation.
- ds-cfg-lookthrough-limit specifies the maximum number of entries that the Directory Server should "look through" in the course of processing a search request. This includes any entry that the server must examine in the course of processing the request, regardless of whether it actually matches the search criteria.
- ds-cfg-idle-time-limit specifies the maximum length of time that a client connection may remain established since its last completed operation.
The corresponding configuration attributes in ODSEE are search-size-limit, search-time-limit, look-through-limit and idle-timeout. This configuration mapping is provided automatically by tools like ds2oud.
Server limits for search operations can also be controlled using special operational attribute values associated with the user binding to the directory. These attributes are stored as part of the directory data, so they are replicated between ODSEE and OUD. Attribute names (and sometimes values) vary, so the OUD configuration needs to be extended to deal with that:
On DSEE, user entries may contain the following resource limit attributes: nsSizeLimit, nsTimeLimit, nsLookThroughLimit and nsIdleTimeout. The corresponding attributes on OUD are ds-rlim-size-limit, ds-rlim-time-limit, ds-rlim-lookthrough-limit and ds-rlim-idle-time-limit. In order to replicate the functionality correctly, the OUD schema (02-config.ldif) must be modified so that each DSEE attribute related to resource limits is declared as an alias name for the matching OUD attribute. An alias is declared by adding a second name to the NAME list of an attributeType declaration, as in this excerpt:
attributeTypes: ( 1.3.6.1.4.1.26027.1.1.244 NAME ( 'ds-pwp-password-policy-dn' 'alias-for-ds-pwp-password-policy-dn')
On DSEE, -1 is used to disable a resource limit. On OUD, 0 is used. One way to address this difference is to create a virtual attribute on OUD that overrides the content of the OUD attribute whenever the value of the DSEE attribute equals -1. A virtual attribute must be created for each of the 4 attributes mentioned, as described below (the conflict behavior virtual-overrides-real makes the virtual value 0 win over the replicated real value -1):
dsconfig create-virtual-attribute --name "mapping nsSizeLimit" \
  --type user-defined --set attribute-type:ds-rlim-size-limit \
  --set filter:"(nsSizeLimit=-1)" \
  --set conflict-behavior:virtual-overrides-real \
  --set value:"0" --set enabled:true

dsconfig create-virtual-attribute --name "mapping nsTimeLimit" \
  --type user-defined --set attribute-type:ds-rlim-time-limit \
  --set filter:"(nsTimeLimit=-1)" \
  --set conflict-behavior:virtual-overrides-real \
  --set value:"0" --set enabled:true

dsconfig create-virtual-attribute --name "mapping nsLookthroughLimit" \
  --type user-defined --set attribute-type:ds-rlim-lookthrough-limit \
  --set filter:"(nsLookthroughLimit=-1)" \
  --set conflict-behavior:virtual-overrides-real \
  --set value:"0" --set enabled:true

dsconfig create-virtual-attribute --name "mapping nsIdleTimeout" \
  --type user-defined --set attribute-type:ds-rlim-idle-time-limit \
  --set filter:"(nsIdleTimeout=-1)" \
  --set conflict-behavior:virtual-overrides-real \
  --set value:"0" --set enabled:true
More information about account-based resource limits is available here.
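As an added example (not Oracle's code and not part of ds2oud), the script below audits an ODSEE LDIF export for the four per-user limit attributes named on this page and flags every -1 value that the virtual attributes above must rewrite to 0, so the mapping can be checked before replication is enabled. The LDIF sample is constructed; the attribute names and sentinels come from the text.

```python
# ODSEE attribute (lower-cased: LDAP names are case-insensitive) -> OUD attribute
ATTR_MAP = {
    "nssizelimit": "ds-rlim-size-limit",
    "nstimelimit": "ds-rlim-time-limit",
    "nslookthroughlimit": "ds-rlim-lookthrough-limit",
    "nsidletimeout": "ds-rlim-idle-time-limit",
}
ODSEE_UNLIMITED = "-1"  # ODSEE sentinel for "limit disabled"
OUD_UNLIMITED = "0"     # OUD sentinel for "limit disabled"


def parse_ldif(text):
    """Minimal LDIF reader: entries separated by blank lines, 'attr: value' lines.
    Folded continuation lines and base64 (::) values are not handled."""
    entries = []
    for block in text.strip().split("\n\n"):
        entry = {}
        for line in block.splitlines():
            name, _, value = line.partition(":")
            entry.setdefault(name.strip().lower(), []).append(value.strip())
        entries.append(entry)
    return entries


def map_entry(entry):
    """Effective OUD limits for one entry: the alias keeps the value as-is,
    except that the ODSEE -1 sentinel becomes 0 (what virtual-overrides-real does)."""
    out = {}
    for ods_attr, oud_attr in ATTR_MAP.items():
        vals = entry.get(ods_attr)
        if vals:
            out[oud_attr] = OUD_UNLIMITED if vals[0] == ODSEE_UNLIMITED else vals[0]
    return out


def audit(text):
    """(dn, odsee_attr, oud_attr) for every value that relies on the -1 override."""
    findings = []
    for entry in parse_ldif(text):
        dn = entry.get("dn", ["?"])[0]
        for ods_attr, oud_attr in ATTR_MAP.items():
            if entry.get(ods_attr, [None])[0] == ODSEE_UNLIMITED:
                findings.append((dn, ods_attr, oud_attr))
    return findings


# Constructed sample export: alice is unlimited in size, bob in look-through.
SAMPLE_LDIF = """\
dn: uid=alice,ou=people,dc=example,dc=com
nsSizeLimit: -1
nsTimeLimit: 120

dn: uid=bob,ou=people,dc=example,dc=com
nsLookThroughLimit: -1
nsIdleTimeout: 600
"""
```

Running audit() over a real export lists the entries whose limits would silently change if any of the four virtual attributes were missing or disabled.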